[Eug-lug] How secure is Javascript?
M. Bitner
moexu13 at gmail.com
Thu Jul 10 09:05:58 PDT 2008
It might have been IE only, I'm not sure. I don't work in the same
place but I can try and find out some more details from my former
colleague.
On Wed, Jul 9, 2008 at 10:47 PM, Neil Parker <nparker at lyl.llx.com> wrote:
> Another thing worth remembering is that just as Javascript itself differs
> quite a bit from browser to browser, so do its security issues. A
> feature (?) that makes it possible to write a port scanner in one
> browser might not exist at all in another browser.
>
> Traditionally Internet Explorer has been considered the worst offender
> security-wise. In part this is because it lets you say "x = new
> ActiveXObject(...)", which sometimes makes it possible for Javascript to
> invoke components that were never intended to be used by a web browser.
> (Remember last year's Month of Browser Bugs? Most of the IE bugs on that
> list revolved around ActiveXObject.)
>
> ActiveXObject, and its security implications, are completely absent in
> Firefox. Not that Firefox has been free of Javascript security holes,
> though...as it evolved from 2.0 to 2.0.0.15, many of the updates
> included patches for Javascript security holes. Several of these involved
> ways for Javascript to elevate its permissions from content (highly
> restricted) to chrome (unrestricted, with full access to your filesystem
> and the network).
>
>
> I'd be highly interested to learn how that port scanner worked. Did it
> depend on one particular browser?
>
> - Neil Parker
> _______________________________________________
> EUGLUG mailing list
> euglug at euglug.org
> http://www.euglug.org/mailman/listinfo/euglug
>