From: Tom Serface on
I still don't see how using JavaScript could be a security issue? You can't
run programs in the client space or access the users devices.

Tom

"Joseph M. Newcomer" <newcomer(a)flounder.com> wrote in message
news:29ftp5d0jbgjm1qoapshs19eg4ltd6nc2e(a)4ax.com...
> See below...
> On Sat, 13 Mar 2010 23:37:23 -0500, Hector Santos
> <sant9442(a)nospam.gmail.com> wrote:
>
>>Its really quite fasinating how the mindset has evolved regarding
>>zero-day discoveries:
>>
>> - OLD RULE: Turn off javascript
>> - NEW RULE: Read tons of documents
>>
>>The point, watch how they now handle IE exploits found. No longer
>>will you see anything in their notes that says:
>>
>> Turn off ActiveX
>> Turn off Javascript
>>
>>and at best I can tell, the reason is because turning it off BREAKS
>>all kinds of other stuff, including 3rd party or their own.
>>
>>I was amaze at the China/Google zero-day IE security bug where in NO
>>WHERE in the Microsoft security announcements did it says "Turn off
>>Javascript" and now the Chinese will not be able to exploit you.
>>
>>Look, no browser vendors what you to turn off javascript. In fact,
>>GOOGLE CHROME was the first browser not to offer the user the option
>>to even turn it off. This is the beginning for others to follow.
> ****
> This is simply not true, I was turning JavaVirus and ActiveVirus off years
> ago in IE.
>
> I was taken out by some scripting eploits years ago, and it is NEVER going
> to happen
> again!
>
> To add insult to injury, IE has this incrdibly STUPID idea of categorizing
> sites as
> "Internet", "Trusted", etc., instead of letting me customize the actions
> to an individual
> site and ONLY to that site! So I can't say "I trust site X". Also, if
> you use IE8
> "secure mode" most sites break. There is no provision for my requesting
> that a particular
> Web site (for me, that would be 99.999% of all Web sites) be denied access
> to my machine
> state (files, Registry, etc.) since most JavaVirus code really is only
> dealing with screen
> interaction (or so it would like me to believe) and the JavaVirus
> interpreter is
> essentially design to be unsafe.
>
> So when Microsoft says they "care about security" I believe they are
> lying. They not only
> don't care, they are actively HOSTILE to anyone who wants a secure site!
> joe
> ****
>>
>>Now web sites are taking the approach - NO JAVASCRIPT? GO AWAY!
>>
>>It took us nearly 7 years before we began to require Javascript for
>>our web server client templates. Our templates were WEB 1.0 mostly
>>because early browser didn't support JS and because of security, many
>>users turned it off. So WEB 1.0 was necessary.
>>
>>But as the industry grew, WEB 2.0 was the next stage. We began to add
>>more of it to our templates. Not 100% but as options to operators to
>>use special HTML clients, i.e. HTTP AUTHentication (BASIC/DIGEST) vs
>>Form-based COOKIE login.
>>
>>A few years ago, we added jQuery support, which MS now directly
>>supports as part of ASP. jQuery is distributed with our software and
>>we use it popup Message Previews. Our Chuck E Cheese customer who use
>>our web server for store support who still have low bandwidth told us
>>the popup message previews help speed things up.
>>
>>But now WEB 3.0 is upon is, and his a recycle of the client/server
>>framework where more of the client-ware is off-loaded. Flash,
>>SilverLight, Flex, etc, and now HTML5.
>>
>>Joe, the problem isn't really Javascript, the problem is well, good
>>engineering with the browser and an growing attitude that clients
>>should be doing more work and have access to the user's PC. So
>>original the client was sandboxed and the scripting did not an API to
>>access PC data. That's changing and there is no stopping this
>>unfortunately.
>>
>>--
>>HLS
>>
>>Joseph M. Newcomer wrote:
>>
>>> This is because Microsoft makes a lot of noise about being concerned
>>> about "computer
>>> security" but essentially believe that if YOU care about it, well, screw
>>> you, JavaVIrus
>>> is essential for making Web sites *cool*, and nobody should make their
>>> machines secure by
>>> disabling this primary malware vector (I recently attended a conference
>>> on computer
>>> security, and what I learned about JavaVirus makes my most rabid rants
>>> about it look
>>> understated compared to the deadly reality! Sort of like my saying
>>> "death can be a
>>> seirous invonvenience in your life" or "end-stage rabies is really
>>> uncomfortable")
>>> joe
>>>
>>>
>>> On Sat, 13 Mar 2010 14:00:05 -0500, Hector Santos
>>> <sant9442(a)nospam.gmail.com> wrote:
>>>
>>>> Giovanni Dicanio wrote:
>>>>
>>>>> Seems like there is a new MSDN VC++ Forum dedicated to MFC and ATL
>>>>> now:
>>>>>
>>>>> http://social.msdn.microsoft.com/Forums/en-US/vcmfcatl/threads
>>>>>
>>>>> Giovanni
>>>> It breaks down if javascript is disabled. :)
>>> Joseph M. Newcomer [MVP]
>>> email: newcomer(a)flounder.com
>>> Web: http://www.flounder.com
>>> MVP Tips: http://www.flounder.com/mvp_tips.htm
> Joseph M. Newcomer [MVP]
> email: newcomer(a)flounder.com
> Web: http://www.flounder.com
> MVP Tips: http://www.flounder.com/mvp_tips.htm

