AOL, Microsoft move to squash bugs

The handy and versatile JavaScript scripting language has been a virtual picnic for Web authors, but like any picnic, this one has attracted a lot of bugs.

Paul Festa, Staff Writer, CNET News.com (covers browser development and Web standards)
The handy and versatile JavaScript scripting language has been a virtual picnic for Web authors, offering them an array of dynamic functionalities to add to their Web sites. But like any picnic, this one has attracted a lot of bugs.

AOL's Netscape Communications division and Microsoft are moving to plug a half-dozen newly discovered security holes that concern their browsers' implementations of JavaScript, a computing language developed by Netscape for executing actions on a Web page automatically. Despite its name, JavaScript is unrelated to Sun Microsystems' cross-platform Java programming language.

The new collection of bugs was discovered by a Bulgarian security enthusiast who has made a side business--if not a small career--out of discovering ways that JavaScript can compromise a browser's security. Netscape, the object of most of Georgi Guninski's bug-hunting attention, pays a $1,000 bounty for each bug that's acknowledged.

Netscape and Microsoft confirmed the bugs described below and said they would patch them in future releases. Netscape recommends disabling JavaScript pending a fix; Microsoft recommends either disabling JavaScript or not bookmarking untrusted sites.

Readers are advised that Guninski's demonstrations run automatically when you visit his pages. Following are descriptions of the latest problems:

  • Bookmarks I
    To exploit this vulnerability, a Web site author creates a bookmark whose URL is JavaScript code (a "javascript:" URL). When a user of Netscape Communicator or Microsoft Internet Explorer adds such a bookmark and later selects it while viewing a local file in the browser, the script runs in the context of that local file and can read local files. Guninski's demonstration can be found here.

  • Bookmarks II
    With this second bookmark bug in Communicator, the malicious Web author puts JavaScript code in the page's title tag. When the user bookmarks the page, the title is copied into the bookmarks file; when that file is later opened, the code runs under the looser security restrictions that apply to a local file. This can permit reading the bookmarks file, browsing local directories, and reading local files. Guninski's demonstration is here.

  • Document titles
    Like the second bookmarks bug, this one lets an attacker run JavaScript code placed in a Web page's title tag. When the user asks the browser for information about the document, the code runs. This bug could expose a person's cache and configuration information, as well as email. The vulnerability can be exploited through an HTML email message. Guninski's demonstration of this can be found here.

  • Viewing the source
    This bug is exploited through a script that asks Communicator to display the underlying source of a Web page. The trouble is that Communicator also lets the script request the source of local files in the same way, exposing local directories, the cache, HTML files, configuration, email addresses, mail servers, and passwords. The vulnerability can be exploited through an HTML email; a demonstration is here.

  • URL sniffing
    This bug in Communicator lets a Web site operator see which sites a user is visiting in other open windows. The exploit works through the JavaScript console, a relatively new browser feature that collects JavaScript error messages in a separate window that users can open by typing "javascript:" into the address bar. The console has access to all open windows, which is what the exploit takes advantage of. Guninski's demonstration is here.
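The two bookmark bugs and the document-title bug above share one pattern: text that a Web page controls (its title, or a "javascript:" URL) is copied into an HTML file that the browser later renders with local-file privileges. The following is an added example, not code from the article or from Guninski's demonstrations, sketching the two checks a bookmark exporter would need: reject non-navigational URL schemes, and HTML-escape the title before writing it into the bookmarks file. The function names, the allowed-scheme list and the sample bookmarks are assumptions made for illustration.

```javascript
// Added example (not part of the CNET article or Guninski's demos): defensive
// checks for a browser's bookmark exporter. Names, the scheme allowlist and the
// sample data below are assumptions for illustration.

// Schemes a stored bookmark may carry. A "javascript:" URL stored as a bookmark
// would execute in whatever page is showing when the user later clicks it.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:", "file:"]);

// Escape the five characters that let text break out of an HTML attribute or
// text node, so a title such as "<script>...</script>" stays inert.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Extract the URL scheme: optional leading whitespace, then a scheme token per
// RFC 3986, then ":". Returns null when no well-formed scheme is present, so
// anything odd (e.g. a newline inside "java\nscript:") is rejected, not guessed.
function bookmarkScheme(url) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(String(url));
  return m ? m[1].toLowerCase() + ":" : null;
}

// Vulnerable form: title and URL are copied into the bookmarks file untouched.
// A page titled "<script>...</script>" becomes live script when the local
// bookmarks.html is opened, and a javascript: URL is stored as-is.
function bookmarkEntryUnsafe(bm) {
  return `<DT><A HREF="${bm.url}">${bm.title}</A>`;
}

// Hardened form: refuse non-navigational schemes and HTML-escape both fields
// before they are written into a file the browser renders with local privileges.
function bookmarkEntrySafe(bm) {
  const scheme = bookmarkScheme(bm.url);
  if (scheme === null || !ALLOWED_SCHEMES.has(scheme)) {
    return null; // reject rather than store
  }
  return `<DT><A HREF="${escapeHtml(bm.url)}">${escapeHtml(bm.title)}</A>`;
}

// Constructed sample bookmarks in the shape of Netscape's bookmarks.html entries.
const SAMPLE_BOOKMARKS = [
  { title: "CNET News", url: "http://news.cnet.com/" },
  { title: "<script>alert(document.location)</script>", url: "http://example.invalid/" },
  { title: "Looks harmless", url: "javascript:alert(document.cookie)" },
  { title: "Mixed case scheme", url: "  JavaScript:alert(1)" },
];

// Build the list of entries to write, dropping rejected bookmarks.
function exportBookmarks(bookmarks, makeEntry) {
  return bookmarks.map(makeEntry).filter((entry) => entry !== null);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(exportBookmarks(SAMPLE_BOOKMARKS, bookmarkEntryUnsafe).join("\n"));
  console.log("---");
  console.log(exportBookmarks(SAMPLE_BOOKMARKS, bookmarkEntrySafe).join("\n"));
}
```

The scheme check fails closed: a URL whose scheme cannot be parsed is rejected rather than passed through, which is the safer default when the stored string will later be handed back to the browser as a navigation target.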

Netscape sounded upbeat about its bug-fixing efforts, including the bounty program.

"We take all vulnerabilities seriously," a Netscape spokesperson said. "We're working closely with Guninski to fix these, and it's going well. We think the bug bounty is working very well."