Stan Beer
Thursday, 15 June 2006 15:09
Business IT -
Security
The world's 200 million or so Yahoo email users can breathe a little easier today because the global internet company says it has plugged a potentially dangerous hole in its system that allowed a dangerous JavaScript worm to infect email users' computers.
The vulnerability enabled the worm, called Yamanner to infect a
computer and proliferate via its email address book to other Yahoo Mail
users merely by opening the email message.
Yamanner exploits a vulnerability that enables scripts embedded in HTML
e-mails to be run by the user's browser. Yahoo Mail normally blocks
JavaScript programs but there was one script it allowed which concerned
uploading images in emails to the server. Yamanner substituted its own
JavaScript code for the image handling script.
The Yahoo Mail vulnerability and its relation to JavaScript has raised
the issue over security related to the provision of web services that
use JavaScript.
Yahoo, Google and other companies have already released products to the
market based on the current web services technology flavour of the
month AJAX (Asynchronous JavaScript And XML). Google Calendar and
Google Spreadsheet are the latest examples. More such online web
services are in the pipeline. According to a report in Information
Week, the proliferation of AJAX in online applications could provide
fertile ground for hackers because a JavaScript application is very
difficult to protect.
For users interested in downloading the plethora of free online
applications now on offer from internet companies, the news that many
the applications may not be safe will be discomforting. The Yahoo
incident demonstrated that it is possible for hackers to replace a
resident JavaScript program with another malicious JavaScript program
which in turn can launch a rogue website. If nothing else, this could
well put a significant kink in the best laid plans of the providers of
web services.