From: Hector Santos on
Tom Serface wrote:

> I still don't see how using JavaScript could be a security issue? You
> can't run programs in the client space or access the users devices.


1) The last IE exploit - the "China One" was a exploit in the IE
JS DOM!

2) The direction of the browsers is to add more special client-side
plugins accessible via JS. Mozilla is very active with this.
Chrome already has hooks with its V8 and Gears.

--
HLS
From: Joseph M. Newcomer on
Sure you can! In fact, JavaVirus can invoke an ActiveVirus control. And it can do
anything. Go browse a security site, like McAfee or Norton AV. Search for "JavaScript"
and read about the deadly exploits they tell you they can find.
joe


On Tue, 16 Mar 2010 18:44:33 -0500, "Tom Serface" <tom(a)camaswood.com> wrote:

>I still don't see how using JavaScript could be a security issue? You can't
>run programs in the client space or access the users devices.
>
>Tom
>
>"Joseph M. Newcomer" <newcomer(a)flounder.com> wrote in message
>news:29ftp5d0jbgjm1qoapshs19eg4ltd6nc2e(a)4ax.com...
>> See below...
>> On Sat, 13 Mar 2010 23:37:23 -0500, Hector Santos
>> <sant9442(a)nospam.gmail.com> wrote:
>>
>>>Its really quite fasinating how the mindset has evolved regarding
>>>zero-day discoveries:
>>>
>>> - OLD RULE: Turn off javascript
>>> - NEW RULE: Read tons of documents
>>>
>>>The point, watch how they now handle IE exploits found. No longer
>>>will you see anything in their notes that says:
>>>
>>> Turn off ActiveX
>>> Turn off Javascript
>>>
>>>and at best I can tell, the reason is because turning it off BREAKS
>>>all kinds of other stuff, including 3rd party or their own.
>>>
>>>I was amaze at the China/Google zero-day IE security bug where in NO
>>>WHERE in the Microsoft security announcements did it says "Turn off
>>>Javascript" and now the Chinese will not be able to exploit you.
>>>
>>>Look, no browser vendors what you to turn off javascript. In fact,
>>>GOOGLE CHROME was the first browser not to offer the user the option
>>>to even turn it off. This is the beginning for others to follow.
>> ****
>> This is simply not true, I was turning JavaVirus and ActiveVirus off years
>> ago in IE.
>>
>> I was taken out by some scripting eploits years ago, and it is NEVER going
>> to happen
>> again!
>>
>> To add insult to injury, IE has this incrdibly STUPID idea of categorizing
>> sites as
>> "Internet", "Trusted", etc., instead of letting me customize the actions
>> to an individual
>> site and ONLY to that site! So I can't say "I trust site X". Also, if
>> you use IE8
>> "secure mode" most sites break. There is no provision for my requesting
>> that a particular
>> Web site (for me, that would be 99.999% of all Web sites) be denied access
>> to my machine
>> state (files, Registry, etc.) since most JavaVirus code really is only
>> dealing with screen
>> interaction (or so it would like me to believe) and the JavaVirus
>> interpreter is
>> essentially design to be unsafe.
>>
>> So when Microsoft says they "care about security" I believe they are
>> lying. They not only
>> don't care, they are actively HOSTILE to anyone who wants a secure site!
>> joe
>> ****
>>>
>>>Now web sites are taking the approach - NO JAVASCRIPT? GO AWAY!
>>>
>>>It took us nearly 7 years before we began to require Javascript for
>>>our web server client templates. Our templates were WEB 1.0 mostly
>>>because early browser didn't support JS and because of security, many
>>>users turned it off. So WEB 1.0 was necessary.
>>>
>>>But as the industry grew, WEB 2.0 was the next stage. We began to add
>>>more of it to our templates. Not 100% but as options to operators to
>>>use special HTML clients, i.e. HTTP AUTHentication (BASIC/DIGEST) vs
>>>Form-based COOKIE login.
>>>
>>>A few years ago, we added jQuery support, which MS now directly
>>>supports as part of ASP. jQuery is distributed with our software and
>>>we use it popup Message Previews. Our Chuck E Cheese customer who use
>>>our web server for store support who still have low bandwidth told us
>>>the popup message previews help speed things up.
>>>
>>>But now WEB 3.0 is upon is, and his a recycle of the client/server
>>>framework where more of the client-ware is off-loaded. Flash,
>>>SilverLight, Flex, etc, and now HTML5.
>>>
>>>Joe, the problem isn't really Javascript, the problem is well, good
>>>engineering with the browser and an growing attitude that clients
>>>should be doing more work and have access to the user's PC. So
>>>original the client was sandboxed and the scripting did not an API to
>>>access PC data. That's changing and there is no stopping this
>>>unfortunately.
>>>
>>>--
>>>HLS
>>>
>>>Joseph M. Newcomer wrote:
>>>
>>>> This is because Microsoft makes a lot of noise about being concerned
>>>> about "computer
>>>> security" but essentially believe that if YOU care about it, well, screw
>>>> you, JavaVIrus
>>>> is essential for making Web sites *cool*, and nobody should make their
>>>> machines secure by
>>>> disabling this primary malware vector (I recently attended a conference
>>>> on computer
>>>> security, and what I learned about JavaVirus makes my most rabid rants
>>>> about it look
>>>> understated compared to the deadly reality! Sort of like my saying
>>>> "death can be a
>>>> seirous invonvenience in your life" or "end-stage rabies is really
>>>> uncomfortable")
>>>> joe
>>>>
>>>>
>>>> On Sat, 13 Mar 2010 14:00:05 -0500, Hector Santos
>>>> <sant9442(a)nospam.gmail.com> wrote:
>>>>
>>>>> Giovanni Dicanio wrote:
>>>>>
>>>>>> Seems like there is a new MSDN VC++ Forum dedicated to MFC and ATL
>>>>>> now:
>>>>>>
>>>>>> http://social.msdn.microsoft.com/Forums/en-US/vcmfcatl/threads
>>>>>>
>>>>>> Giovanni
>>>>> It breaks down if javascript is disabled. :)
>>>> Joseph M. Newcomer [MVP]
>>>> email: newcomer(a)flounder.com
>>>> Web: http://www.flounder.com
>>>> MVP Tips: http://www.flounder.com/mvp_tips.htm
>> Joseph M. Newcomer [MVP]
>> email: newcomer(a)flounder.com
>> Web: http://www.flounder.com
>> MVP Tips: http://www.flounder.com/mvp_tips.htm
Joseph M. Newcomer [MVP]
email: newcomer(a)flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
From: Joseph M. Newcomer on
Which merely proves that there are a number of sociopaths out there who think that the
coolness of their site is more important than the scurity of my site, an arrogance I find
untenable.
joe

