wecrookie
Occasionally has a life
Joined: Thu Apr 23, 2009 6:47 pm Posts: 437 Location: Coalisland,N.Ireland
|
Thank you Dave. It's this sort of thing that brings me back time & time again, the willingness of peeps to take time to help educate a n00b like me. Yours, wecrookie
_________________ Carpe Diem - Squeeze the day!
|
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
|
No problem.
The more people who can understand some of these security problems, the safer the net is for everybody.
_________________ "Do you know what this is? Hmm? No, I can see you do not. You have that vacant look in your eyes, which says hold my head to your ear, you will hear the sea!" - Londo Molari
Executive Producer No Agenda Show 246
|
Nick
Spends far too much time on here
Joined: Thu Apr 23, 2009 11:36 pm Posts: 3527 Location: Portsmouth
|
Yes primarily, although JavaScript is often used inappropriately too.
|
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
|

Out of interest, Mozilla currently recommends that all users who haven't upgraded to version 3.0.16 or 3.5.6 of Firefox should immediately disable JavaScript in their browsers, until they are able to upgrade, as there are in-the-wild exploits, which affect unpatched versions - SeaMonkey pre 2.0.1 is also affected.
Likewise, Adobe currently recommend that all users disable JavaScript in Acrobat and Reader, until the quarterly update comes out in the middle of January (12th, I believe), as there are in-the-wild exploits for embedded JavaScript in PDF documents and they won't rush out a patch in the next couple of weeks (announced pre-Christmas). They argued that pushing out an emergency patch would mean that it would appear in the 1st or 2nd week of January anyway and that it would push the quarterly patch cycle back as well, so they decided to combine the emergency patch into the quarterly release - given the relatively short timescale, not an unreasonable decision, given that the quarterly patch will patch other vulnerabilities as well and another 3-7 days shouldn't make much difference; although, as a user and administrator, it is annoying that we are left hanging...
Similarly, Apple, Microsoft and Google have all been hit by JavaScript security bugs in the last 18 months, where the recommended action was to immediately disable JavaScript and wait for the next patch to come out.
Given that probably 90% of users won't hear about this, won't understand this or will ignore the advice, you are probably safe in assuming that JavaScript is running on the browser, although it is usually safer to double check - easiest way is to probably have a landing page which works without JavaScript and tells the user they should enable JavaScript to get the full benefit of the site and have a small JavaScript snippet that automatically redirects the user to the "real" landing page, which uses the full JavaScript facilities.
|