Warning! Re: Netscape 2.0 & JavaScript (long) (fwd)

Rohit Khare (khare@pest.w3.org)
Thu, 29 Feb 96 13:44:17 -0500

M$ was by yesterday, and they told us a very convincing story on how they are
dealing with 'scripting viruses' in many different ways. Netscape hasn't even
begun, apparently...

Rohit Khare

Begin forwarded message:

Date: Wed, 28 Feb 1996 21:53:48 -0800 (PST)
From: Marc Hedlund <marc@organic.com>
To: nelson@santafe.edu, phawk@teleport.com, kt@webstorm.com,
jgoody@cats.ucsc.edu, rohit@w3.org
Subject: Warning! Re: Netscape 2.0 & JavaScript (long) (fwd)

Holy Shit. Read this whole document and throw out your copy of Netscape
2.0, please. CERT, RISKS, and a couple of news organizations have been

Marc Hedlund, Organic Online <marc@organic.com>

---------- Forwarded message ----------

"THE WORLD WIDE WEB SECURITY FAQ (Version 1.2.0, February 28 1996)"
by Lincoln D. Stein <lstein@genome.wi.mit.edu>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Q69: What's the difference between Java and JavaScript?

Despite the similarity in names, Java and JavaScript are two separate
entities. Java is a language designed by SunSoft (a division of Sun
Microsystems). Java scripts are precompiled into a compact form and
stored on the server's side of the connection. HTML documents refer to
the mini-applications known as Java "applets" by incorporating
<APPLET> tags. Browsers that support the <APPLET> tag (currently only
Netscape Navigator 2.0 and Sun's HotJava), download the compiled Java
applications and execute them.

JavaScript is a series of extensions to the HTML language understood
only by Netscape Navigator version 2.0. It's an interpreted language
designed for controlling the Netscape browser; it has the ability to
open and close windows, manipulate form elements, adjust browser
settings, and download and execute Java applets.

Although JavaScript has a similar syntax to Java, it is quite distinct
in many ways.

Q71: Are there any known security holes in JavaScript?

You should be extremely concerned about JavaScript, an integral part
of Netscape Navigator 2.0. It allows many types of private information
to be included in data submitted to remote sites by fill-out forms,
without the consent, or even the knowledge of the user. For example, a
recently published script showed how a JavaScript page could grab a
user's e-mail address from Netscape's preferences dialog and send it
user's e-mail address from Netscape's preferences dialog and send it
across the Internet.

This is just the beginning. Others have figured out how to exploit
JavaScript to make much more intrusive invasions of the user's
privacy. The scripts at:
* <http://www.c2.org/~aelana/javascript.html and
* <http://www.osf.org/~loverso/javascript/track-me.html

demonstrate how to take the following obnoxious actions:
1. Read the user's URL history list and transmit it to a remote site.
2. Read the user's disk cache (containing URLs of all frequently
visited sites) and transmit it to a remote site.
3. Invisibly monitor all the sites a user visits and transmit them
one by one to a remote site (the monitoring persists until the
user completely exits from Netscape)
4. Obtain a recursive directory listing of the user's local hard disk
and any network disks that happen to be mounted.

In addition, it should be possible to exploit the same holes to grab
the user's list of subscribed newsgroups and to obtain the contents of
local disk files.

Not only is this intrusive, but it represents a systemwide security
breach. If sensitive system documents (such as password files) can be
stolen, then the entire local area network becomes vulnerable to break

There doesn't seem to be any way to turn JavaScript off, so the
recommended solution is to _use Netscape 1.1 or another vendor's
browser_. Turning off Java in the Security Preferences dialog box has
no effect on JavaScript.
------- end -------