As I read it, this is about a new twist on an old issue (see excerpts below).
The questions are...
1 - I thought JavaScript was in a "sandbox" and prevented inappropriate access to the local machine. Is this no longer true?
2 - More to the point:
Can or are any modifications to JavaScript be done by the JavaScript development team... whoever that is (Oracle?)... to fix whatever JavaScript vulnerabilities are being exploited?
3 - Are there other defenses for the client machine other than those mentioned in the excerpt below? (Turn off JavaScript in their browsers, etc.)
4 - If there is no vigorous response to this by the JavaScript development team, how can we continue to create apps with JavaScript? Such a situation will encourage people to simply turn off JavaScript in their browsers, and that will encourage other web developers to simply not use JavaScript on their sites.
5 - Is Oracle the "owner" or "keeper" of JavaScript? I looked on the Oracle Forums and saw no forum for JavaScript. If not Oracle, who is addressing issues like these?
Article Excerpts:
More recently still, the spammers started embedding the JavaScript inside the HTML file (rather than as a simple file attachment), to spread the horrible Zeus banking Trojan.
"So yes, a seemingly innocent HTML email attachment can do plenty of damage, and while quite stealthy, definitely not harmless," concludes Barracuda Labs' researcher, Dave Michmerhuizen.
The only defenses against this sort of attack are either for it to be filtered at the gateway so it never reaches the user, or for the user to disable JavaScript in their browser. Security software on the PC might catch the exploit.
End Excerpt.
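As an added example that is not part of this thread, here is one way to implement the gateway-side filtering the excerpt mentions, in Python: parse the message and flag any HTML attachment that carries a script element, an inline event handler or a javascript: URI. The sample message, its addresses and its attachment are constructed here for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

class ScriptDetector(HTMLParser):
    """Collects HTML constructs that execute script when the file is opened."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for name, value in attrs:
            if name.startswith("on"):  # inline handlers: onload, onerror, ...
                self.findings.append(f"{tag} {name}= handler")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag} {name}=javascript: URI")

def scan_message(raw: bytes) -> list[str]:
    """Return one finding per active-content construct found in HTML attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = (part.get_filename() or "").lower()
        is_html = part.get_content_type() == "text/html"
        is_attachment = part.is_attachment() or filename.endswith((".htm", ".html"))
        if not (is_html and is_attachment):
            continue  # inline HTML bodies are rendered by the mail client, not opened as a file
        det = ScriptDetector()
        det.feed(part.get_content())
        findings.extend(f"{filename or '(unnamed)'}: {f}" for f in det.findings)
    return findings

def build_sample() -> bytes:
    """Constructed sample: a message carrying an .html attachment with embedded script."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    html = ('<html><body onload="run()">Loading...'
            '<script>window.location="http://example.invalid/";</script>'
            '<a href="javascript:void(0)">x</a></body></html>')
    msg.add_attachment(html, subtype="html", filename="invoice.html")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print("BLOCK:", finding)
```

A real gateway would quarantine or strip the attachment rather than print; the parser approach also catches handlers and URIs that a plain search for the string "<script" would miss.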
It's the e-mail client and browsers at fault, and of course the user, not JavaScript.
Never open an e-mail attachment from an unknown and untrusted source.
Most of these kinds of problems are from email attachments in a message that someone clicks on - that is HTML, not JavaScript. Disabling JavaScript in that case will not give you one iota more of protection.
A brief glimpse at the article gives me the impression the author is more interested in fear mongering than in informing.
P.S.
No one owns JavaScript, let alone Oracle.
If you turned JavaScript off in your browser very few sites would actually work correctly, as most web2.0 sites (as well as any site that uses Ajax) rely on its existence.