Exploiting a lack of security checks in browsers and Web servers, Web worms and viruses are likely to become a major threat to surfers, security researchers speaking at the Black Hat Briefings warned on Thursday.
In separate presentations, researchers showed off techniques for using Javascript code on Web pages to grab browser histories and scan internal networks as well as using AJAX--a technology that adds interactive features to Web sites--to create Web viruses that can steal personal information. The threats are not only theory, but have been used to attack MySpace users and Yahoo users, said Billy Hoffman, lead research and development researcher for Web security firm SPI Dynamics.
"This isn't a proof of concept; this isn't academic," Hoffman told attendees at the Black Hat Briefings. "People are already doing this."
...
Grossman showed off techniques for detecting which of a list of popular sites that a victim has visited and demonstrated a way to port scan an internal network to which the victim is connected, all through Javascript and without exploiting vulnerabilities.
"We don't need to hack the operating system anymore--everything you need to attack is online," Grossman said.
...
There are few other defenses against the attacks, aside from turning off Javascript, Hoffman said.
Secure Sockets Layer (SSL) encryption, far from helping secure against such attacks, could instead aid them in dodging detection by intrusion detection, or prevention, systems, he said. If the Web site from which the attack is launched uses SSL, then the traffic--encrypted between the site and the user--cannot be parsed by a network-based IDS system.
The most permanent fix would be for browser makers to find ways to confirm that AJAX code is indeed running in the context of the current Web site being visited by a user, while marking Web requests with the source of the request--whether a human or a script--could limit attacks on high-value sites, such as brokerage firms and banks.
"We have made a call out to the browsers makers to fix the problems," Grossman said. "We hope it comes soon before the bad attacks happen."
[MORE]