On Tue, 16 Mar 2010 18:42:55 -0500, "Tom Serface" <tom(a)camaswood.com> wrote:

>ActiveX is essentially client-side application code. It's way different
>than JavaScript. I'm not sure there are many sites you can use without
>JavaScript these days. Most of them use some sort of ASP, JSP, PHP, or some
>other "P" to generate HTML and that almost always translates into
>JavaScript.
>
>Tom
>
>"Hector Santos" <sant9442(a)nospam.gmail.com> wrote in message
>news:OR9sJAzwKHA.1984(a)TK2MSFTNGP05.phx.gbl...
>> Its really quite fasinating how the mindset has evolved regarding zero-day
>> discoveries:
>>
>> - OLD RULE: Turn off javascript
>> - NEW RULE: Read tons of documents
>>
>> The point, watch how they now handle IE exploits found. No longer will
>> you see anything in their notes that says:
>>
>> Turn off ActiveX
>> Turn off Javascript
>>
>> and at best I can tell, the reason is because turning it off BREAKS all
>> kinds of other stuff, including 3rd party or their own.
>>
>> I was amaze at the China/Google zero-day IE security bug where in NO WHERE
>> in the Microsoft security announcements did it says "Turn off Javascript"
>> and now the Chinese will not be able to exploit you.
>>
>> Look, no browser vendors what you to turn off javascript. In fact, GOOGLE
>> CHROME was the first browser not to offer the user the option to even turn
>> it off. This is the beginning for others to follow.
>>
>> Now web sites are taking the approach - NO JAVASCRIPT? GO AWAY!
>>
>> It took us nearly 7 years before we began to require Javascript for our
>> web server client templates. Our templates were WEB 1.0 mostly because
>> early browser didn't support JS and because of security, many users turned
>> it off. So WEB 1.0 was necessary.
>>
>> But as the industry grew, WEB 2.0 was the next stage. We began to add more
>> of it to our templates. Not 100% but as options to operators to use
>> special HTML clients, i.e. HTTP AUTHentication (BASIC/DIGEST) vs
>> Form-based COOKIE login.
>>
>> A few years ago, we added jQuery support, which MS now directly supports
>> as part of ASP. jQuery is distributed with our software and we use it
>> popup Message Previews. Our Chuck E Cheese customer who use our web
>> server for store support who still have low bandwidth told us the popup
>> message previews help speed things up.
>>
>> But now WEB 3.0 is upon is, and his a recycle of the client/server
>> framework where more of the client-ware is off-loaded. Flash,
>> SilverLight, Flex, etc, and now HTML5.
>>
>> Joe, the problem isn't really Javascript, the problem is well, good
>> engineering with the browser and an growing attitude that clients should
>> be doing more work and have access to the user's PC. So original the
>> client was sandboxed and the scripting did not an API to access PC data.
>> That's changing and there is no stopping this unfortunately.
>>
>> --
>> HLS
>>
>> Joseph M. Newcomer wrote:
>>
>>> This is because Microsoft makes a lot of noise about being concerned
>>> about "computer
>>> security" but essentially believe that if YOU care about it, well, screw
>>> you, JavaVIrus
>>> is essential for making Web sites *cool*, and nobody should make their
>>> machines secure by
>>> disabling this primary malware vector (I recently attended a conference
>>> on computer
>>> security, and what I learned about JavaVirus makes my most rabid rants
