JavaScript bug could be worse

A security hole that can be exploited with JavaScript to glean information from Web forms apparently is harder to fix than first expected.

Netscape Communications thought it had plugged the hole, first reported by Bell Labs, in releasing a new version of Navigator 3.02, but a similar bug based on the same design flaw continues to affect the updated software.

Netscape representatives today acknowledged that the latest variation of the bug, which produces the same results as the Bell Labs bug, still affects the updated 3.02 software.

The security flaw allows a Web site operator to use JavaScript to launch a "Trojan horse" program within an unsuspecting user's browser. This rogue program, which can run undetected, then reads any data the user enters into a form: URLs, search queries, or credit card numbers, for example. Browsers equipped with encryption are still vulnerable because the rogue program reads the data before it is encrypted and transmitted.

"The deficiency is that the JavaScript security model isn't quite complete," Vinod Anupam, the Bell Labs researcher who discovered the flaw in late June and reported it to the Computer Emergency Response Team (CERT), Microsoft, and Netscape, said in an interview today. "It's a design flaw and there are many ways to exploit it. We recommended to Netscape that they reevaluate their security model."

The variation is demonstrated on Dan Brumleve's "Tracker" Web site. Tracker affects the updated Navigator 3.02 for Windows, Mac, and Unix, but it does not appear to affect Communicator, according to Brumleve, Anupam, and Dave Rothschild, Netscape's director of marketing for client applications.

However, Communicator on all platforms is still vulnerable to the method of attack discovered by Anupam, and a new version will be posted next week, Rothschild said today.

The hole also affects Windows 95 and NT versions of Explorer. The company will issue a software patch next week to fix its existing browser and will include a fix in the next beta of Internet Explorer 4.0, due out later this month, according to product manager Kevin Unangst.

JavaScript is a cross-platform Internet scripting language invented by Netscape that the company has supported since the 2.0 version of its Navigator browser. Microsoft includes a JavaScript "clone" in the 3.0 version of Internet Explorer. Combined, there are tens of millions of JavaScript-capable browsers in use.

Bell Labs' Anupam stressed that it's too early to tell if the JavaScript flaw stems from the design of the language itself or the implementation of it within a browser. Despite the name, JavaScript is unrelated to Java and does not employ the "sandbox" security model that prevents applications from accessing data--maliciously or not--on a user's hard drive.

Netscape is examining the code that Brumleve wrote to exploit the flaw but hasn't announced any further fix.

Even if this bug is squashed, it raises a larger Internet security issue. "These smaller languages, like JavaScript or VBScript, can be just as powerful, and we need to make sure they're just as secure before we trust them implicitly," said Anupam.

Until the JavaScript problem is resolved, CERT recommended that users disable JavaScript support in their browsers. Netscape's Rothschild also recommended that users only visit trusted sites.