
Javascript and browser based attacks. . .


krp
08-02-2006, 09:20 PM
Just read this a couple of days ago and I am wondering how this sort of attack would, could or will affect GNU/Linux users.

The malicious JavaScript can be embedded in a Web page and will run without warning when the page is viewed in any ordinary browser, the researchers said. It will bypass security measures such as a firewall because it runs through the user's browser, they said.

The full article is here (http://news.com.com/JavaScript+opens+doors+to+browser-based+attacks/2100-7349_3-6099891.html?part=rss&tag=6099891&subj=news).

fos
08-02-2006, 11:18 PM
That's nice to know, and it's nice of them to publish an outline of the techniques they developed! :smiley5:

That is one of the reasons we decided to go with vBulletin software. It is more secure than the previous forum system.

As far as the server is concerned, it is professionally maintained by HostGator and The Planet server farm. I have had very good service from them for over two years. I can count the number of planned outages on one hand and even fewer unplanned outages. All but one has been for less than a half hour. I use SiteUptime to notify me of any server down time.

HG / The Planet are very good at keeping the security patches up to date.

I will start monitoring the HG and vBulletin forums for this new AJAX security weakness.

Thanks for the heads up,

fos....

krp
08-03-2006, 07:46 PM
What bothers me is, assuming I understood the article correctly, that this new weakness basically bypasses any and all security processes that users (like me) may have.

Firewalls, NAT's, routers, DMZ's all mean nothing if this article is correct.

Most browsers enable Javascript by default. Further, as is the case with Firefox and Opera, browsers ask the user if the browser is to save a password. Additionally Javascript is used all over the web for a variety of purposes. Therefore disabling javascript does not really correct the problem. Though it is one way to keep from getting nailed.

Now while this new threat may not be able to access the root account, it can sniff out passwords, account numbers, etc. This could become a real problem for users that do online banking, stock buy and sell and other financial transactions.

I do not allow Firefox to save any password and I do not do any sort of online banking. But the issue here is where do browsers store such information? How can a user wipe sensitive information if they do not have a clue where the data is stored or for how long.

fos
08-03-2006, 10:32 PM
As a result of this new vulnerability, the vBulletin product manager has suggested that all web based applications (including vBulletin) should disable pdf attachments. For that reason, pdf attachments are temporarily disabled here on linuxagora.com.

I hope this doesn't cause anyone problems.

fos....

fos
08-03-2006, 11:15 PM
I just uploaded a patch provided by vBulletin to fix the pdf problem. pdf, re-enabled.

fos....

Lavene
08-04-2006, 01:04 AM
Just read this a couple of days ago and I am wondering how this sort of attack would, could or will affect GNU/Linux users.

The full article is here (http://news.com.com/JavaScript+opens+doors+to+browser-based+attacks/2100-7349_3-6099891.html?part=rss&tag=6099891&subj=news).

This is really nothing new. I think it's about a year since I found this site http://www.auditmypc.com/whats-my-ip.asp

It shows both your external IP and your internal, private IP even if you're behind a router/ firewall.

I think problems like this will continue. The demand for more and more interaction with websites has taken the net and the html protocol to a level it was never designed for. Remember it was originally designed just for showing documents. But now it also has to display images, run scripts, spawn various processes etc. When opening a page with java, java-script, php and what not you are basically downloading and running 'programs' locally. That demands a whole different way of thinking than just showing a html document. So today's browser is not just a html viewer but also a mediaplayer for a huge amount of media formats, a runtime environment for various 'programs', an image viewer, a text editor, a mail reader, a file manager... and all of this with a minimum of user interaction. And new features are dreamt up almost daily so the developers of browsers are forced to concentrate on adding new features rather than making the existing features secure. And the number of bugs increases at an alarming rate. Just check out this blog from the guys behind the Metasploit project: http://browserfun.blogspot.com/

Basically the user has the choice of running a secure system with all features turned off, which basically renders the system unusable, or accepting the risk and trusting his/her common sense. The problem with the latter though is that it also takes quite a deal of knowledge, something the common PC user doesn't have nor want.

Tina

danieldk
08-04-2006, 02:42 AM
It show both your external IP and your internal, private IP even if you're behind a router/ firewall.


Only my external IP. Which is fairly logical, because the machine has to be able to talk to my machine (through NAT).

When opening a page with java, java-script, php and what not you are basically downloading and running 'programs' locally.

PHP does not run locally. Javascript does, Java may. There are also many sites that use Java at the server side, but the client only receives HTML.

And new features are dreamt up almost daily so the developers of browsers is forced to concentrate on adding new features rather than make the exisisting features secure.

In my opinion most browser vendors are fairly conservative. Look how long it took before they started integrating decent SVG support. And such uses were envisioned by the Web's creators. It even took much longer than 'planned', e.g. efforts like VRML stalled. Halfway through the '90s people envisioned that stuff like VRML would be commonplace these days. It still requires all kinds of plugins, and the best plugins are only available for one or two platforms.

I think the primary problem in the future (and even at this moment) are not browser bugs, but buggy and insecure server-side code that allow for cross site scripting attacks, SQL injections, and other kinds of havoc.

And the number of bugs increases at an alarming rate. Just check out this blog from the guys behind the Metasploit project: http://browserfun.blogspot.com/

I think the rate is fairly low, considering that browsers are in the spotlight right now. Many eyes make bugs shallow, so many bugs are being fixed. And in the opensource world projects release advisories for every security bug, even very minor bugs.

The browser problems will probably quiet down. Static code analysis and the opensource "many eyes make bugs shallow" will stabilize code bases a lot (like it happened with many other projects). The problem will be the kids that write the credit card processing scripts for a small business, and will screw that up. There is much more to gain from misusing bad security of some store site than trying to exploit browser bugs.

Lavene
08-04-2006, 07:38 AM
Only my external IP. Which is fairly logical, because the machine has to be able to talk to my machine (through NAT).

This is what it shows for me: " Notice! Your Private IP is 192.168.1.168 and unlike your
external IP of 80.213.82.83, this should be hidden! " and is indeed correct.

PHP does not run locally. Javascript does, Java may. There are also many sites that use Java at the server side, but the client only receives HTML.
Of course... my bad.


I think the primary problem in the future (and even at this moment) are not browser bugs, but buggy and insecure server-side code that allow for cross site scripting attacks, SQL injections, and other kinds of havoc.
That depends on your personal position. To me personally it would be a huge pain in the neck if one of my PCs got compromised since it would mean a whole lot of work, possibly loss of important data and generally cause a mess.

If one of my websites got attacked I would just ask my web host to reinstall yesterday's backup, analyze the log and tell me what happened. If it caused data loss I would also have to email my members and ask them to resubmit if they had contributed after the last backup was made, and have the developers of my CMS come up with a fix. Not a great deal of work on my behalf...

I think the rate is fairly low, considering that browsers are in the spotlight right now. Many eyes make bugs shallow, so many bugs are being fixed. And in the opensource world projects release advisories for every security bug, even very minor bugs.
"Many eyes make bugs shallow" is true to some extent I guess but only if the number of bugs is manageable and users indeed report correctly.
After the last upgrade I did I wanted to report a problem with Firefox but I changed my mind when 'reportbug' reported a whopping 700+ outstanding bugs. Just reading through it to see if my problem was already there would have taken hours. I don't know how big the FF team is but sorting through, prioritizing and verifying that amount of bugs is a daunting task even if you could trust the users to correctly classify every single bug... which of course you can not.

Another problem as the userbase grows is that people don't patch! The computer illiterates greatly outnumber us geeks and most of them are blissfully unaware of the need to keep an up to date system or indeed *how* to keep a system up to date. So a fixed bug is not the same as a non-existent bug.

The only way to really improve on the number of potentially dangerous bugs is to release software with fewer bugs. That is, having the developers write better code. Which of course means longer development time, which means longer release cycles etc etc.

Sadly people demand the latest and greatest no matter how bug ridden the software is. Not long ago I saw someone complaining about Debian not having KDE 3.5.4 about one week *before* it was actually released. Apparently the distro he was using already used a beta of it.

Beta software used to be a test version. Something you used in order to help the developers. But it's not so anymore... Beta is the norm for many people. All they care about is having the latest software. And if you don't hurry releasing a beta you can forget about ever gaining any momentum.

People breaking into various networks like banks, military etc etc is not a really big problem... never was and never will be. It's just more spectacular than having made a thousand zombies that send spam for you.

It's like diseases. We hear about the terrible things like aids, birdflu and TB, but still the disease that causes the most problems in terms of sick days, financial loss and early death is the common cold.

Tina

danieldk
08-04-2006, 08:17 AM
Wrt. website vulnerabilities: I wasn't referring to personal websites, but websites that handle transactions or personal data. No hoster can do something about that, it is not about compromising the web hosting account, but compromising the database or transactions of such a website. And nothing can protect you from such bugs, no browser upgrades, and nobody can check the code (except for the writers), because it is server side code.

Wrt. defect rates: there is some hope: http://www.eecs.harvard.edu/~stuart/papers/usenix06.pdf (yeah, ok, we are talking about OpenBSD here ;))

I should add that "open bugs" does not say too much. Many of them may have been fixed long ago, or are bogus. I know projects with a very good security reputation, that have many open bugs. E.g. the NetBSD bug database has 4000 open bugs. But it is a very secure system, and most security bugs get handled very fast. It is just impossible to check out every minor bug report, quite often because the original submitter does not answer to requests for more information.

And if you do not want the latest and greatest, there's always *BSD, RHEL, Debian Stable, etc.

Lavene
08-04-2006, 09:36 AM
Wrt. website vulnerabilities: I wasn't referring to personal websites, but websites that handle transactions or personal data. No hoster can do something about that, it is not about compromising the web hosting account, but compromising the database or transactions of such a website. And nothing can protect you from such bugs, no browser upgrades, and nobody can check the code (except for the writers), because it is server side code.

I understand what you mean. I just argue that in reality it's not an overall big problem. Bank fraud due to pure computer 'hacking' is minuscule compared to credit card theft, skimming, plain stupidity or mistakes by either bank employees or the customer. The same goes for so called identity theft or credit card fraud.

Imagine that you run a company with say a thousand employees. Your company's product is mainly a web based service and most of your employees are sales people. Now consider these two scenarios:
Your webserver gets compromised in some way causing data loss or data theft. Maybe your user data is 'stolen'. It's a nuisance of course and your IT department spends a few hours reconstructing data, generating new passwords or whatever.
The software that your salespeople use, which could easily be a web browser used to enter data into your internet/ intranet solution, has a nasty bug causing it to continuously crash. Every crash causes their computer to lock up so they have to reboot, log in again etc. A procedure taking say five minutes give or take. So if each computer crashes ten times a day for your nine hundred sales people that is a huge amount of lost time. 900 * 50 minutes a day! That's 750 hours. If each sales rep makes one sale / hour that is 750 lost sales each day.
Guess which one would cost you the most money?

Most of the time, whatever happens to a web based service it's fairly easy to correct and rarely affects the users/ customers at all.

I've worked in the security business (CCTV, access control and alarm systems) for almost twenty years, a few of them as a system designer. The main problem all these years was stupid users. I can count on one hand the number of times our systems were actually breached by clever 'hacking', but the number of times the breach was caused by people wedging doors open, not reporting broken cameras, unplugged equipment, unreported defective equipment... you have no idea.

We *did* have bugs in our software of course but compared to the time we spent educating and reeducating our customers it was hardly noticeable.

I should add that "open bugs" does not say too much. Many of them may have been fixed long ago, or are bogus.

Very true but a huge amount of open bugs decreases the accuracy of bug reporting. Because either you don't bother to report anything, or you submit a duplicate which *could* shed new light on an already existing bug etc. One thing is for sure... no one bothers to read through 700 reports to determine if 'your' bug is already reported.

Tina

krp
08-05-2006, 02:51 PM
This is really notting new. I think it's about a year since I found this site http://www.auditmypc.com/whats-my-ip.asp

It show both your external IP and your internal, private IP even if you're behind a router/ firewall.
Hi Tina,

I just tried that url and it shows only my external IP. My home network is behind a NAT, and as such, it does not show the internal IPs.
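The two observations above (Tina's page reporting a 192.168.x.x address next to her public one, krp's page reporting only the public one) come down to one check a server can make: the address on the TCP connection is always the NAT gateway's public address, while a private address can only be learned from something that runs on the client side and reports it back. The thread does not say how the auditmypc page obtains that client-side address, so the added example below (not code from the thread or from auditmypc) covers only the comparison step: parse both addresses, decide whether the client-reported one is non-routable (RFC 1918, loopback, link-local or the RFC 6598 carrier-grade NAT block), and flag a leak when it differs from what the server saw. The function names and the notice text are my own; the sample addresses are the two quoted in the thread, used here as constructed test input.

```javascript
// Added example, not part of the original thread: classify IPv4 addresses and
// decide whether a client-reported address reveals a private network.

// Non-routable ranges a public web server should never see as a peer address.
const NON_ROUTABLE_RANGES = [
  { cidr: "10.0.0.0/8",      name: "RFC 1918 private" },
  { cidr: "172.16.0.0/12",   name: "RFC 1918 private" },
  { cidr: "192.168.0.0/16",  name: "RFC 1918 private" },
  { cidr: "127.0.0.0/8",     name: "loopback" },
  { cidr: "169.254.0.0/16",  name: "link-local (APIPA)" },
  { cidr: "100.64.0.0/10",   name: "carrier-grade NAT shared space (RFC 6598)" },
];

// Parse a dotted quad into an unsigned 32-bit number; null on any malformed input
// (wrong shape, octet > 255), so callers cannot be fooled by junk like "256.1.1.1".
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(s).trim());
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when the numeric address falls inside base/bits. The ">>> 0" casts keep
// the bitwise results unsigned, since JS bitwise operators work on int32.
function inCidr(addr, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const baseNum = parseIPv4(base);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((baseNum & mask) >>> 0);
}

// Classify one address: invalid, non-routable (with the range name), or public.
function classifyIPv4(s) {
  const addr = parseIPv4(s);
  if (addr === null) return { address: s, valid: false };
  for (const r of NON_ROUTABLE_RANGES) {
    if (inCidr(addr, r.cidr)) {
      return { address: s, valid: true, routable: false, range: r.name };
    }
  }
  return { address: s, valid: true, routable: true, range: "public" };
}

// peerAddress: what the server read off the TCP connection (the NAT's public side).
// clientReportedAddress: an address obtained from code running on the client.
// A leak is flagged only when the client-side address is non-routable AND differs
// from the peer address; a client that can only report its public address, as in
// krp's case, produces no notice.
function detectPrivateLeak(peerAddress, clientReportedAddress) {
  const peer = classifyIPv4(peerAddress);
  const client = classifyIPv4(clientReportedAddress);
  if (!peer.valid || !client.valid) {
    return { leaked: false, message: "could not parse one of the addresses" };
  }
  if (!client.routable && clientReportedAddress !== peerAddress) {
    return {
      leaked: true,
      message: `Notice! Your private IP is ${clientReportedAddress} (${client.range}) ` +
               `and unlike your external IP of ${peerAddress}, this should be hidden.`,
    };
  }
  return { leaked: false, message: `Only your external IP (${peerAddress}) is visible.` };
}

// Constructed sample input: the two addresses quoted in the thread, then krp's
// case where the client-side address matched the public one.
if (typeof require !== "undefined" && require.main === module) {
  console.log(detectPrivateLeak("80.213.82.83", "192.168.1.168").message);
  console.log(detectPrivateLeak("80.213.82.83", "80.213.82.83").message);
}
```

The point of the `routable` check is that a 192.168.x.x address is meaningful to an attacker only because it is different from the public one: it tells them which RFC 1918 block the victim's LAN uses, which is exactly the information a browser-resident script would need before probing internal hosts. Note also that a server cannot learn the private address on its own; anything it reports came from the client, which is why krp's NAT'd machine showed nothing extra.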

Lavene
08-06-2006, 08:17 AM
Yes, it can be avoided if you know what you're doing (or you actually care). But to fix it you have to be aware of it. The first time I went to that site I was really surprised because I thought my router/ firewall would make it impossible. And that's the nature of all exploits really... they target people who don't know about the weakness, don't know how to fix it or indeed don't care. And that kind of computer user is the most common.

Tina

krp
08-06-2006, 05:07 PM
... they target people who don't know about weakness, don't know how to fix or indeed don't care. And that kind of computer users are the most common.

You'll get no argument from me.

I tend to view this whole thing along the lines (to use an analogy) of a car. Yes a great many people are good drivers but how many can repair their vehicle? Very few. People put the key in and turn it on. If the car doesn't start -- it's broke and off to the get well quick shop it goes. Vehicles are tools, no more no less.

The same holds true with computers. It either works or it doesn't. People don't see the computer spewing out malware, viruses, worms etc. It either works or it doesn't.

The key issue is how do we, if we even can, overcome this? And on that score I, for one, have no idea.