**************************************************************************
Security Bulletin 9718 DISA Defense Communications System
July 9, 1997 Published by: DISN Security Coordination Center
(SCC@NIC.MIL) 1-(800) 365-3642
The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil.
**************************************************************************
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
! !
! The following important advisory was issued by the Computer !
! Emergency Response Team (CERT) and is being relayed unedited !
! via the Defense Information Systems Agency's Security !
! Coordination Center distribution system as a means of !
! providing DISN subscribers with useful security information. !
! !
+ - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - +
- -----------------------------------------------------------------------------
The CERT Coordination Center has received reports of a vulnerability in JavaScript that enables remote attackers to monitor a user's Web activities. The vulnerability affects several Web browsers that support JavaScript.
The vulnerability can be exploited even if the browser is behind a firewall and even when users browse "secure" HTTPS-based documents.
The CERT/CC team recommends installing a patch from your vendor or upgrading to a version that is not vulnerable to this problem (see Section III. A). Until you can do so, we recommend disabling JavaScript (see Section III.B).
We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to your site.
- -----------------------------------------------------------------------------
Several web browsers support the ability to download JavaScript programs with an HTML page and execute them within the browser. These programs are typically used to interact with the browser user and transmit information between the browser and the Web server that provided the page.
JavaScript programs are executed within the security context of the page with which they were downloaded, and they have restricted access to other resources within the browser. Security flaws exist in certain Web browsers that permit JavaScript programs to monitor a user's browser activities beyond the security context of the page with which the program was downloaded. It may not be obvious to the browser user that such a program is running, and it may be difficult or impossible for the browser user to determine if the program is transmitting information back to its web server.
The vulnerability can be exploited even if the Web browser is behind a firewall (if JavaScript is permitted through the firewall) and even when users browse "secure" HTTPS-based documents.
This vulnerability permits remote attackers to monitor a user's browser activity, including:
The best solution is to obtain a patch from your vendor or upgrade to a version that is not vulnerable to this problem. If a patch or upgrade is not available, or you cannot install it right away, we recommend disabling JavaScript until the fix is installed.
We are currently in communication with vendors about this problem. See Appendix A for the current information. We will update the appendix when we receive further information.
Until you are able to install the appropriate patch, we recommend disabling JavaScript in your browser. Note that JavaScript and Java are two different languages, and this particular problem is only with JavaScript. Enabling or disabling Java rather than JavaScript will have no affect on this problem.
The way to disable JavaScript is specific to each browser. The option, if available at all, is typically found as one of the Options or Preferences settings.
........................................................................
Below is information we have received from vendors. We will update this appendix as we receive additional information.
http://www.microsoft.com/ie/security/update.htm
- -----------------------------------------------------------------------------
The CERT Coordination Center thanks Vinod Anupam of Bell Labs, Lucent Technologies, for identifying and analyzing this problem, and vendors for their support in responding to this problem.
- -----------------------------------------------------------------------------
If you believe that your system has been compromised,
contact the CERT Coordination Center or your representative in
the Forum of Incident Response and Security Teams (see http://www.first.org/team-info/).
- ----------------------------
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
and are on call for emergencies during other hours.
Fax +1 412-268-6989
We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information.
ftp://info.cert.org/pub/CERT_PGP.key
CERT publications and other security information are available from
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce
To be added to our mailing list for advisories and bulletins, send
email to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address
- ---------------------------------------------------------------------------
This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included.
The CERT Coordination Center is part of the Software Engineering Institute (SEI). The SEI is sponsored by the U.S. Department of Defense.
- ---------------------------------------------------------------------------
This file: ftp://info.cert.org/pub/cert_advisories/CA-97.20.javascript
http://www.cert.org
click on "CERT Advisories"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
****************************************************************************
* *
* *
* *
* *
* *
* *
* *
* *
****************************************************************************
PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.
This document was prepared as an service to the DOD
community. Neither the United States Government nor any of their
employees, makes any warranty, expressed or implied, or assumes
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, product, or process disclosed,
or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government. The
opinions of the authors expressed herein do not necessarily state
or reflect those of the United States Government, and shall not
be used for advertising or product endorsement purposes.