SANS ISC: InfoSec Handlers Diary Blog

onUnload()

Published: 2007-02-26
Last Updated: 2007-02-26 23:25:38 UTC
by Swa Frantzen (Version: 3)
What happens when an adept of the dark side of the force looks at the documentation on JavaScript's onUnload() function?

Take a look for yourself and come back, we won't go anywhere:
So here is something that gets called no matter how the user tries to get away from a web page: following a link, typing a new address, hitting Back, or closing the window. Imagine what pages you might want to get away from ...

As the MSDN article says, adding a window.open() call to such a routine becomes a nightmare for the visitor, who will never manage to get away on his or her own: every attempt to leave spawns a new window. Pop-up blockers should, if all goes right, detect and prevent that one case. But it gets worse: how about "location = self.location;"? Every attempt to leave navigates the browser straight back to the page it was leaving, so the visitor doesn't go away at all.
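Both traps are easy to spot statically as long as the handler is written in the clear. The scanner below is an added example written for this diary, not code from the ISC post or from any browser vendor; the handler-extraction regexes, the trap patterns and the four sample pages are all constructed here. It pulls unload and beforeunload handlers out of an HTML document (inline attributes, window.onunload = function assignments and addEventListener registrations) and flags any handler body that calls window.open() or reassigns location, which is exactly the pair of tricks described above.

```javascript
// Heuristic scanner for "unload traps": unload/beforeunload handlers that call
// window.open() or reassign location so the visitor cannot leave the page.
// Added example for the diary above, not code from the ISC post or from any
// browser vendor; the regexes and the sample pages below are constructed here.

// 1. Where an unload handler can be registered.
// Inline attribute: <body onunload="..."> or <body onbeforeunload='...'>
const ATTR_HANDLER = /\bon(before)?unload\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
// Property assignment in a script: window.onunload = function () { ... }
const PROP_HANDLER = /\bon(before)?unload\s*=\s*function\s*\([^)]*\)\s*\{([^}]*)\}/gi;
// addEventListener('unload', function () { ... }) or ('beforeunload', () => { ... })
const LISTENER_HANDLER =
  /addEventListener\s*\(\s*['"](before)?unload['"]\s*,\s*(?:function\s*\([^)]*\)|\([^)]*\))\s*(?:=>\s*)?\{([^}]*)\}/gi;

// 2. What a trapping handler typically does. Each pattern is tested against the
// handler body only, so the same calls elsewhere on the page are not flagged.
const TRAP_PATTERNS = [
  // window.open(): the MSDN warning, a fresh window on every attempt to leave
  { id: 'window.open', re: /\b(?:window|self|top)\.open\s*\(|(?<![\w.])open\s*\(/ },
  // location = self.location (or location.href = ...): navigate straight back
  { id: 'location-reassign', re: /\b(?:window\.|self\.|top\.|document\.)?location(?:\.href)?\s*=(?!=)/ },
  // location.reload()/replace()/assign() achieve the same thing
  { id: 'location-method', re: /\blocation\.(?:reload|replace|assign)\s*\(/ },
  // history.go(0)/back()/forward() as yet another way to re-enter the page
  { id: 'history-navigation', re: /\bhistory\.(?:go|back|forward)\s*\(/ },
];

// Return every unload/beforeunload handler body found in the HTML, with a note
// on how it was registered. Nested braces inside a function body are not
// tracked; this is a triage heuristic, not a JavaScript parser.
function extractUnloadHandlers(html) {
  const handlers = [];
  for (const m of html.matchAll(ATTR_HANDLER)) {
    const body = m[2] !== undefined ? m[2] : m[3];
    handlers.push({ event: m[1] ? 'beforeunload' : 'unload', via: 'attribute', body });
  }
  for (const m of html.matchAll(PROP_HANDLER)) {
    handlers.push({ event: m[1] ? 'beforeunload' : 'unload', via: 'property', body: m[2] });
  }
  for (const m of html.matchAll(LISTENER_HANDLER)) {
    handlers.push({ event: m[1] ? 'beforeunload' : 'unload', via: 'addEventListener', body: m[2] });
  }
  return handlers;
}

// Cross every extracted handler with the trap patterns; one finding per hit.
function scanForUnloadTraps(html) {
  const findings = [];
  for (const h of extractUnloadHandlers(html)) {
    for (const p of TRAP_PATTERNS) {
      if (p.re.test(h.body)) {
        findings.push({ event: h.event, via: h.via, pattern: p.id, snippet: h.body.trim() });
      }
    }
  }
  return findings;
}

// Summarise a set of named pages as { name: [pattern ids] }.
function scanPages(pages) {
  const report = {};
  for (const [name, html] of Object.entries(pages)) {
    report[name] = scanForUnloadTraps(html).map((f) => f.pattern);
  }
  return report;
}

// Constructed sample pages (not captured from any real site).
const SAMPLE_PAGES = {
  // The diary's second trick: reassigning location inside onUnload.
  locationTrap: `<html><body onunload="location = self.location;">
    <h1>Congratulations, you won!</h1></body></html>`,
  // The MSDN warning: a new window every time the user tries to leave.
  popupTrap: `<html><head><script>
    window.onunload = function () { window.open('http://example.com/again'); };
    </script></head><body>Loading...</body></html>`,
  // Same trick registered with addEventListener on the beforeunload event.
  listenerTrap: `<html><head><script>
    window.addEventListener('beforeunload', () => { location.href = location.href; });
    </script></head><body></body></html>`,
  // Legitimate use of onunload: flush telemetry, no navigation or popup calls.
  benign: `<html><body onunload="sendStats()"><script>
    function sendStats() { navigator.sendBeacon('/stats', 'bye'); }
    </script></body></html>`,
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanPages(SAMPLE_PAGES), null, 2));
}
```

This is something to run on a proxy or mail gateway, not a fix for the browser: a handler assembled with eval() or string concatenation, or one that only arms itself after a setTimeout(), slips straight past it. The real mitigation is the browser refusing to honour navigations and window.open() calls made from unload handlers, which is the direction browsers have since taken; the scanner merely tells you which pages would have needed it.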

Is there anything new to this? Not as such; it has been known for years and was discussed, for example, on the Full-Disclosure mailing list in August 2005.

One would assume that open discussion of such a function, where it is being labeled as potentially evil, would cause security-conscious developers to take note of such a dangerous function and severely limit its possibilities, or better yet get rid of it altogether.

Yet there seems to have been no such luck. Worse, there seems to have been renewed attention from those using the dark side, as evidenced by these recent reactions:

MSIE 7: CVE-2007-1091 (MITRE, NIST)
"Microsoft Internet Explorer 7 allows remote attackers to prevent users from leaving a site, spoof the address bar, and conduct phishing and other attacks via onUnload Javascript handlers. "

We've hence updated the table tracking the known vulnerabilities in Microsoft products.
Firefox: US-CERT Vulnerability Note VU#393921
"Mozilla Firefox fails to properly handle JavaScript onUnload events. Specifically, Firefox may not correctly handle freed data structures modified in the onUnload event handler possibly leading to memory corruption. By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user."
Firefox seems to have fixed it in versions 2.0.0.2 and 1.5.0.10.
Personally, I have a hard time seeing how supporting onUnload() matches statements such as:
"Put safety first.
Robust new Internet Explorer 7 architecture and improved security features help protect you against malicious software, and help to keep your personal data safe from fraudulent websites and online phishing scams." (taken from http://www.microsoft.com/windows/products/winfamily/ie/default.mspx )
Firefox has a "security is important" statement just as well.

Best course of action: disable scripting, but most of you can't or don't want to do that. The second-best alternative might be to use an extension such as NoScript in Firefox, which allows more selective control over who gets to do remote code execution in your browser. Yes, that is what allowing Java, VBScript and JavaScript basically is: allowing random websites to hand your browser code to execute ...

--
Swa Frantzen -- NET2S

It's 10 p.m. Do you know where your children are?

Published: 2007-02-26
Last Updated: 2007-02-26 22:30:28 UTC
by Lorna Hutcheson (Version: 1)
Some of you may or may not remember that question. It started in the 60s and was asked right before the nightly 10pm news. Many parents are now very aware of the need to know where their children are and would answer without hesitation. We have learned the importance of knowing where our children are and who they are with. However, many times, parents fail to realize that even though their kids are physically at home, they may be socializing with others on the internet and the parents do not even know it.

Being a parent, one of my kids wanted to get one of the latest toys that seems to be the rage right now. Some of you may or may not already have had the grand privilege of buying one of these. They are called "Webkinz". You buy a pet that looks like a beanie baby and with this pet comes a code. When your child visits the Webkinz website, they register and the code lets them adopt their pet in a virtual world. I had spoken to another mother about them and she was telling me how great they were and how nice it was for her daughter to be able to be on the internet and in a safe environment.

So, I get my kids one of these new toys and I told them I wanted to check the site out first. I register one of my kids and it asked me for a first name, birthdate, city and state. Then it asks for a username (and reminds kids NOT to use their real name). It also asks that kids under 9 have an adult help them. Now I'm in Webkinz world. Your child has to take care of their pet and earn "Webkinz cash" to do this. I explored the site in detail. I did find one area that disturbed me. My 6 year old knew the feature was there and was looking for it. There is a "phone" on the website that you can power on. This phone is a special chat utility that lists your friends and allows you to talk with them. That bothered me, so I started looking at it closer. With the phone, you can add your friends if you know their user name. Not too bad at this point. Then I decided to play in the "tournament arena" area. You wait until an opponent has been found and then you are ready to play. My child is 6 and I'm not a terrible game player, but I got killed at this particular mindless game. Immediately after losing, a request appeared from the person I was playing asking to be added to my child's "friends" list. After some research, I found the chats are restricted on what can be entered in them and this one appears to be well thought out.

My thoughts immediately went back to my friend who thought her daughter was on a "safe" site. When I asked her about the chat capability, she had NO idea it was there. She had logged on with her child, but did not know the extent of the website and its capabilities. As parents, we can no longer assume something is safe on the internet. Our kids are taught to never talk to a stranger in person, but most of them don't see the harm via the internet. In this case, the parent didn't even realize it was a possibility. It took me a full day to explore all the options on this website.

Please understand that I am NOT bashing Webkinz. My kids love the site, but now they have limits. I have their user names and passwords and I can log on and check if they have added any "friends". They are not allowed to do so without permission. They are also not allowed to chat with any users they do not know nor accept any invitation to be added to a "friends" list.

Times have really changed, and instead of just having to worry about where your kids are physically and who they are talking to, parents now have to be concerned about where they are in the cyber world and who they are talking to. We can't afford to make the assumption that the sites they are visiting are safe. The internet never closes. Maybe the original question needs to be modified to say: "It's 10 P.M. Do you know where your children are, both physically and on the internet?"