
Hacking hazards come with Web scripting territory

In the wake of a government advisory about a newly recognized Web scripting security threat, software providers fear scripting is getting a bum rap.

Paul Festa, Staff Writer, CNET News.com. Paul Festa covers browser development and Web standards.
Heard about a Web security issue lately? Chances are scripting was part of the problem.

If you've surfed the Web recently, you've almost certainly seen scripts at work performing some of the most common tasks of today's Web pages, from helping users search pages to scrolling text across the screen and launching new windows.

In the wake of a government advisory about a newly recognized Web scripting security threat, software providers fear scripting is getting a bum rap despite security protections built into the top scripting implementations.

Web scripting is the method most sites use to create moving parts. Scripting languages such as JavaScript--invented in 1995 by Brendan Eich at Netscape, now a division of America Online--bring to the Web the kind of features that at the dawn of the Web could be found only on the computer desktop, features that let users interact with sites without calling up a new page from the server.

The difference between scripting languages, which can be found on and off the Web, and computer programming languages like C++ or Fortran, is that scripting languages are interpreted, while programming languages are compiled. Compilers translate programming instructions written by humans into a language a microchip can understand.

With scripts, browsers essentially do that work on the fly.

Scripts are powerful enough, however, to do real damage when written maliciously. Both this week's government advisory and countless other exploits demonstrated by bug hunters on the Web have shown how hackers can take advantage of the flexibility and power of scripting to pry into Web surfers' private information, both in the browser and in other applications on the computer.

Chief among these bug hunters is the Bulgarian security consultant Georgi Guninski, who has numerous scripting exploits to his name for the major browsers provided by Microsoft and Netscape.

In a recent example, Guninski showed how Microsoft's Outlook Express mail reading application let a malicious user embed a script within a message to expose the mail of the targeted user while the initial message window remained open.

Guninski earned a steady income of $1,000 per bug from Netscape before the company brought him on board as a consultant last summer.

Security experts point out, however, that the government's advisory did not pinpoint any flaw on the scripting side of things, but rather with Web sites' implementation of forms that permitted the introduction of potentially malicious scripting tags.
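An added example, not from the article or from the advisory it reports on, of the site-side flaw the experts describe: a search page that echoes a form field straight back into its HTML lets a submitted value carry its own scripting tags, while HTML-escaping the value before insertion renders it as inert text. The function names, the log format and the sample lines are constructed for illustration.

```javascript
// Minimal model of a search form whose result page echoes the query back.
// Function names, log format and sample input are constructed for this example.

// Escape the characters that let text break out of an HTML text node or
// attribute value. Ampersand goes first so later entities are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the submitted value is pasted into the markup unchanged, so a
// value containing "<script>" becomes a script element in the served page.
function renderResultsUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the value is escaped first, so the browser shows it as literal
// text and never treats it as a tag.
function renderResultsSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Detection over request logs: flag GET lines whose URL-decoded path carries
// a tag or a javascript: URL in the query string. Constructed sample lines.
const SAMPLE_LOG = [
  '10.0.0.5 - - "GET /search?q=netscape HTTP/1.0" 200',
  '10.0.0.9 - - "GET /search?q=%3Cscript%3E%3C%2Fscript%3E HTTP/1.0" 200',
];

function flagScriptInQuery(lines) {
  return lines.filter((line) => {
    const m = line.match(/"GET ([^ ]*)/);
    if (!m) return false;
    let decoded;
    try {
      decoded = decodeURIComponent(m[1]);
    } catch (e) {
      return true; // malformed encoding is itself worth a look
    }
    return /<\s*\/?[a-z]/i.test(decoded) || /javascript:/i.test(decoded);
  });
}
```

The same escaping applies to any user-supplied value placed into a page, not only search terms; the log check is a coarse first filter, not a substitute for fixing the output.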

Despite the frequency of scripting-related security problems, Microsoft stresses that the hazards come with the technology territory.

"There is always a balance between security and ease of use, and scripting is no exception," a Microsoft spokeswoman said. "It is up to each customer to decide what sites they want to allow to perform scripting and which they don't."

She noted that Internet Explorer's security zones let users classify sites according to whether they are known and trusted and therefore allowed to run scripts.

Netscape said that scripting is the safer of various alternatives because of its "sandbox" security model, which only allows the script to interact within certain boundaries on the site visitor's computer.

Michael La Guardia, group product manager for the Communicator browser, explained that JavaScript is only allowed to interact with the user through the Web interface.

"If you have native code talking directly to your computer, it could do anything," he said. "It could set up a listener and get sensitive information like passwords and credit card numbers or erase your hard drive. With JavaScript, the programmer is not allowed to execute native code."

He added: "If it were native code running all the time, we wouldn't have the Web as we have it today. It would be one giant gaping security hole."

For example, Microsoft's ActiveX technology has been criticized for running code on computers while relying on a "trust" security model, in which ActiveX controls can execute native code provided the user has decided they trust the control's source.

Even with sandbox protections, however, Netscape said users should exercise caution in choosing which sites to visit.

"The best thing people can do in the face of this is not to talk to strangers," La Guardia said. "Don't go into dark alleys. There are bad places out there--and bad people. Stay away from them."

In addition to JavaScript, other common scripting languages include AppleScript, CGI, HTMLScript, Perl and VBScript. JavaScript is standardized under the European Computer Manufacturers Association (ECMA), an international standards body based in Switzerland.