US-CERT Cyber Security Tip ST04-012 -- Browsing Safely: Understanding Active Content and Cookies

[US-CERT Security Tips <security-tips@xxxxxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                      Cyber Security Tip ST04-012

        Browsing Safely: Understanding Active Content and Cookies

   Many people browse the Internet without much thought to what is
   happening behind the scenes. Active content and cookies are common
   elements that may pose hidden risks when viewed in a browser or email
   client.

What is active content?

   To  increase  functionality  or  add  design embellishments, web sites
   often  rely  on  scripts that execute programs within the web browser.
   This  active  content  can be used to create "splash pages" or options
   like drop-down menus. Unfortunately, these scripts are often a way for
   attackers to download or execute malicious code on a user's computer.
     * JavaScript  -  JavaScript  is  just one of many web scripts (other
       examples  are  VBScript,  ECMAScript, and JScript) and is probably
       the most recognized. Used on almost every web site now, JavaScript
       and   other   scripts   are   popular  because  users  expect  the
       functionality  and  "look"  that  it  provides,  and  it's easy to
       incorporate  (many common software programs for building web sites
       have  the capability to add JavaScript features with little effort
       or  knowledge  required  of  the  user). However, because of these
       reasons,  attackers  can  manipulate  it  to their own purposes. A
       popular   type  of  attack  that  relies  on  JavaScript  involves
       redirecting  users  from  a legitimate web site to a malicious one
       that may download viruses or collect personal information.
     * Java  and  ActiveX  controls - Different from JavaScript, Java and
       ActiveX  controls are actual programs that reside on your computer
       or  can  be  downloaded  over  the  network  into your browser. If
       executed  by attackers, untrustworthy ActiveX controls may be able
       to  do  anything on your computer that you can do (such as running
       spyware  and  collecting personal information, connecting to other
       computers,  and  potentially  doing  other  damage).  Java applets
       usually  run  in  a  more  restricted  environment,  but  if  that
       environment  isn't  secure, then malicious Java applets may create
       opportunities for attack as well.

   JavaScript and other forms of active content are not always dangerous,
   but  they  are  common  tools  for  attackers.  You can prevent active
   content  from  running  in  most  browsers, but realize that the added
   security  may limit functionality and break features of some sites you
   visit.  Before  clicking  on  a  link  to  a web site that you are not
   familiar with or do not trust, take the precaution of disabling active
   content.

   These  same  risks  may  also apply to the email program you use. Many
   email  clients  use the same programs as web browsers to display HTML,
   so  vulnerabilities  that  affect  active  content like JavaScript and
   ActiveX  often  apply  to  email.  Viewing  messages as plain text may
   resolve this problem.

What are cookies?

   When  you  browse the Internet, information about your computer may be
   collected  and  stored.  This information might be general information
   about  your  computer  (such  as  IP  address,  the domain you used to
   connect  (e.g.,  .edu, .com, .net), and the type of browser you used).
   It  might also be more specific information about your browsing habits
   (such  as  the  last  time  you  visited a particular web site or your
   personal preferences for viewing that site).

   Cookies can be saved for varying lengths of time:
     * Session  cookies  - Session cookies store information only as long
       as  you're  using  the  browser;  once  you close the browser, the
       information  is  erased. The primary purpose of session cookies is
       to  help  with  navigation,  such  as by indicating whether or not
       you've already visited a particular page and retaining information
       about your preferences once you've visited a page.
     * Persistent  cookies  -  Persistent  cookies  are  stored  on  your
       computer  so  that  your  personal preferences can be retained. In
       most  browsers,  you can adjust the length of time that persistent
       cookies are stored. It is because of these cookies that your email
       address  appears  by  default when you open your Yahoo! or Hotmail
       email  account,  or  your  personalized home page appears when you
       visit  your  favorite online merchant. If an attacker gains access
       to  your  computer,  he  or  she  may  be  able to gather personal
       information about you through these files.

   To  increase  your  level of security, consider adjusting your privacy
   and  security  settings  to block or limit cookies in your web browser
   (see   Evaluating  Your  Web  Browser's  Security  Settings  for  more
   information).  To  make  sure  that  other  sites  are  not collecting
   personal  information about you without your knowledge, choose to only
   allow  cookies  for  the  web  site  you  are visiting; block or limit
   cookies  from  a  third-party. If you are using a public computer, you
   should  make  sure  that  cookies are disabled to prevent other people
   from accessing or using your personal information.
     _________________________________________________________________

     Author: Mindi McDowell
     _________________________________________________________________

     Produced 2004 by US-CERT, a government organization.

     Note: This tip was previously published and is being re-distributed 
     to increase awareness. 
  
     Terms of use
 
     <http://www.us-cert.gov/legal.html>
  
     This document can also be found at
 
     <http://www.us-cert.gov/cas/tips/ST04-012.html>
 

     For instructions on subscribing to or unsubscribing from this
     mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
     



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRnlsi+xOF3G+ig+rAQIZaAgAghpc907Wj5xEy6D8LAG1OncT1a+Q3IFq
mWJuZQamdo/dTrQ2xThQ4T0W4PjNTYp8uqz7HULI3/6//y2cItMyCPUedfFuWwBL
vzc3P3rliVJZvEYbN1iPCNVF3qOkpWgL7VQGHv8jTjzj+PtbUWEd7AdtJ6ya19MU
ZuN7Fi9V9x5n31Uw/VALGSSze04IxwTYpX6BQ5U6s0FpuJxGDboibuHNCmBIp4Ob
jJHdKXmFZ1rAscCp53evgxoNYvgDH8O/CK5LI/I6txTdiN1rt/rFp67RVpyXjJPm
L39RHmi155x1Scj1JMZD6vO3jwXGYCN5p+nREjuWct10Rt1ccedUpw==
=6Cki
-----END PGP SIGNATURE-----