Another thing worth remembering is that just as Javascript itself differs
quit a bit from browser to browser, so do its security issues. A
feature (?) that makes it possible to write a port scanner in one
browser might not exist at all in another browser.
Traditionally Internet Explorer has been considered the worst offender
security-wise. In part this is because it lets you say "x = new
ActiveXObject(...)", which sometimes makes it possible for Javascript to
invoke components that were never intended to be used by a web browser.
(Remember last year's Month of Browser Bugs? Most of the IE bugs on that
list revolved around ActiveXObject.)
ActiveXObject, and its security implications, are completely absent in
Firefox. Not that Firefox has been free of Javascript security holes,
though...as it evolved from 2.0 to 2.0.0.15, many of the updates
included patches for Javascript security holes. Several of these involved
ways for Javascipt to elevate its permissions from content (highly
restricted) to chrome (unrestricted, with full access to your filesystem
and the network).
I'd be highly interested to learn how that port scanner worked. Did it
depend on one particular browser?
- Neil Parker
_______________________________________________
EUGLUG mailing list
[email protected]
http://www.euglug.org/mailman/listinfo/euglug
