"Malicious software scripts that can be posted to a Web site without the operator's
CERT puts out malicious scripts alert
By Ann Harrison, Computerworld
February 2, 2000 3:55 pm PT
SEVERAL COMPUTER security organizations on Wednesday issued a joint warning about the spread of malicious software
scripts that can be posted to a Web site without the operator's knowledge.
The programs are being distributed via special links embedded on sites, according to an advisory issued by the
Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University, in Pittsburgh. They can allow a
site to send bad data, unwanted pictures, or scripts that may compromise security or capture sensitive information such as
user's passwords. And they can do those things without a company being aware that its site is posing security risks to others.
says Web developers and users should be aware that the scripts can be used to expose restricted parts of an organization's
local networks, such as their intranets, to attackers from the Internet.
"We haven't had any direct reports to CERT
because it would be difficult to detect," said Bill Pollack, team leader for technical communication at CERT. "But we've been
working to understand the problem and give people information as a proactive measure to mitigate the risk."
Defense Department's Joint Task Force for Computer Network Defense, the Federal Computer Incident Response Capability, and
the National Infrastructure Protection Center (NIPC) joined CERT in issuing Wednesday's warning.
The advisory notes
that potential attackers can exploit flaws in the way data enters and leaves a Web site and it urges that data be validated
to ensure that no "unintended" characters are sent back to the client.
This is a relatively unusual warning from CERT,
which generally focuses on distributing information about widely known security vulnerabilities.
CERT has posted two
documents describing short-term solutions. The first document, "Understanding Malicious Content Mitigation for Web Developers",
provides a technical overview of the problem and describes steps that Web developers can take to protect their Web pages from
being used by developers of malicious scripts.
These steps include re-coding dynamically generated Web pages to validate
output so data can be filtered before the page goes to a user's browser. Web developers can also filter incoming data that
dynamically generates content, including Web addresses, elements from forms, cookies, and database queries.
document, "FAQ [frequently asked questions] About Malicious Web Scripts Redirected by Web Sites", provides information for
general Web users. It includes step-by-step instructions for shutting off options in the Web browser that allow malicious
"While the short-term solutions may not
be optimal, they are steps that Web-page developers and Web users can take immediately if they wish to protect their Web pages
and themselves," according to the advisory. CERT is working with technology vendors on more comprehensive long-term solutions.
For more enterprise computing news, go to www.computerworld.com. Copyright (c) 2000 Computerworld Inc. All rights reserved.
RUN TESTS FOR MALICIOUS SCRIPTS/CODE