Possible for Script to Deliver a Virus?

I've done some Googling on this, but can't find anything definitive looking
that isn't ancient.

The issue is whether the simple act of viewing an HTML page that contains
script or viewing an HTML Email message that contains script is (in and of
itself) enough to infect your machine with a virus.

I know that there were a few rather exotic methods used in the past to
exploit vulnerabilities of IE and/or Outlook/Outlook Express that required
only viewing to be infected, but even those weren't specifically delivered
by script were they? My understanding is that they used specially encoded
graphic objects or similar.

I know that script can do things that are irritating (spawn windows and
such) but I fail to see how they can actually do anything harmful to the
local system. Note that I am not talking about a script attachment that a
user might double-click. Only the script that would run just from viewing
the HTML content.

If it is true that this is possible, would one have to be running fairly
antiquated client software to be in danger?

TIA

In XP, if the user's security settings are set to low, and if the user
is an Administrator ... A HTML (or rather an HTA file HTML-look-
alike) can do about anything the author wants.

Rick Brandt said:
> I've done some Googling on this, but can't find anything definitive looking
> that isn't ancient.
>
> The issue is whether the simple act of viewing an HTML page that contains
> script or viewing an HTML Email message that contains script is (in and of
> itself) enough to infect your machine with a virus.
>
Yes it is.
But, most of these kind of security holes are fixed very quickly. If you keep
your software (browser, mail client, etc) up to date you should be relatively
safe. Or use a non windows OS, which while neither 100% is far far less likely
to be subject to the same invasive techniques used by the low lifes who
develop such attacks.

D.
--
Fermat was right.

gimme_this_gimme_that@yahoo.com said:
>
>In XP, if the user's security settings are set to low, and if the user
>is an Administrator ... A HTML (or rather an HTA file HTML-look-
>alike) can do about anything the author wants.

An HTA has to be executed from the local system.
If you can be talked into downloading a file and clicking on it,
then you're vulnerable to all sorts of things, most of which
have nothing to do with computers.


--

David Gillen wrote:
> Rick Brandt said:
> > I've done some Googling on this, but can't find anything definitive
> > looking that isn't ancient.
> >
> > The issue is whether the simple act of viewing an HTML page that
> > contains script or viewing an HTML Email message that contains
> > script is (in and of itself) enough to infect your machine with a
> > virus.
> >
> Yes it is.
> But, most of these kind of security holes are fixed very quickly. If
> you keep your software (browser, mail client, etc) up to date you
> should be relatively safe. Or use a non windows OS, which while
> neither 100% is far far less likely to be subject to the same
> invasive techniques used by the low lifes who develop such attacks.
>
> D.

Just to clarify though. Can anything you're describing be done with plain old
Javascript or does it require some sort of exotic exploit?

Rick Brandt wrote:

> David Gillen wrote:
>> Rick Brandt said:
>> > I've done some Googling on this, but can't find anything definitive
>> > looking that isn't ancient.
>> >
>> > The issue is whether the simple act of viewing an HTML page that
>> > contains script or viewing an HTML Email message that contains
>> > script is (in and of itself) enough to infect your machine with a
>> > virus.
>> >
>> Yes it is.
>> But, most of these kind of security holes are fixed very quickly. If
>> you keep your software (browser, mail client, etc) up to date you
>> should be relatively safe. Or use a non windows OS, which while
>> neither 100% is far far less likely to be subject to the same
>> invasive techniques used by the low lifes who develop such attacks.
>>
>> D.
>
> Just to clarify though. Can anything you're describing be done with plain
> old Javascript or does it require some sort of exotic exploit?

Hi,

A bit of both often: an exotic exploit using JS.
As with most bugs/securityholes, the problem was not obvious to the
developers: Bufferoverflows and such.

If you want to know about all details, I think Mozilla/FF have public
accessable bugtrackers with comments.
IE/M$ probably fix their stuff silently (if they fix it at all) with minimal
comments about the securityhole.

You can find more info and usefull links at developer.mozilla.org.

Hope that helps.

Regards,
Erwin Moller

It also depends on your interpretation of the term "virus".

In IE, with JavaScript, you can do all kinds of "not so nice stuff"...
fill the user's autocomplete with pr0n entries, submit pages silently,
initiate downloads, etc.

The main trick is, that most is relatively harmless.. unless you click
"Accept" when something pops up... but, JavaScript in IE, does have
access to the file system (if you allow it)... thus if you do manage
to comprimise the security settings in IE, with a crafted page, there
is a chance that you might be able to call the file system functions,
without the security checks in place. Its a big if, but.. it is there
waiting to be exploited, should someone get in that far.

In IE7, things are :"said" to be safer... but from my regular IE7
updates,... i'm not convinced yet... ;-)