Javascript hiding everywhere.
Frequent readers will know that we often recommend to ease up on allowing scripting as it's used by the bad guys. XSS bugs are basically so bad, not for the example <sc ript>alert('XSS')</sc ript> (spaces added for the overly paranoid web content filters) you might see, but for much nastier things starting with capturing your cookies (read credentials, session keys etc.). Keyloggers aren't impossible either and making you unknowingly upload files from your hard disk to malicious websites etc. is all quite possible in javascript.
And if you supposed it stops in your browser seeing javascript in HTML pages themselves, think again:
Quicktime
Apple software designers/coders must have thought it a cool idea to allow javascript inside a quicktime movie. Yep, a movie isn't just some moving images, but it can be just as well contain (malicious) code that will be executed by the movie viewer that gets embedded in the pages you show. Didier Stevens has a blog entry about it, explaining it in detail.
Flash
If you use flash, you already have cookies not just in your browser, but also in your flash player. You can see the settings of the flash player's use of such storage here: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html . Do take care fiddling with your settings, you can easily make flash not working all that well anymore if you do it a bit too much (speaking from experience here). That settings pane/web page doesn't seem to mention to the casual user that flash also supports javascript, nor that it has already been hit by XSS issues in the past: e.g. this August 2002 article is about one such problem.
Unfortunately PDF files aren't safe from allowing javascript and have had their share of problems with it as well.
MP3
Contains just music, right? Well many will be copyright lawsuits waiting to happen if you let the music industry, but yep they too can contain scripting. Granted you might need quicktime installed to get to it, but most iPod owners will have iTunes and that comes with Quicktime bundled into it ...
...
Unfortunately there are many more formats that allow remote code execution by allowing scripting or extensive macro languages.
If there's a lesson to be learned, it might well be that you need to continue to look out for scripting languages, cookies and more even hidden in places you might not expect them to creep into.
If you have good workable solutions to prevent scripting in all these media rich formats, let us know.
UPDATE:
I thought I had mentioned NoScript, but I seem to have managed to erase it during the final editing. That left the door open for getting a note from Giorgio about his plans with NoScript:
"NoScript - optionally blocks Flash and any other plugin content originated by non-whitelisted sites, just like it does with JavaScript. It's a bit more drastic than "blocking JavaScript inside", but fairly more secure (buffer overflows in media content parsing anyone?).
Also, the blocked object display area, if any, is replaced with a clickable placeholder: if you click it you're prompted you for convenient/hazardous on-the-fly temporary unblocking.
http://noscript.net/features#contentblocking"
MORE UPDATES:
Dan wrote in worried about javascript obfuscation that might be used inside these file formats. While attackers typically are lazy, they might well get to it at a point in the future if and when defenses and analysis evolves to easily detect this.
We've been pointed out where most of these exploits are available, but as a matter of policy, I don't point to exploits, nor do I try to give fame to those creating exploits. If you really need to e.g. create a signature, I'd suggest some light google-fu. The core of the message is to try to teach people not who exploited it first an how to replicate that, but that there is a problem with allowing javascript to be used in media rich content and (hopefully) point at some solutions to that problem.
--
Swa Frantzen -- NET2S
Comments