I am not actively collecting or reporting problems related to JavaScript.
This does not mean there are none in Netscape's Navigator or in Microsoft's Internet Explorer. Rather, my available time is being spent on other, more important pursuits.
I do not offer JavaScript consulting services.
Please do not send me your JavaScript (or Java) code or questions, or pointers to such.
If you insist on doing so, I'll have to insist on billing you. And you can't afford me.
The press had a spotty record of reporting correctly on this as it happened in 1996. I've prepared a small report on the stories I've seen. I'm amazed at how inaccurate some of the stories are! You'd think that they would have at least read some of what I've written! If you see an article in the press mentioning these pages, please let me know (John LoVerso).
It's been over 6 years since I first wrote this page. JavaScript exploits continue to plague all browsers.
JavaScript from Internet Explorer has succeeded in making many Windows applications exploitable. This has blossomed into a new wave of email viruses that take advantage of mail programs like Eudora and Outlook. IE 6.0 is far from safe (really!). Microsoft's attitude about security was best summed up in one of their "Security Bulletins" where they suggested an appropriate workaround for one of the latest IE flaws was to not visit untrusted web sites. So much for web surfing (Psst: Hey, Microsoft, they are all untrusted web sites).
No one should be using Netscape Navigator (4.x or earlier) anymore. I really loved the exploit that embedded JavaScript in a GIF comment field; good old Navigator happily executed it! Get thee over to mozilla and download the latest build. It's still a little slower than Navigator, but far more stable and secure. (oh, it's not been immune from JavaScript exploits, but it's far better than anything else available right now)
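As an added defender-side check (my own example, not code from this page or from Netscape), here is a small Python scanner that walks a GIF's block structure and flags Comment Extension blocks that carry script-like text, which is the channel the Navigator exploit just mentioned abused. The constructed 1x1 sample GIF and the heuristic pattern are both my own assumptions; the block walking follows the GIF89a layout (header, logical screen descriptor, colour tables, extension and image blocks, trailer).

```python
import re
# Heuristic for script-like text in a comment block (the pattern is my own, not from the page).
SCRIPT_RE = re.compile(rb"<script|javascript:|\bon(?:load|error|click)\s*=", re.IGNORECASE)

def _read_sub_blocks(data, pos):
    # GIF data sub-blocks: a length byte, that many bytes, repeated until a 0x00 length byte.
    chunks = []
    while True:
        size, pos = data[pos], pos + 1        # IndexError here means a truncated file
        if size == 0:
            return b"".join(chunks), pos      # joined payload, offset just past the terminator
        chunks.append(data[pos:pos + size])
        pos += size

def gif_comments(data):
    """Walk the GIF block structure and return the payload of every Comment Extension (0x21 0xFE)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed, pos = data[10], 13                # logical screen descriptor packed byte; blocks start at 13
    if packed & 0x80:                         # global colour table: 2^(N+1) entries of 3 bytes
        pos += 3 * (2 << (packed & 0x07))
    comments = []
    while pos < len(data):
        block, pos = data[pos], pos + 1
        if block == 0x3B:                     # trailer
            break
        if block == 0x21:                     # extension: label byte, then sub-blocks
            label, pos = data[pos], pos + 1
            payload, pos = _read_sub_blocks(data, pos)
            if label == 0xFE:
                comments.append(payload)
        elif block == 0x2C:                   # image descriptor: 9 bytes, optional local table, LZW data
            lpacked, pos = data[pos + 8], pos + 9
            if lpacked & 0x80:
                pos += 3 * (2 << (lpacked & 0x07))
            _, pos = _read_sub_blocks(data, pos + 1)   # +1 skips the LZW minimum code size byte
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (block, pos - 1))
    return comments

def suspicious_comments(data):
    # A comment block has no legitimate reason to carry markup or script; flag any that does.
    return [c for c in gif_comments(data) if SCRIPT_RE.search(c)]

def build_sample_gif(comment):
    """Constructed 1x1 GIF89a carrying one Comment Extension (sample input, not a real-world file)."""
    sub = b"".join(bytes([len(comment[i:i + 255])]) + comment[i:i + 255] for i in range(0, len(comment), 255))
    return (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff" + b"\x21\xfe" + sub + b"\x00"   # header, LSD, 2-entry GCT, comment
            + b"\x21\xf9\x04\x01\x00\x00\x00\x00"                                                       # graphic control extension
            + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")                       # image descriptor, LZW data, trailer
```

Comments longer than 255 bytes are split across several sub-blocks on disk, so the scanner joins them before matching; a pattern straddling a sub-block boundary is still caught.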
Sadly, other browsers, like Opera, have followed in MS and Netscape's footsteps and created their own list of security problems by adding JavaScript in an unsafe fashion. IMHO, Opera is still nowhere near as safe as Mozilla.
Want the latest on security exploits? I suggest a visit to George Guninski's Security Research pages. I consider him exceptionally adept in finding problems. I'd like to think that if I had ever stayed this course (rather than getting back to real work) I might be discovering and reporting as many problems as George!
Netscape Navigator 3.0, 3.01, and 4.0 have a bug in JavaScript that allows arbitrary files to be uploaded from your computer without your knowledge. I had no part in discovering this bug. However, with Paul Kooros, we created an independent exploit for it before Netscape released 4.01.
It was alarming that the fix for this, a release of 4.01, was only initially made for Windows 95. This left every other platform vulnerable. However, by 4.03 (and/or 4.03b8 on many platforms) this bug was fixed.
I held off releasing the exploits for the March 18 and March 21 bugs partially because they are nasty problems and partially because Netscape asked me to. Even though they were both fixed in both 3.0 "preview releases", I've waited until 2.02 was released. Hence, they are now linked in below.
As of May 1, I have made this exploit available.
As of May 5/1, I have made this exploit available.
Anyway, utilizing a Save File dialog as the initiator, this lets me build a history tracker that works with 2.01. I've created a sample exploit. This writes the same log as my 2/22 tracker, so use this to view the tail of the logfile.
Note that with 2.01, the 1x1 window previously used ends up being bigger, so you can easily see it flash. And, the "stuck onload" gets unstuck by visiting another page with an onLoad() tag. This may not be a very intriguing way to spy on someone.
JavaScript loaded from some page can write to local files on your disk. This info is from my news posting to the devs-javascript group. This is the basic bit of code:
    document.open("Can I write to your disk?")
    document.write("<censored>")
    document.close()
This trick requires the user to go through a File Save dialog, and hence, is not transparent. The user chooses the file name, but I'm able to write to disk nonetheless. This is quite against the stated fact that JavaScript is "Secure. Cannot write to hard disk" - and this works in 2.01.
Try my example.
For me, this always caused a GPF on Windows NT. That is, once the File Save dialog appeared, no matter what I selected, it went poof! It seems to core dump the UNIX version of Navigator if you don't open up a new window relatively fast (i.e., before you go to some other JavaScript laden page). I've found that nasty things begin to happen if you click on Cancel in the Save dialog (see March 18 for details).
Note that the file never gets closed until you exit Netscape, so small writes tend to get buffered up and not output.
These above-mentioned bugs with this mechanism initially led me to believe that the ability to write files was errantly added to JavaScript. Brendan Eich has since informed me that this ability is intentional, or at least, known about.
This problem has been fixed in Netscape-2.01; see Netscape's security note on Java and JavaScript.
You can read the original article I posted to the RISKS Forum on this problem. That whole issue is also available in the archive in the UK. Another article of interest appeared in Keith Dawson's TBTF on Feb 27, 1996.
This is fixed in Netscape-2.01.