Analyzing JavaScript attacks

This post by Juan Miguel Paredes is an amazingly in-depth look at how JavaScript can be crafted to take over a computer through its browser.

The article got me thinking about JavaScript exploits in general, and what can be done to reduce them. The idea that came to me was to build a better browser.

Right now, the ideal way to protect yourself is to install a browser extension like NoScript. This allows you to define which sites you trust JavaScript from and block anything else. NoScript also contains a feature that detects and filters out XSS (cross-site scripting) attacks.

We can’t rely on most users to customize their browser with an extension (if an equivalent one is even available). I want to see this functionality built in.

Microsoft has taken some steps towards this, though not with JavaScript. In the Metro-style Internet Explorer 10, Microsoft has included a plugin for Adobe Flash (a huge source of vulnerabilities), since the user cannot install plugins in the new, streamlined UI paradigm. With Microsoft maintaining the security of the Flash capabilities in the browser, it has implemented a whitelist: Flash content will only play on approved sites.

There will likely be some frustrations with this system as sites and users adjust to it, but I think it’s generally a positive step, and I’d like to see it extended to JavaScript as well.

If the default condition for most users is that JavaScript fails to load from unapproved sources, we’ll slow down the spread of malware and botnets.
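
A default-deny source check of the kind described above, as an added example (not code from the post, NoScript or Internet Explorer). The hostnames, the `*.` entry syntax and all function names are assumptions made for the illustration; the check matches on the parsed hostname rather than on substrings of the URL.

```javascript
// Added illustration: default-deny allowlist for script sources.
// Hosts, entry syntax and function names are hypothetical.

// Sites the user has approved. "*.host" covers host and its subdomains.
const APPROVED = ["example.com", "*.cdn.example.net"];

// Hostname of an http(s) script URL, or null for anything else
// (data:, javascript:, malformed input).
function scriptHost(src, pageUrl) {
  let url;
  try {
    url = new URL(src, pageUrl); // resolves a relative src against the page
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
}

// Exact match, or a match on a label boundary for "*." entries.
function hostMatches(host, entry) {
  if (entry.startsWith("*.")) {
    const base = entry.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === entry;
}

// A script loads only if its host is on the list; everything else is denied.
function isScriptAllowed(src, pageUrl, approved = APPROVED) {
  const host = scriptHost(src, pageUrl);
  if (host === null) return false;
  return approved.some((entry) => hostMatches(host, entry));
}

// Decide for every script source found on a page.
function filterScripts(pageUrl, sources, approved = APPROVED) {
  return sources.map((src) => ({
    src,
    allowed: isScriptAllowed(src, pageUrl, approved),
  }));
}
```

Comparing parsed hostnames is what keeps look-alike sources such as `example.com.evil.test` or `example.com@evil.test` off an allowlist that contains `example.com`.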

