JavaScript security flaw


Tip
Guess what? Another browser security hole. This time the culprit is the JavaScript language, which researchers at Carnegie Mellon University's Computer Emergency Response Team Coordination Center recently discovered to be less than secure (read the advisory at ftp://info.cert.org/pub/cert_advisories/CA-97.20.javascript). A flaw in the language permits hackers to track the URLs you visit, capture any passwords you enter into forms, and view the contents of cookie files stored on your computer.
It's unlikely that any sites bearing lethal JavaScript actually exist, but frequent Web surfers would be well-advised to protect themselves. The best way is to install an updated version of your Web browser that closes the hole. Netscape Navigator 3.03 and Communicator 4.01a (http://home.netscape.com/download/) and a patch to Internet Explorer 3.02 (http://www.microsoft.com/ie/security/bell.htm) plug the hole.
The current beta version of Internet Explorer 4.0 -- Preview 2 -- has fixed the problem, but the Preview 1 release is susceptible. Preview 1 users can protect themselves by disabling Internet Explorer's JavaScript support. Select View--Options--Security, click the Custom button, then click Settings. Under the Scripting heading and the Active Scripting subheading, click the Disable radio button, then click OK twice.
- Scott Spanbauer

Category: Bugs and fixes
Issue: Nov 1997
Pages: 171

These Web pages are produced by Australian PC World © 1997 IDG Communications