ad info
   personal technology

 Headline News brief
 news quiz
 daily almanac

 video archive
 multimedia showcase
 more services

Subscribe to one of our news e-mail lists.
Enter your address:
Get a free e-mail account

 message boards

CNN Websites
 En Español
 Em Português


Networks image
 more networks

 ad info




CERT warns of malicious code on Web sites


February 4, 2000
Web posted at: 9:51 a.m. EDT (0951 GMT)

by Ann Harrison

(IDG) -- Several computer security organizations Wednesday issued a joint warning about the spread of malicious software scripts that can be posted to a Web site without the operator's knowledge.

The programs are being distributed via special links embedded on sites, according to an advisory issued by the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University in Pittsburgh. They can allow a site to send bad data, unwanted pictures or scripts that may compromise or capture sensitive information such as user's passwords. And they can do those things without a company being aware that its site is posing security risks to others.

CERT says Web developers and users should be aware that the scripts can be used to expose restricted parts of an organization's local networks, such as their intranets, to attackers from the Internet.

"We haven't had any direct reports to CERT because it would be difficult to detect," said Bill Pollack, team leader for technical communication at CERT. "But we've been working to understand the problem and give people information as a proactive measure to mitigate the risk."

The U.S. Defense Department's Joint Task Force for Computer Network Defense, the Federal Computer Incident Response Capability and the National Infrastructure Protection Center (NIPC) joined CERT in issuing today's warning.

  Diary of a hack attack
  The Web is a hacker's playground
  New dictionary defines cyber-threats
  Hacker lessons
  Reviews & in-depth info at
  Year 2000 World
  Questions about computers? Let's editors help you
  Subscribe to's free daily newsletter for IT leaders
  Search in 12 languages
  News Radio
  * Fusion audio primers
  * Computerworld Minute

The advisory notes that potential attackers can exploit flaws in the way data enters and leaves a Web site and it urges that data be validated to ensure that no "unintended" characters are sent back to the client.

This is a relatively unusual warning from CERT, which generally focuses on distributing information about widely known security vulnerabilities.

CERT has posted two documents describing short-term solutions. The first document, "Understanding Malicious Content Mitigation for Web Developers," provides a technical overview of the problem and describes steps that Web developers can take to protect their Web pages from being used by developers of malicious scripts.

These steps include recoding dynamically generated Web pages to validate output so data can be filtered before the page goes to a user's browser. Web developers can also filter incoming data that dynamically generates content, including Web addresses, elements from forms, cookies and database queries.

A second document, "FAQ (frequently asked questions) About Malicious Web Scripts Redirected by Web Sites," provides information for general Web users. It includes step-by-step instructions for shutting off options in the Web browser that allow malicious scripts to run. The steps include turning off Java, JavaScript and ActiveX.

"While the short-term solutions may not be optimal, they are steps that Web-page developers and Web users can take immediately if they wish to protect their Web pages and themselves," according to the advisory. CERT said it's working with technology vendors on more comprehensive long-term solutions.

Meet the kid behind the DVD hack
January 31, 2000
Legendary computer hacker released from prison
January 21, 2000
Large-scale phone invasion goes unnoticed by all but FBI
December 14, 1999
Protection against IE holes may create more problems than solutions
November 23, 1999
Known vulnerabilities are No. 1 hack exploit
December 17, 1999

CERT warns of networked denial of service attacks
New dictionary defines cyber-threats
10 ways to avoid password oppression
(PC World Online)
To secure your PC, arm yourself with security alerts
The Web is a hacker's playground
(PC World Online)
Diary of a hack attack
(Network World Fusion)
Read an e-mail, lose your privacy
Hacker lessons
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

CERT advisory: Malicious HTML Tags Embedded in Client Web Requests
Understanding Malicious Content Mitigation for Web Developers
FAQ About Malicious Web Scripts Redirected by Web Sites
Computer Emergency Response Team (CERT)
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.
Enter keyword(s)   go    help

Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.