• Home
• About Us
  • Company
  • Organization
  • Board of Directors
  • History
• Information security
  • PCI Audits
  • Technical Security Audits
  • Security Management Audits
  • Identity Management Consulting
  • Security Management Consulting
• Software Development
  • Operating Systems and Protocols
  • Rapid Software Development
  • Test Automation
  • Secure Software Development
• Network Integration
  • Infrastructure Development
  • Infrastructure Operations
• References
• News & Events
  • News
  • Events
  • Nixu Newsletter
• Jobs
• Contact Us

Old threat in a new form

Software vendors have released security updates as concerns over browser security have yet again been raised.

"Some of the reported problems are not new. Rather, further investigations have revealed that some problems previously considered as mere annoying flaws, are actually rather critical security threats" says Kim Johansson, Information Security Consultant from Nixu.

Many commercial websites rely on Javascript. As individuals surfing the net connect to such service, their browsers retrieve the scripts from the server and execute them on one's computer. As Javascripts are being run in isolated sandboxes, they have generally been considered safe.

During the summer of 2006, research team based in the United States have shown that Javascript can be used to attack end-users' computers, and grant an unauthorized access to the network the machine is connected to.

"The odds are that we will see the first criminal attacks exploiting this security flaw in the near future" predicts Johansson. "Attacks via web applications are difficult to block, as being cautious doesn't necessarily help: as long as you surf the net, you are in danger."

The threat cannot be avoided by visiting only known and trusted websites, as many of those services have cross site scripting problems that enable attacks from outside the trusted website.

Making matters more complicated, Javascript is a pivotal technology to web services: regardless of potential security flaws, the industry cannot afford to move away from it.

"It is going to take a while before all vendors have updated their products to address these threats. And it is going to take even longer before the new, secure browser versions are running on all computers around the world. Until that time, the least one can do is to limit the related attacks only to the computer that has retrieved the malicious Javascript and executed it."

To protect an organization from vulnerabilities such as this, extensive planning and thorough implementation of information security policies take the leading role.

"Limiting access to network interfaces is only the starting point: there are also other things to consider. To protect one's organization, it is important to make sure that all affected areas have been checked and addressed appropriately: Web Services, user rights, and workstation and application security. For example, ordinary user should have minimal user rights so that their applications run just barely. An application with administrator privileges can really cause havoc."