CERT warns of malicious code on Web sites

February 4, 2000
Web posted at: 9:51 a.m. EDT (0951 GMT)

by Ann Harrison

(IDG) -- Several computer security organizations Wednesday issued a joint warning about the spread of malicious software scripts that can be posted to a Web site without the operator's knowledge.

The programs are being distributed via special links embedded on sites, according to an advisory issued by the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University in Pittsburgh. They can allow a site to send bad data, unwanted pictures or scripts that may compromise or capture sensitive information such as users' passwords. And they can do those things without a company being aware that its site is posing security risks to others.

CERT says Web developers and users should be aware that the scripts can be used to expose restricted parts of an organization's local networks, such as their intranets, to attackers from the Internet.

"We haven't had any direct reports to CERT because it would be difficult to detect," said Bill Pollack, team leader for technical communication at CERT. "But we've been working to understand the problem and give people information as a proactive measure to mitigate the risk."

The U.S. Defense Department's Joint Task Force for Computer Network Defense, the Federal Computer Incident Response Capability and the National Infrastructure Protection Center (NIPC) joined CERT in issuing today's warning.

The advisory notes that potential attackers can exploit flaws in the way data enters and leaves a Web site, and it urges that data be validated to ensure that no "unintended" characters are sent back to the client.

This is a relatively unusual warning from CERT, which generally focuses on distributing information about widely known security vulnerabilities.

CERT has posted two documents describing short-term solutions. The first document, "Understanding Malicious Content Mitigation for Web Developers," provides a technical overview of the problem and describes steps that Web developers can take to protect their Web pages from being used by developers of malicious scripts.

These steps include recoding dynamically generated Web pages to validate output so data can be filtered before the page goes to a user's browser. Web developers can also filter incoming data that dynamically generates content, including Web addresses, elements from forms, cookies and database queries.
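The two steps described above, sketched as an added example that is not taken from the CERT documents or the article: untrusted values from a Web address, a form, a cookie and a database row are encoded on output, and one field is checked against an allow-list on input. The function names, the `NAME_OK` policy and all sample values are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Assumption: a conservative allow-list for a "name" field (hypothetical policy).
NAME_OK = re.compile(r"[A-Za-z0-9 _.-]{1,40}")


def collect_sources():
    """Constructed sample inputs, one per source the article lists."""
    query = parse_qs("q=%3Cscript%3Edemo()%3C%2Fscript%3E")["q"][0]
    return {
        "url": query,                      # Web address parameter
        "form": 'Ann "<i>H</i>"',          # form element
        "cookie": "theme=<b>dark</b>",     # cookie value
        "database": "Alice & Bob",         # value read back from storage
    }


def filter_input(value, pattern=NAME_OK):
    """Input side: accept only values that match the allow-list, else None."""
    return value if pattern.fullmatch(value) else None


def render_unsafe(sources):
    """The flaw: dynamic data is copied into the page unchanged."""
    return "".join(f"<li>{k}: {v}</li>" for k, v in sources.items())


def render_encoded(sources):
    """Output side: encode every dynamic value just before it is sent,
    so markup characters reach the browser as text, not as tags."""
    return "".join(
        f"<li>{html.escape(k)}: {html.escape(v, quote=True)}</li>"
        for k, v in sources.items()
    )


if __name__ == "__main__":
    data = collect_sources()
    print("unsafe :", render_unsafe(data))
    print("encoded:", render_encoded(data))
    for source, value in data.items():
        print(source, "accepted" if filter_input(value) else "rejected")
```

Encoding on output covers values that arrived through a path the input filter never saw, such as the database row here, which is why the two steps are used together.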

A second document, "FAQ (frequently asked questions) About Malicious Web Scripts Redirected by Web Sites," provides information for general Web users. It includes step-by-step instructions for shutting off options in the Web browser that allow malicious scripts to run. The steps include turning off Java, JavaScript and ActiveX.

"While the short-term solutions may not be optimal, they are steps that Web-page developers and Web users can take immediately if they wish to protect their Web pages and themselves," according to the advisory. CERT said it's working with technology vendors on more comprehensive long-term solutions.
