copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-97.081 -- CERT Advisory CA-97.20 -- JavaScript Vulnerability

Date: 09 July 1997

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution

                             
                     ESB-97.081 -- CERT Advisory CA-97.20
		          JavaScript Vulnerability
                                9 July 1997

===========================================================================

The CERT Coordination Center has released the following advisory concerning
a JavaScript vulnerability.  This vulnerability permits a remote attacker
to monitor a user's browser activity.

The following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.

Contact information for CERT/CC is included in the Security Bulletin
below.  If you have any questions or need further information, please
contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/information/advisories.html

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
	AUSCERT personnel answer during Queensland business hours
	which are GMT+10:00 (AEST).
	On call after hours for emergencies.


- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT* Advisory CA-97.20
Original issue date: July 8, 1997
Last revised: --

Topic: JavaScript Vulnerability
- - -----------------------------------------------------------------------------

The CERT Coordination Center has received reports of a vulnerability in
JavaScript that enables remote attackers to monitor a user's Web activities.
The vulnerability affects several Web browsers that support JavaScript.

The vulnerability can be exploited even if the browser is behind a firewall
and even when users browse "secure" HTTPS-based documents.

The CERT/CC team recommends installing a patch from your vendor or upgrading
to a version that is not vulnerable to this problem (see Section III. A).
Until you can do so, we recommend disabling JavaScript (see Section III.B).

We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to your site.

- - -----------------------------------------------------------------------------

I.   Description

     Several web browsers support the ability to download JavaScript programs
     with an HTML page and execute them within the browser. These programs
     are typically used to interact with the browser user and transmit
     information between the browser and the Web server that provided the
     page.

     JavaScript programs are executed within the security context of the page
     with which they were downloaded, and they have restricted access to other
     resources within the browser. Security flaws exist in certain Web
     browsers that permit JavaScript programs to monitor a user's browser
     activities beyond the security context of the page with which the
     program was downloaded. It may not be obvious to the browser user that
     such a program is running, and it may be difficult or impossible for the
     browser user to determine if the program is transmitting information
     back to its web server.

     The vulnerability can be exploited even if the Web browser is behind a
     firewall (if JavaScript is permitted through the firewall) and even when
     users browse "secure" HTTPS-based documents.

II.  Impact

     This vulnerability permits remote attackers to monitor a user's browser
     activity, including:

        * observing the URLs of visited documents,
        * observing data filled into HTML forms (including passwords), and
        * observing the values of cookies.


III. Solution

     The best solution is to obtain a patch from your vendor or upgrade to a
     version that is not vulnerable to this problem. If a patch or upgrade is
     not available, or you cannot install it right away, we recommend
     disabling JavaScript until the fix is installed.

     A. Obtain and install a patch for this problem.

        We are currently in communication with vendors about this problem.
        See Appendix A for the current information. We will update the
        appendix when we receive further information.

     B. Disable JavaScript.

        Until you are able to install the appropriate patch, we recommend
        disabling JavaScript in your browser. Note that JavaScript and Java
        are two different languages, and this particular problem is only with
        JavaScript. Enabling or disabling Java rather than JavaScript will
        have no affect on this problem.

        The way to disable JavaScript is specific to each browser. The
        option, if available at all, is typically found as one of the Options
        or Preferences settings.

........................................................................
Appendix A - Vendor Information 

Below is information we have received from vendors.  We will update this
appendix as we receive additional information. 

Microsoft
=========
   Microsoft will announce their patches for this problem at

	http://www.microsoft.com/ie/security/update.htm

- - -----------------------------------------------------------------------------
The CERT Coordination Center thanks Vinod Anupam of Bell Labs, Lucent
Technologies, for identifying and analyzing this problem, and vendors for
their support in responding to this problem.
- - -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/).


CERT/CC Contact Information
- - ----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        ftp://info.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

   To be added to our mailing list for advisories and bulletins, send
   email to
        cert-advisory-request@cert.org
   In the subject line, type
        SUBSCRIBE  your-email-address

- - ---------------------------------------------------------------------------
* Registered U.S. Patent and Trademark Office.

Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

The CERT Coordination Center is part of the Software Engineering Institute
(SEI). The SEI is sponsored by the U.S. Department of Defense.
- - ---------------------------------------------------------------------------

This file: ftp://info.cert.org/pub/cert_advisories/CA-97.20.javascript
           http://www.cert.org
               click on "CERT Advisories"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM8Khu3VP+x0t4w7BAQGTtwP9Gw00odgsPPBU3XCE3kbna8Gazeflr2dT
59zeFggSYRreXdd7PZkN32uJLCtPq/RrYLTY2quN7ItdQAMpC2iB4jUQMT655F8v
TPQiywLdeEsLkwb4Ax3dw7pwDPLntDzt73+xAxigDFJbJuQkKn2tJDMkaJ7B+y4X
ZiO9HRRkWXQ=
=yrbc
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBM8Nh2Sh9+71yA2DNAQGOtwP+PTCJi78W/KYQ/JnuvAUP3r8dcADRFkw+
PAu6W8rR106JEIBRurYUGWts/SQt001kJpNQYhlaSommnskaYV8/aJTDiEa729Ti
7AiS5IPctdkn+eFcrVxpJlaBCtS8zFiG60BzvV/kX58JPQGrdbQleA+Tts+HjMN6
Ea9oyNk4nE4=
=ofOa
-----END PGP SIGNATURE-----