LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Another good reason to disable JavaScript

Another good reason to disable JavaScript

Posted Sep 17, 2009 8:55 UTC (Thu) by anton (guest, #25547)
Parent article: All the malware that's fit to print

This article thoroughly debunks the claim that it's ok to enable JavaScript for trustworthy sites. I never bought that, because some black hat could break into the "trustworthy" site and then change the JavaScript to break into my system (through one of the many JavaScript vulnerabilities); but this article makes it clear that the black hats don't even need to break in, the "trustworthy" site actually includes their JavaScript voluntarily.

(Log in to post comments)

Another good reason to disable JavaScript

Posted Sep 17, 2009 16:22 UTC (Thu) by Cato (subscriber, #7643) [Link]

I doubt if the malware is actually hosted on the nytimes.com domain, so it's still somewhat safe to enable JavaScript for *.nytimes.com, I would hope. Running AdBlock is the other obvious way to stop this sort of attack - when combined with NoScript and FlashBlock, you are safe against a lot of the most obvious attacks.

Another good reason to disable JavaScript

Posted Sep 18, 2009 4:01 UTC (Fri) by njs (guest, #40338) [Link]

The malware itself is not hosted on nytimes.com, but the javascript that loads it is. A quick look at the current source for the nytimes.com frontpage shows what's clearly some code provided by a 3rd party and then pasted into the source. The one I see uses document.write to insert a <script> tag pointing at a 3rd party page, but it could just as well fetch the source code and call eval() to really get around any javascript security limitations.

Of course, they won't bother because malware writers are after the general population, and the general population doesn't write site-by-site javascript security rules. Of course, if you're willing to rely on that fact, then there's no much point in worrying in the first place, because the general population doesn't run Linux and most (though not all) malware that breaks security through technical means is going to rely on some windows-specific stack-smashing code.

Sort of fascinating actually how much info they include in the source, actually -- search for "ADXINFO".

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds