Javascript/AJAX/Worm Like Behavior

Published: 2006-06-13
Last Updated: 2006-06-13 09:27:19 UTC
by Michael Haisley (Version: 1)
We have seen the Yamanner worm spread through Yahoo's webmail over the past few days. The worm propagates without the user doing anything other than viewing a malicious email. To its credit, Yahoo had already fixed the exploit in its new beta client.

Software developers and webmasters alike should take this as a warning: new exploits will follow that use JavaScript and Ajax-style requests to spread. The current worm could readily be modified to spread across any system that fails to escape untrusted data before displaying it, because the injected script then runs in the viewer's browser with that user's session. Web developers should reexamine their code and make sure that display functions HTML-encode data from a foreign source rather than delivering potentially malicious markup to the browser.

After testing several popular web applications, we have found that several are in fact vulnerable to the very same type of exploit. Good coding practices protect against it: encode output so that user-supplied data is displayed as text and never interpreted as markup, verify that state-changing requests come from a form the application itself issued (for example, by checking a per-session token) rather than from an arbitrary script, and reject submissions that contain script or markup the application does not intend to render.

We will be notifying the affected software vendors we have identified so far; we do not currently plan to name specific applications until new releases or patches are available.