www.webdeveloper.com
Results 1 to 3 of 3

Thread: PC World: Malicious HTML in E-Mail Increases: Defense "Turn JavaScript Off" ???

  1. #1
    Join Date
    Feb 2010
    Posts
    4

    PC World: Malicious HTML in E-Mail Increases: Defense "Turn JavaScript Off" ???

    This article was just published on PCWorld.com at
    http://www.pcworld.com/article/20621...increases.html

    As I read it this is about a new twist to an old issue. (see excerpts below)

    The question are...

    1 - I thought JavaScript was in a "sandbox" and prevented inappropriate access to the local machine. Is this no longer true?

    2 - More to the point:
    Can or are any modifications to JavaScript be done by the JavaScript development team... who ever that is (Oracle?)... to fix what ever JavaScript vulnerabilities are being exploited?

    3 - Are there other defenses for the client machine other than those mentioned in the excerpt below? (Turn off JavaScript in their browsers, etc.)

    4 - If there is no vigorous response to this by the JavaScript development team how can we continue to create apps with JavaScript as such will encourage people to simply turn off java script in their browsers and that will encourage other web developers to simply not use JavaScript on their sites.

    5 - Is Oracle the "owner" or "keeper" of javascript? I looked on the Oracle Forums and saw no forum for javascript. If not Oracle who is addressing issues like these?

    Article Excerpts:
    More recently still, the spammers started embedding the JavaScript inside the HTML file (rather than as a simple file attachment), to spread the horrible Zeus banking Trojan.

    "So yes, a seemingly innocent HTML email attachment can do plenty of damage, and while quite stealthy, definitely not harmless," concludes Barracuda Labs' researcher, Dave Michmerhuizen.

    The only defenses against this sort of attack are either for it to be filtered at the gateway so it never reaches the user, or for the user to disable JavaScript in their browser. Security software on the PC might catch the exploit.
    End Excerpt.

  2. #2
    Join Date
    Apr 2003
    Location
    Netherlands
    Posts
    21,654
    It's the e-mail client and browsers at fault, and of course the user, not JavaScript.
    Never open an e-mail attachment from an unknown and untrusted source.

    ECMAScript is the standard, JavaScript is just one of the dialects: http://en.wikipedia.org/wiki/ECMAScript
    ECMAScript working group: http://www.mozilla.org/projects/tama...q.html#whoelse
    At least 98% of internet users' DNA is identical to that of chimpanzees

  3. #3
    Join Date
    Apr 2006
    Location
    Houston
    Posts
    1,374
    Most of these kind of problems are from email attachments in a message that someone clicks on - that is HTML, not JavaScript. Disabling JavaScript in that case will not give you one iota more of protection.

    A brief glimpse at the article gives me the impression the author is more interested in fear mongering than in informing.

    P.S.

    No one owns JavaScript, let alone Oracle.

    If you turned JavaScript off in your browser very few sites would actually work correctly, as most web2.0 sites (as well as any site that uses Ajax) rely on it's existence.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles