Javascript Attacks on Steroids
LAS VEGAS -- Just sat through a rather disturbing presentation here at Black Hat on how bad guys can use Javascript to circumvent hardware and software firewalls and wreak havoc on a target's internal network.
Jeremiah Grossman and T.C. Niedzialkowski, both of Santa Clara, Calif.-based WhiteHat Security, showed Javascript tricks that could allow attackers to monitor which sites users have visited, change the configuration of their firewalls, and even record victims' keyboard strokes.
Javascript is a powerful programming language that works seamlessly across multiple Web browsers and operating systems, but online criminals can tap into that power to effectively force browsers that visit malicious sites to do their bidding.
Using a Web server he and Niedzialkowski had seeded with invisible code, Grossman demonstrated how he could view which sites a test browser had recently visited. The code also divulged the user's internal network address -- information that is supposed to be hidden by the firewall. Later in the demo, he showed a Javascript attack that altered the test victim's firewall settings to allow attackers to punch through directly into the internal network.
Javascript attacks have become more prevalent over the past year. Many sites that cater to people searching for "cracks" -- copy-protection hacks that make it easier to use pirated software -- routinely use scripts to silently install malware.
Grossman said an attacker who managed to compromise a large number of computers using Javascript would have no trouble forcing those victims to unknowingly participate in all kinds of illegal activities, from click fraud to downloading illegal content, or using the combined power of the affected machines to conduct denial-of-service attacks capable of knocking a targeted Web site offline.
There are free tools available to help users block certain types of Javascript attacks. The NoScript extension for Firefox blocks all scripts by default, allowing the user to turn Javascript back on if they visit a trusted site and want to view content that requires it. But NoScript also remembers which sites the user has selected, and Javascript attacks are increasingly showing up on social-networking sites like Myspace.com and other places that many users implicitly trust.
Another tool I use on most of my machines is the Netcraft Toolbar, which does a pretty decent job of warning you before the browser loads sites that attempt to use known Javascript attack code.
But Grossman cautioned that these tools are not a comprehensive antiscript shield. "These are all designed to spot the bad sites, not necessarily good sites doing bad things," he said. [Security Fix]