JAVA: new variation on a theme?

It seems that the idea of poisoning websites with Java scripts has taken a slightly new twist.

Quote:

---

Attackers have taken advantage of JavaScript before, but usually on individual sites. The search engine trick — which has been focused on Google, though it could work on Yahoo and MSN search engines — is new, Danchev says.

---

Apparently it works like this:

Quote:

---

The vulnerability occurs when someone does a Google search, then clicks on a result that has been secretly tainted by hackers. They will usually be taken to the Web page they expect. But at the same time, they are invisibly redirected to a computer server that installs a hidden program.

---

Article is here:

http://www.usatoday.com/tech/news/co...s_N.htm?csp=34

The worry here is that the targets seem to be large and reputable sites, that more security aware people would be tempted to allow in FireFox's "NoScipt" plugin, or put in the trusted zone of IE? :(

Still want to turn off UAC.....................assuming that would warn you?????

That almost sounds like a phishing issue: impostor sites loading malicious scripts.

Phishing taken to a new level?

edit -- Shane Macaulay got around UAC apparently running his javascript on Flash in Pwn2Own contest (I'm guessing UAC was enabled on that unit since that is the default). I suppose UAC is better than nothing, but I'd think the latest anti-phishing tech in a browser would be a good solution.

Maybe I am misunderstanding this brokencrow?

The way I read it is that reputable sites are being poisoned, so that when a search engine takes you there, you also make a connection to a hidden site that infects you?

You trust the site you want to visit, and are not aware of the "additional features" :eek:

I wonder how the code is getting in there though?

I see your point, nihil. When one visits any given website, one is
actually visiting a series of sites linked to that primary page. And
one of those linked sites is tainted. Ich verstehe.

How is the code getting in there? Google ads? :)

Why is the title of this JAVA:?

This is why I have JavaScript (and activeX, Java) disabled for all but my own sites.

Quote:

---

Why is the title of this JAVA:?

---

It isn't......................?????????????

:)

Obviously, if you are having problems with your browser, we would gladly try to help...................

Title of thread: JAVA: new variation on a theme?
Content of thread: JavaScript exploit

So? :)

On a related note, Google is now using javascript to add smells to webpages.

http://booksearch.blogspot.com/2008/...ls-better.html

Amazing, ain't it? :)