****************************************************************************** ------ ----- ----- --- ----- | ----- ---- | | | | | |--- | | | | | | | | | |-- | | | | |-- | | | | | | | | \ | | ----- ---- ----- ----- | \ ----- A D V I S O R Y 97.35 ****************************************************************************** Topic: JavaScript Vulnerability Source: CERT/CC Creation Date: July 8, 1997 Last Updated: To aid in the wide distribution of essential security information, FedCIRC is forwarding the following information from CERT/CC advisory CA-97.20. FedCIRC urges you to act on this information as soon as possible. If you have any questions, please contact FedCIRC: Telephone: +1 888 282 0870 Email: fedcirc@fedcirc.gov =======================FORWARDED TEXT STARTS HERE============================ -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= CERT* Advisory CA-97.20 Original issue date: July 8, 1997 Last revised: -- Topic: JavaScript Vulnerability - ----------------------------------------------------------------------------- The CERT Coordination Center has received reports of a vulnerability in JavaScript that enables remote attackers to monitor a user's Web activities. The vulnerability affects several Web browsers that support JavaScript. The vulnerability can be exploited even if the browser is behind a firewall and even when users browse "secure" HTTPS-based documents. The CERT/CC team recommends installing a patch from your vendor or upgrading to a version that is not vulnerable to this problem (see Section III. A). Until you can do so, we recommend disabling JavaScript (see Section III.B). We will update this advisory as we receive additional information. Please check our advisory files regularly for updates that relate to your site. - ----------------------------------------------------------------------------- I. Description Several web browsers support the ability to download JavaScript programs with an HTML page and execute them within the browser. These programs are typically used to interact with the browser user and transmit information between the browser and the Web server that provided the page. JavaScript programs are executed within the security context of the page with which they were downloaded, and they have restricted access to other resources within the browser. Security flaws exist in certain Web browsers that permit JavaScript programs to monitor a user's browser activities beyond the security context of the page with which the program was downloaded. It may not be obvious to the browser user that such a program is running, and it may be difficult or impossible for the browser user to determine if the program is transmitting information back to its web server. The vulnerability can be exploited even if the Web browser is behind a firewall (if JavaScript is permitted through the firewall) and even when users browse "secure" HTTPS-based documents. II. Impact This vulnerability permits remote attackers to monitor a user's browser activity, including: * observing the URLs of visited documents, * observing data filled into HTML forms (including passwords), and * observing the values of cookies. III. Solution The best solution is to obtain a patch from your vendor or upgrade to a version that is not vulnerable to this problem. If a patch or upgrade is not available, or you cannot install it right away, we recommend disabling JavaScript until the fix is installed. A. Obtain and install a patch for this problem. We are currently in communication with vendors about this problem. See Appendix A for the current information. We will update the appendix when we receive further information. B. Disable JavaScript. Until you are able to install the appropriate patch, we recommend disabling JavaScript in your browser. Note that JavaScript and Java are two different languages, and this particular problem is only with JavaScript. Enabling or disabling Java rather than JavaScript will have no affect on this problem. The way to disable JavaScript is specific to each browser. The option, if available at all, is typically found as one of the Options or Preferences settings. ........................................................................ Appendix A - Vendor Information Below is information we have received from vendors. We will update this appendix as we receive additional information. Microsoft ========= Microsoft will announce their patches for this problem at http://www.microsoft.com/ie/security/update.htm - ----------------------------------------------------------------------------- The CERT Coordination Center thanks Vinod Anupam of Bell Labs, Lucent Technologies, for identifying and analyzing this problem, and vendors for their support in responding to this problem. - ----------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (see http://www.first.org/team-info/). CERT/CC Contact Information - ---------------------------- Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4) and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA Using encryption We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key Getting security information CERT publications and other security information are available from http://www.cert.org/ ftp://info.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org In the subject line, type SUBSCRIBE your-email-address - --------------------------------------------------------------------------- * Registered U.S. Patent and Trademark Office. Copyright 1997 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included. The CERT Coordination Center is part of the Software Engineering Institute (SEI). The SEI is sponsored by the U.S. Department of Defense. - --------------------------------------------------------------------------- This file: ftp://info.cert.org/pub/cert_advisories/CA-97.20.javascript http://www.cert.org click on "CERT Advisories" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision history -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBM8Khu3VP+x0t4w7BAQGTtwP9Gw00odgsPPBU3XCE3kbna8Gazeflr2dT 59zeFggSYRreXdd7PZkN32uJLCtPq/RrYLTY2quN7ItdQAMpC2iB4jUQMT655F8v TPQiywLdeEsLkwb4Ax3dw7pwDPLntDzt73+xAxigDFJbJuQkKn2tJDMkaJ7B+y4X ZiO9HRRkWXQ= =yrbc -----END PGP SIGNATURE----- ========================FORWARDED TEXT ENDS HERE============================= The National Institute of Standards and Technology (NIST) has established a Federal Computer Incident response Capability (FedCIRC) to assist federal civilians agencies in their incident handling efforts by providing proactive and reactive computer security related services. FedCIRC is a partnership among NIST, the Computer Incident Advisory Capability (CIAC), and the CERT* Coordination Center (CERT/CC). If you believe that your system has been compromised, please contact FedCIRC: Telephone: +1 888 282 0870 Email: fedcirc@fedcirc.gov Web Server: http://www.fedcirc.gov/ * Registered in U.S. Patent and Trademark Office The CERT Coordination Center is part of the Software Engineering Institute. The Software Engineering Institute is sponsored by the U.S. Department of Defense. CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.