From Computerworld

CERT warns of malicious code on Web sites

February 4, 2000
Web posted at: 9:51 a.m. EDT (0951 GMT)

by Ann Harrison

(IDG) -- Several computer security organizations Wednesday issued a joint warning about the spread of malicious software scripts that can be posted to a Web site without the operator's knowledge.

The programs are being distributed via special links embedded on sites, according to an advisory issued by the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University in Pittsburgh. They can allow a site to send bad data, unwanted pictures or scripts that may compromise or capture sensitive information such as users' passwords. And they can do those things without a company being aware that its site is posing security risks to others.

CERT says Web developers and users should be aware that the scripts can be used to expose restricted parts of an organization's local networks, such as their intranets, to attackers from the Internet.

"We haven't had any direct reports to CERT because it would be difficult to detect," said Bill Pollack, team leader for technical communication at CERT. "But we've been working to understand the problem and give people information as a proactive measure to mitigate the risk."

The U.S. Defense Department's Joint Task Force for Computer Network Defense, the Federal Computer Incident Response Capability and the National Infrastructure Protection Center (NIPC) joined CERT in issuing today's warning.

The advisory notes that potential attackers can exploit flaws in the way data enters and leaves a Web site, and it urges that data be validated to ensure that no "unintended" characters are sent back to the client.

This is a relatively unusual warning from CERT, which generally focuses on distributing information about widely known security vulnerabilities.

CERT has posted two documents describing short-term solutions. The first document, "Understanding Malicious Content Mitigation for Web Developers," provides a technical overview of the problem and describes steps that Web developers can take to protect their Web pages from being used by developers of malicious scripts.

These steps include recoding dynamically generated Web pages to validate output so data can be filtered before the page goes to a user's browser. Web developers can also filter incoming data that dynamically generates content, including Web addresses, elements from forms, cookies and database queries.
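The two steps described above, filtering incoming data and encoding output before the page reaches the browser, are sketched in the following added example; it is not code from the CERT documents or from the article. The search page, its `q` and `page` parameters, the `theme` cookie and all function names are hypothetical.

```javascript
// Added example: filter input and encode output for a dynamically generated page.
// All names here (renderSearchPage, q, page, theme) are hypothetical.

// Characters that have special meaning in HTML text and quoted attributes.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output step: encode untrusted data so the browser renders it as text, not markup.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Input step (URL parameter): accept only a short run of digits, else fall back to 1.
function filterPage(raw) {
  return typeof raw === 'string' && /^\d{1,4}$/.test(raw) ? Number(raw) : 1;
}

// Input step (cookie): accept only values from a fixed allow-list.
const THEMES = new Set(['light', 'dark']);
function filterTheme(raw) {
  return THEMES.has(raw) ? raw : 'light';
}

// Before: request data is copied into the page unchanged.
function renderSearchPageUnsafe(req) {
  return `<body class="${req.cookies.theme}"><p>Results for "${req.query.q}" ` +
         `(page ${req.query.page})</p></body>`;
}

// After: structured fields are filtered, free text is encoded on output.
function renderSearchPage(req) {
  const page = filterPage(req.query.page);
  const theme = filterTheme(req.cookies.theme);
  const q = encodeHtml(req.query.q ?? '');
  return `<body class="${theme}"><p>Results for "${q}" (page ${page})</p></body>`;
}

// Constructed sample request carrying markup in every client-controlled field.
const sampleRequest = {
  query: { q: '<script>alert(1)</script>', page: '2<b>' },
  cookies: { theme: '"><img src=x>' },
};

console.log(renderSearchPageUnsafe(sampleRequest)); // markup reaches the browser intact
console.log(renderSearchPage(sampleRequest));       // markup is neutralized
```

Free-text fields such as the search term cannot be restricted to an allow-list, which is why the output encoding step is needed in addition to the input filters.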

A second document, "FAQ (frequently asked questions) About Malicious Web Scripts Redirected by Web Sites," provides information for general Web users. It includes step-by-step instructions for shutting off options in the Web browser that allow malicious scripts to run. The steps include turning off Java, JavaScript and ActiveX.

"While the short-term solutions may not be optimal, they are steps that Web-page developers and Web users can take immediately if they wish to protect their Web pages and themselves," according to the advisory. CERT said it's working with technology vendors on more comprehensive long-term solutions.


RELATED SITES:
CERT advisory: Malicious HTML Tags Embedded in Client Web Requests
Understanding Malicious Content Mitigation for Web Developers
FAQ About Malicious Web Scripts Redirected by Web Sites
Computer Emergency Response Team (CERT)