http://www.newscientisttech.com/article/dn9645-browserbased-network-attack-d iscovered.html
A method of breaking into a computer network by posting malicious code on a web browser has been discovered. When a person browses the web, their computer is normally protected from attack by a firewall that filters out suspect messages. But researchers at SPI Dynamics, based in Georgia, US, have found that certain JavaScript code embedded in web page can be used to bypass the firewall. JavaScript is a simple browser-based programming language that is widely used to make web pages interactive. When a user visits such a page, the code is able to automatically probe the local network to which the user's machine is connected. Once this has identified the computers and other devices on the network, the same method could be used to send commands to crash or control them. The malicious JavaScript could even in theory be embedded in a third party web site, for example in a message board posting. This technique, known as cross-site scripting, can catch out users visiting trusted web sites. It had been treated as a low-level threat until now. Proof-of-concept "This potentially devastating JavaScript attack, along with the growing exploitation of cross-site scripting, demonstrates that these vulnerabilities should no longer be last in line to be addressed," says Billy Hoffman, lead research engineer at SPI Dynamics. The company's researchers have produced a web page that provides a "proof-of-concept" demonstration of the technique. This page can be used to scan a local network for web servers running on connected machines. The site lets visitors see the network addresses of computers running web servers but does not try to perform any malicious tasks. Fyodor Vaskovich, a respected security expert and creator of the network mapping tool NMAP, says the technique poses a dilemma for web developers. This is because blocking the relevant JavaScript functionality at the browser level would also disable many normal websites. "A key advantage of the SPI Dynamics vulnerability is that it is difficult to fix without breaking many web applications," Vaskovich told CNET. "So it may be around for years to come." Gregory S. Williams [EMAIL PROTECTED] Reply with a "Thank you" if you liked this post. _____________________________ MEDIANEWS mailing list [email protected] To unsubscribe send an email to: [EMAIL PROTECTED]
