JavaScript is the scapegoat for many of the Web's problems, including pop-ups, pop-unders and other much-maligned browser behaviors. The language's reputation also has been sullied by malware, such as the infamous Nimda worm, that uses it to spread through the Web.
The truth, however, is that JavaScript is not to blame. JavaScript takes the fall because many people do not understand the relationship between the language and its implementation.
History of JavaScript
Despite the confusingly similar names, JavaScript was developed separately from Java. The scripting language debuted as part of the Netscape Navigator 2.0 browser. After Navigator 3.0 was released, Netscape submitted a draft standard of JavaScript to the European Computer Manufacturers Association (ECMA).
Adopted as a standard by ECMA, the language's official title is actually ECMAScript, though Netscape continued to call its implementation JavaScript, and Microsoft refers to its own version as JScript. The end result is that great confusion abounds when people talk about vulnerabilities related to JavaScript.
Understanding JavaScript
Mitchell Stoltz, lead security engineer for Netscape, pointed out that there is a difference between the JavaScript language and its implementation. "JavaScript is basically a programming language like C++," he told NewsFactor. "When many people talk about JavaScript in a browser context, what they're really talking about is the DOM (Document Object Model), a series of interfaces for manipulating the contents of a Web page." The DOM is a World Wide Web Consortium (W3C) specification that provides an interface through which programs or scripts can manipulate documents dynamically.
Stoltz said users should blame faulty programs, not the language itself, when a problem arises. "You're talking about vulnerabilities in a browser or mail client implementation, exposed through JavaScript," he noted. "JavaScript is not to blame; it's the browser implementation that the JavaScript controls."
In other words, JavaScript cannot do anything that an application does not allow it to do.
Where JavaScript Threatens
That is not to say users should be unconcerned about Web pages that contain JavaScript. Joe Hartmann, a virus expert with Trend Micro, told NewsFactor that JavaScript was an essential ingredient used in spreading the Nimda worm. "When you got infected with Nimda, the virus would search for Web servers and try to insert malicious JavaScript lines of code into existing ... pages," Hartmann said. In this way, Nimda would set the stage for replication. "It was just one to two lines [that] caused vulnerable (unpatched) browsers to automatically execute infected .eml files. As a result, people got infected with Nimda by browsing infected Web sites."