>>> about it look
>>> understated compared to the deadly reality! Sort of like my saying
>>> "death can be a
>>> seirous invonvenience in your life" or "end-stage rabies is really
>>> uncomfortable")
>>> joe
>>>
>>>
>>> On Sat, 13 Mar 2010 14:00:05 -0500, Hector Santos
>>> <sant9442(a)nospam.gmail.com> wrote:
>>>
>>>> Giovanni Dicanio wrote:
>>>>
>>>>> Seems like there is a new MSDN VC++ Forum dedicated to MFC and ATL now:
>>>>>
>>>>> http://social.msdn.microsoft.com/Forums/en-US/vcmfcatl/threads
>>>>>
>>>>> Giovanni
>>>> It breaks down if javascript is disabled. :)
>>> Joseph M. Newcomer [MVP]
>>> email: newcomer(a)flounder.com
>>> Web: http://www.flounder.com
>>> MVP Tips: http://www.flounder.com/mvp_tips.htm
>>
>>
>>
>> --
>> HLS
Joseph M. Newcomer [MVP]
email: newcomer(a)flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
From: Joseph M. Newcomer on
Duh. There's even a JavaScript exploit that inserts itself into evey .htm, .html, and
similar page it can find on your Web site, so if it is in someone's pages, it will place
itself in all of yours! This is old, old hackery, dates back more than a decade.
JavaScript does NOT offer any protection against such exploits. And it can invoke
programs and feed them text sequences that exploit buffer overruns and other holes in
those apps. This has been known for many years. In fact, there is a long list of ActiveX
controls which JavaVirus scripts can exploit, and they are written by Microsoft, Kodak,
Adobe, and othe rmajor vendors.

Note that my safety is based no just on your Web site, but every site you may have
communicated with. Or on any site that *anyone* on your site who had write rights to your
Web pages may have communicated with!
joe

On Tue, 16 Mar 2010 18:41:02 -0500, "Tom Serface" <tom(a)camaswood.com> wrote:

>How can viruses be transferred using JavaScript? Unless users download a
>client there is very little access to the client's machine. Java applets
>are a different animal of course and I wouldn't use them at all.
>
>Tom
>
>"Joseph M. Newcomer" <newcomer(a)flounder.com> wrote in message
>news:52mop5tsniijglmogablk804bsldj6qg2q(a)4ax.com...
>> This is because Microsoft makes a lot of noise about being concerned about
>> "computer
>> security" but essentially believe that if YOU care about it, well, screw
>> you, JavaVIrus
>> is essential for making Web sites *cool*, and nobody should make their
>> machines secure by
>> disabling this primary malware vector (I recently attended a conference on
>> computer
>> security, and what I learned about JavaVirus makes my most rabid rants
>> about it look
>> understated compared to the deadly reality! Sort of like my saying "death
>> can be a
>> seirous invonvenience in your life" or "end-stage rabies is really
>> uncomfortable")
>> joe
>>
>>
>> On Sat, 13 Mar 2010 14:00:05 -0500, Hector Santos
>> <sant9442(a)nospam.gmail.com> wrote:
>>
>>>Giovanni Dicanio wrote:
>>>
>>>> Seems like there is a new MSDN VC++ Forum dedicated to MFC and ATL now:
>>>>
>>>> http://social.msdn.microsoft.com/Forums/en-US/vcmfcatl/threads
>>>>
>>>> Giovanni
>>>
>>>It breaks down if javascript is disabled. :)
>> Joseph M. Newcomer [MVP]
>> email: newcomer(a)flounder.com
>> Web: http://www.flounder.com
>> MVP Tips: http://www.flounder.com/mvp_tips.htm
Joseph M. Newcomer [MVP]
email: newcomer(a)flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm