March 16th, 2007

ronin

JavaScript is hidden everywhere.


If you supposed it stops with your browser seeing JavaScript in HTML pages themselves, think again:

QuickTime - Apple software designers/coders must have thought it a cool idea to allow JavaScript inside a QuickTime movie. Yep, a movie isn't just some moving images; it can just as well contain (malicious) code that will be executed by the movie viewer that gets embedded in the pages you show. Didier Stevens has a blog entry about it, explaining it in detail. ( http://didierstevens.wordpress.com/2007/03/12/p0wned-by-a-qt-movie/ )

PDF - Unfortunately PDF files can also contain embedded JavaScript, and have had their share of problems with it as well. ( http://mackys.livejournal.com/404531.html )

MP3 - Contains just music, right? Well, many will be copyright lawsuits waiting to happen if you let the music industry, but yep, they too can contain scripting. Granted, you might need QuickTime installed to get to it, but most iPod owners will have iTunes, and that comes with QuickTime bundled into it...

Unfortunately there are many more formats that allow remote code execution by allowing scripting or extensive macro languages.


http://isc.sans.org/diary.html?storyid=2457


We do not learn. Remember Word macro viruses? JavaScript is Word Macro Viruses, reloaded. And now people who think they are "smart" are embedding JavaScript in everything. For reasons that I can't even fathom. (Why does my video clip need an embedded scripting language??)

The web's addiction to JavaScript is a mistake. JavaScript is insecure and it's used at least as much by the bad guys as the good guys. And, as always, I have yet to see JavaScript do anything that couldn't be done better by a CGI script or an applet.

Maybe if the people in charge of the ECMAScript standards wake up, we'll begin to see some kind of secure version of JScript. But don't hold your breath. Nobody wants to kill this golden goose - even if its fleas are giving us bubonic plague. It's possible that someday we'll have a secure web scripting language. But today is not that day, and JavaScript is not that scripting language.


I'll say it again: Get and use NoScript. There's no reason whatsoever that you should be allowing any random website to run JavaScript on your machine.