
SANS ISC: Javascript/AJAX/Worm Like Behavior - Internet Security | DShield SANS ISC InfoSec Forums


Javascript/AJAX/Worm Like Behavior
We have seen the Yamanner worm spread throughout Yahoo over the past few days. This worm manages to spread without the user doing anything other than viewing a malicious email. Yahoo, to its credit, had already fixed the exploit in its new beta client.

Software developers and webmasters alike should take this as a warning: new exploits will be coming that use JavaScript and Ajax-like behavior to spread. The current worm could readily be modified to spread across any system that does not escape JavaScript when displaying data from a foreign source. Web developers should reexamine their code and make sure that display functions never deliver potentially malicious code to the browser.

After testing several popular web applications, we have found that several are in fact vulnerable to the very same type of exploit. Good coding practices, such as verifying that submissions come from an authorized form and that they do not carry malicious code, can protect developers against this type of exploit.

We will be sending notice to the affected software vendors we have identified at this time; however, we currently have no plans to publish the names of specific applications until new releases or patches are available.
Michael

