Security Now 221

From The Official TWiT Wiki
Security Now
Episode 221

Security Now 221: JavaScript: The Elephant In Your Browser

News & Errata

06:40 - 18:00

  • Firefox had an update last week which fixed:
    • A problem where a user's form history could be stolen
    • A crash with recursive web-worker calls
    • A crash in proxy auto-configuration regular expression parsing
    • A heap buffer overflow in the GIF color map parser
    • A chrome privilege escalation bug (Firefox's privileged "chrome" UI layer, not the Google browser)
    • A heap buffer overflow in string-to-number conversion
    • A cross-origin data theft problem through document.getSelection()
    • A download filename spoofing problem using the RTL override character
    • Memory safety bugs
    • Crashes with evidence of memory corruption
  • Firefox 3 will no longer be supported after January 2010

18:01 - 18:25

  • Opera has been updated to version 10.01

18:26 - 22:43

  • Scientists from Wake Forest University and the Pacific Northwest National Laboratory have created an army of digital ants and their superior officers, digital sergeants and sentinels, to search out viruses, worms and other malware.

25:15 - 27:50

  • Adobe updater installed a demo of 'Natural Reader' on Steve's computer without asking and with no apparent way of removing it

SpinRite Story

27:51 - 28:58 Martin (Unknown)

A listener's print server started acting funny and, after he rebooted it, it wouldn't boot into Windows. He ran SpinRite on it and it fixed the problem.

JavaScript Security

30:00 - 01:18:20

30:00 - 43:53

35:20 - 43:54

  • JavaScript security started in 1995 with the early Netscape versions.
  • At that time there were two big concerns:
    • A worry that a malicious website might attack your computer.
    • A concern that one website could interact with another.
  • John thinks the second concern is the more important one today.
  • When a website pulls in pieces of code from lots of different websites, the browser puts them all together in one context: the scripts can interact with each other, call each other's functions and look at each other's variables.
  • So if you were able to compromise one of those scripts, you could take over the whole page.
  • If a script has been compromised and you are loading the website over HTTPS:
    • In Internet Explorer you are asked whether you want to continue.
    • In Firefox and Safari the page will not load.

43:55 - 47:00

  • The use of JavaScript made a Twitter exploit possible.
  • JSON (JavaScript Object Notation) is data written in the syntax of a JavaScript object or array literal.
  • The browser goes and downloads it so that some other piece of JavaScript can use it to display something on the screen.
  • The JSON object isn't JavaScript code itself that you could actually look at.
  • So nobody should have been able to get it.
  • But when it got loaded by our script tag, because it was actually JavaScript, it got loaded into the same context as any other JavaScript that was loaded.
  • Now it had no name, so you couldn't, in the language, go and poke at it and say "give me the list."
  • So it looked like it was safe to do this.
  • But it turns out in JavaScript, because of the incredible flexibility they built in, it's possible to actually redefine the object constructor.
  • In an object-oriented system, you have something which says "I'm making a new object," and at that point sets up memory and things like that.
  • Well, it turns out that JavaScript has this special thing called a "prototype."
  • And you can go into this prototype thing and actually redefine things which many people would think are inherently not changeable.
  • And one of the things you could redefine was what we call the "setter," which is the thing that actually sets the values that go into this object.
  • And what it was possible to do, if you redefined the setter for the global object, then when this Twitter status thing got loaded, even though it had no name and was essentially anonymous, it had to get constructed and set.
  • And in that moment you could grab its contents.
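The attack described above is what is now called JSON hijacking. The following is an added example (not from the episode or from Twitter's code) that simulates it in Node: a private JSON array is "loaded" cross-site as a script, an inherited setter on Object.prototype is installed to catch the values, and then two server-side fixes are applied. The sample status data and the `)]}',` prefix (the one Google's APIs use) are assumptions made for the example; `new Function()` stands in for the browser's `<script src>` parse-and-run step.

```javascript
// Added example: JSON hijacking via a cross-site <script src> load, and the
// response changes that defeat it. The "private API" data below is constructed.
const privateResponse = JSON.stringify([
  { user: "alice", text: "hello world" },
  { user: "bob", text: "lunch at noon" },
]);

// A <script src="https://victim-api/statuses"> on the attacker's page is fetched
// with the victim's cookies and evaluated as JavaScript. new Function() stands in
// for that parse-and-run step (the body runs in global scope, like a script tag).
function loadAsScript(body) {
  try {
    new Function(body)();
    return { executed: true, error: null };
  } catch (e) {
    return { executed: false, error: e.constructor.name };
  }
}

// Install an inherited setter for "text" on Object.prototype, run fn, remove the
// hook, and return whatever the setter saw. This is the prototype trick from
// the episode: every object that gets a "text" value passes it to our function.
function withTextHook(fn) {
  const leaked = [];
  Object.defineProperty(Object.prototype, "text", {
    configurable: true,
    set(value) { leaked.push(value); },
  });
  try { fn(); } finally { delete Object.prototype.text; }
  return leaked;
}

// The 2006-era attack: load the bare JSON array as a script while the hook is
// installed. In ES3 engines object literals went through [[Put]], so the setter
// fired once per status and leaked its text. ES5+ engines (Node, any current
// browser) define literal properties directly, so the hook sees nothing here.
function hijackViaLiteral(body) {
  return withTextHook(() => loadAsScript(body));
}

// The same hook against a plain assignment, which still routes through
// inherited setters today: this is the path the old literal syntax shared.
function hijackViaAssignment(text) {
  return withTextHook(() => { const o = {}; o.text = text; });
}

// Defense 1: make the response unparseable as a script but trivial for the
// legitimate client, which strips the prefix before JSON.parse. A <script> load
// dies with a SyntaxError before any object exists, so no hook can fire.
const ANTI_HIJACK_PREFIX = ")]}',\n";   // assumption: same prefix Google's APIs use

function protect(json) {
  return ANTI_HIJACK_PREFIX + json;
}

function clientParse(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) throw new Error("missing anti-hijack prefix");
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Defense 2: return a top-level object instead of an array. `{"d": [...]}` as a
// script is a block statement, and a string literal followed by ':' inside a
// block is a SyntaxError, so the response cannot run at all.
function wrapInObject(json) {
  return '{"d":' + json + "}";
}
```

Note that the bare array still executes cleanly as a script (`loadAsScript(privateResponse).executed` is `true`); that is the whole precondition of the attack, and the reason the fix belongs on the server response rather than in the page. Both prefixing and object-wrapping are still worth applying, since they also cover older engines and future constructor tricks.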

47:01 - 52:40

  • There is a way in JavaScript to completely contain your functions and variables, which is to use a closure.
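To show what "contain your functions and variables" buys you, here is an added example (not from the episode) of the same small "status poster" shipped into a page two ways, with two hostile third-party scripts on the same page trying to read its token and wrap its function. The widget names, the token value and the message are constructed; `globalThis` stands in for the page's `window`.

```javascript
// Added example: globals live in the page's shared script context; a closure
// does not. The token is a constructed sample, not a real credential.
const TOKEN = "tok-constructed-example";

// Version 1: leaky. Every name lands on the global object, so any other script
// on the same page can read the token and replace the function.
function installLeakyWidget() {
  globalThis.apiToken = TOKEN;
  globalThis.postStatus = function (text) {
    return { auth: globalThis.apiToken, body: text };
  };
}

// Version 2: contained. The token is a local of an immediately-invoked function;
// only the frozen object it returns is reachable, and its method can't be swapped.
function installClosureWidget() {
  globalThis.statusWidget = (function () {
    const apiToken = TOKEN;                       // not a property of anything
    function post(text) { return { auth: apiToken, body: text }; }
    return Object.freeze({ post });
  })();
}

// Hostile script A: look for the secret by name in the shared context.
function snoopForToken() {
  if (typeof globalThis.apiToken === "string") return globalThis.apiToken;
  const w = globalThis.statusWidget;
  return w ? w.apiToken : undefined;              // closure locals aren't properties
}

// Hostile script B: wrap whatever function it can find so it sees every
// message before the real code does.
function hookPoster() {
  const seen = [];
  if (typeof globalThis.postStatus === "function") {
    const real = globalThis.postStatus;
    globalThis.postStatus = function (text) { seen.push(text); return real(text); };
  }
  if (globalThis.statusWidget) {
    try {
      globalThis.statusWidget.post = function (text) { seen.push(text); };
    } catch (e) { /* frozen: TypeError in strict mode, silent no-op otherwise */ }
  }
  return seen;
}

function cleanup() {
  delete globalThis.apiToken;
  delete globalThis.postStatus;
  delete globalThis.statusWidget;
}

// Run both scenarios and report what the hostile scripts managed to get.
function runScenarios() {
  cleanup();
  installLeakyWidget();
  const leakyToken = snoopForToken();
  const leakyMessages = hookPoster();
  globalThis.postStatus("hello");                 // app code calls the wrapped global

  cleanup();
  installClosureWidget();
  const closureToken = snoopForToken();
  const closureMessages = hookPoster();
  const result = globalThis.statusWidget.post("hello");   // still the original post()
  cleanup();

  return {
    leakyToken,                                   // "tok-constructed-example"
    leakyMessages,                                // ["hello"]
    closureToken,                                 // undefined
    closureMessages,                              // []
    closureAuthIntact: result.auth === TOKEN,     // true
  };
}
```

The caveat a practitioner should keep in mind: the closure hides data and the frozen export resists method replacement, but a hostile script in the same context can still replace `globalThis.statusWidget` wholesale or hook lower layers such as `XMLHttpRequest`. Closures limit accidental and casual exposure; they do not make a page safe against a fully compromised third-party script, which is the shared-context problem the episode is about.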

52:41 - 01:05:34

  • There is a technology called ADsafe, which statically examines a piece of JavaScript that you're going to use in an ad and enforces certain restrictions so it can't do lots of malicious things.
  • There is also Caja, which is again a safe subset of JavaScript.
  • Back in the Netscape 3.0 days there was talk about signing JavaScript scripts, but it hasn't gone anywhere.
  • Another threat is where someone inserts their own JavaScript into a page and then, when people visit the page, it executes in their browser.
  • JavaScript's sandbox has turned out to be pretty good.

01:05:35 - 01:18:20

  • Steve and John recommend using NoScript in Firefox.
  • User clicks with a mouse and 'JavaScript clicks' are seen as the same thing.


Go To Assist


  • Astaro
  • Ad Time: 00:35-00:46 and 22:41-25:04


  • Audible
  • Ad Time: 01:03-01:12 and 01:05:35-01:08:26


More Information Than You Require by John Hodgman (Unabridged)
Narrated by John Hodgman, Dick Cavett, Jonathan Coulton, Zach Galifianakis, Ricky Gervais, Ira Glass, Robin Goldwasser, Rachel Maddow

Production Information

  • Edited by: Tony