How It Came to Be

By Lisa Vaas  |  Posted 2007-04-02

According to Fortify's paper, applications may be vulnerable if they use JavaScript as a data transfer format and if they handle confidential data.
Nobody knows if this vulnerability is currently being used to steal data. That's because if somebody were using it for thievery, it would be undetectable, Chess said: "It very well could be being exploited right now and we wouldn't know it."
As far as how to fix it goes, Fortify's paper gets into the details. In many cases it would take as few as a dozen lines of code.
What's of added interest, Chess said, is how the vulnerability came to be in the first place. "We've got Web 2.0/AJAX kind of guys who want to do things with browsers and HTML and … [they] really weren't designed to do the work," he said. "[They're using] hacks and kludges to make things work. Sometimes that has unforeseen consequences. You get cobbled-together AJAX."
What's needed are standards and protocols and Web browsers that support them, Chess said. The teams at Microsoft and Mozilla that maintain IE and Firefox are where "the rubber hits the road," he said. "Once they agree something's a standard, it's a standard," he said. "There's a lot of people who try to influence them, but it's really they we look to and take cues from."
This vulnerability will likely further motivate standards-setting bodies such as the IETF or the W3C, Chess said. Such organizations have often been where Microsoft's and Mozilla's people have come together to determine what will happen with standards and protocols. "I think this will further motivate them," Chess said. "They've known about problems in this neighborhood. … But I don't think they've understood what a big deal their security decisions would be."

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
