DonkBoy Internet
Home of the famous
Information Archives.
"For the curious"

Experts Warn of Serious New Web Risk
------------------------------------------------------------

Eric Schultze, Associated Press
 
WASHINGTON (AP) - The nation's top computer experts warned Internet
users Wednesday about a serious new security threat that allows
hackers to launch malicious programs on a victim's computer or
capture information a person volunteers on a Web site, such as
credit card numbers.

The threat, dubbed ''cross-site scripting,'' involves dangerous
computer code that can be hidden within innocuous-looking links to
popular Internet sites. The links can be e-mailed to victims or
published to online discussion groups and Web pages.

The vulnerability was especially unusual because it is not limited
to software from any particular company. Any Web browser on any
computer visiting a complex Web site is at risk.

No one apparently has been victimized yet. But the risks were
described as potentially so serious and affected such a breadth of
even the largest, most successful Web sites that the industry's
leading security group said nothing consumers can do will
completely protect them.

Only a massive effort by Web site designers can eliminate the
threat, according to the CERT Coordination Center of Carnegie
Mellon University and others. Software engineers at CERT issued the
warning Wednesday together with the FBI and the Defense Department.

The problem, discovered weeks ago but publicly disclosed Wednesday,
occurs when complex Internet sites fail to verify that hidden
software code sent from a consumer's browser is safe.

Experts looking at how often such filtering occurred found that
Internet sites failing to perform that important safety check were
''the rule rather than the exception,'' said Scott Culp, the top
security program manager at Microsoft.

''Any information that I type into a form, what pages I visit on
that site, anything that happens in that session can be sent to a
third-party, and it can be done transparently,'' Culp warned. He
added: ''You do have to click on a link or follow a link in order
for this to happen.''

The dangerous code also can alter information displayed in a
consumer's Web browser, such as account balances or stock prices at
financial sites. And it can capture and quietly forward to others a
Web site's ''cookie,'' a small snippet of data that could help
hackers impersonate a consumer on some Internet pages.

''It really goes across a huge number of sites,'' said Marc Slemko,
a Canadian software expert who studied the problem. Slemko said
Internet-wide repairs will be ''a very, very major undertaking.''

In the interim, experts strongly cautioned Internet users against
clicking on Web links from untrusted sources, such as unsolicited
e-mail or messages sent to discussion forums.

They also recommended that consumers at least consider preventing
their Web browser software from launching small programs, called
scripts. But they acknowledged that many Internet sites require
that function to operate.

''A large number of sites simply aren't usable'' without those
functions, Slemko said.

Microsoft said it planned to publish full details and step-by-step
instructions for consumers at its Web site,
www.microsoft.com/security.

------------------------------------------------------------
