How secure is google chrome and other questions

Discussion in 'NZ Computing' started by Guest, May 1, 2011.

  1. Guest

    Guest Guest

    Using the latest google chrome on fully patched Windows XP with
    javascript enabled and some standard plugins like shockwave and pdf
    viewer, is it possible for a virus or malware to get onto a computer
    just by visiting websites (without downloading anything) ?

    Has anyone had this happen to them or know of it happening. If so
    what was the virus or malware?

    Using google chrome, does it ever download and execute native machine
    code without me realising it - like maybe Active X controls or
    something?

    I use Norton Internet security and sometime it pops up a window that
    says it has blocked something from attacking my computer. I also have
    a router with a firewall. What kind of thing is it that Norton thinks
    it has blocked and what could it do to my computer?

    Why don't Linux machines need security software? Is it because not
    many viruses are targetted at Linux or is Linux immune to the kind of
    threats that I mentioned above that Norton thinks it blocked.?

    Thanks in advance.
     
    Guest, May 1, 2011
    #1
    1. Advertisements

  2. Guest

    Murray Symon Guest

    With Javascript running lots of attacks are possible.
    One possibility is cross-site scripting (XSS).
     
    Murray Symon, May 1, 2011
    #2
    1. Advertisements

  3. Guest

    Guest Guest

    I read the wikipedia article on this but I can't understand very much.

    <quote>
    Mallory crafts a URL to exploit the vulnerability, and sends Alice an
    email, enticing her to click on a link for the URL under false
    pretenses. This URL will point to Bob's website, but will contain
    Mallory's malicious code, which the website will reflect.
    Alice visits the URL provided by Mallory while logged into Bob's
    website.
    The malicious script embedded in the URL executes in Alice's browser,
    as if it came directly from Bob's server (this is the actual XSS
    vulnerability). The script can be used to send Alice's session cookie
    to Mallory. Mallory can then use the session cookie to steal sensitive
    information available to Alice (authentication credentials, billing
    info, etc.) without Alice's knowledge.
    <end quote>


    A URL is something like http://bob.com right?

    How can a URL "contain malicious code" or have a malicious script
    embedded in it?
     
    Guest, May 1, 2011
    #3
  4. Guest

    Gordon Guest

    The question is whather or not it is possible, but rather the risk.
    something, sure does that eh?

    Remove Norton and let it do its thing. Then you will know. Does the denial
    mess up your use of the machine?

    [removed my response to the grammer above]

    Both. Linux, evoled out of Unix which was, and still is, a multi user
    system. So nasty natty needed to be restrained from messing up other users
    files, or the operating system files.

    Ms Windows is attacked because, mostly, it is the biggest bang for the buck.

    Sony, the company that claims to take security seriously, was hacked to the
    tune of millions of users data going to the third party.

    A virus on Linux can only really mess up the home/user directory which is
    not a heck of alot of use to someone who wants to steal ones idenity or take
    over ones PC for bot use.

    History plays a part in all of this. Ms Windows was born into it has to work
    now for $. Unix came from a "real" world situation. Ms Windows has been
    handicapped as a result.
     
    Gordon, May 1, 2011
    #4
  5. Guest

    Gordon Guest

    Hold it right there. Alice fell down a rabbit hole. She was wise enuff never
    to click on a link from someone she did not trust, yet alone know.

    Keep going nospam. You are on a learning curve.


    http://en.wikipedia.org/wiki/Phil_Zimmermann

    He once said that it was about whom does one trust.
     
    Gordon, May 1, 2011
    #5
  6. Guest

    Enkidu Guest

    No viruses (or very few) are targetted at Linux. To some extent the way
    that Linux works makes it harder to get control of the machine, but
    that's not an absolute. I believe that most attacks these days that are
    more than a nuisance value are 'social engineering' ones where the user
    is persuaded to run a progam which gives the attacker control. A bit
    like the Irish Virus: http://www.avolites.com/jokes/irishvirus.htm

    Cheers,

    Cliff
     
    Enkidu, May 1, 2011
    #6
  7. Guest

    Enkidu Guest

    The URL given above is actually short for something like
    http://bob.com/index.html usually. However the 'index.html' may be
    substituted by 'index.php' which is a script. Or maybe 'index.cgi'.

    Cheers,

    Cliff
     
    Enkidu, May 1, 2011
    #7
  8. Guest

    Murray Symon Guest

    Malicious Javasript can be injected into big-name websites that have
    no intent to be malicious. It can be come embedded in public-editable
    sections of pages, such as the now ubiquitous "comments" section.
    Websites should guard against such injection, but not all of them do.
    Once the page has been displayed the Javascript has been executed.
    You may then have become victim to a drive-by download or, similar.
     
    Murray Symon, May 1, 2011
    #8


  9. All Google stuff is Spyware, did you not know that..?


    Use Opera as it does not come from the Evil US.
     
    William Brown, May 1, 2011
    #9
  10. Guest

    Guest Guest

    And where is the script located? Is it embedded in the URL?
     
    Guest, May 1, 2011
    #10
  11. Guest

    Enkidu Guest

    Nope. You ask for http://bob.com. The server serves the 'default page'
    which can be pretty much anything but mostly starts with 'index.'.

    So you request http://bob.com and the server translates that request to
    http://bob.com/index.php and runs the script index.php and returns the
    result to you as HTML.

    I just realised that I might have given the wrong impression above.
    Running the script as I've described is server side and won't in itself
    cause you problems. However, things like JavaScript, which run on YOUR
    machine and get served along with the page might do something malicious.

    Cheers,

    Cliff
     
    Enkidu, May 1, 2011
    #11
  12. Guest

    Guest Guest


    ok, in that case the example on Wikipedia is badly written because it
    uses the term URL when it appears to mean "web page". Here it is
    again

    <quote>
    Mallory crafts a URL to exploit the vulnerability, and sends Alice an
    email, enticing her to click on a link for the URL under false
    pretenses. This URL will point to Bob's website, but will contain
    Mallory's malicious code, which the website will reflect.
    Alice visits the URL provided by Mallory while logged into Bob's
    website.
    The malicious script embedded in the URL executes in Alice's browser,
    as if it came directly from Bob's server (this is the actual XSS
    vulnerability). The script can be used to send Alice's session cookie
    to Mallory. Mallory can then use the session cookie to steal sensitive
    information available to Alice (authentication credentials, billing
    info, etc.) without Alice's knowledge.
    <end quote>

    So how does Mallory get his malicious script into a Web page served up
    by Bob's website?
     
    Guest, May 2, 2011
    #12
  13. Guest

    Guest Guest

    After reading some of the Wikipedia article again I think the
    malicious script actually is in the URL that Alice clicks on. i.e.
    it's not a simple URL like http://bob.com but rather it's a long
    complicated URL like when user form data is being submitted e.g. this
    (not quite real)

    http://www.bob.com/#hl=en&sugexp=gs...=0&aqi=&aql=f&oq=xss&pbx=1/script=alert'hello'

    <quote>
    The non-persistent (or reflected) cross-site scripting vulnerability
    is by far the most common type.[10] These holes show up when the data
    provided by a web client, most commonly in HTTP query parameters or in
    HTML form submissions, is used immediately by server-side scripts to
    generate a page of results for that user, without properly sanitizing
    the request.[11]
    Because HTML documents have a flat, serial structure that mixes
    control statements, formatting, and the actual content, any
    non-validated user-supplied data included in the resulting page
    without proper HTML encoding, may lead to markup injection.[10][11] A
    classic example of a potential vector is a site search engine: if one
    searches for a string, the search string will typically be redisplayed
    verbatim on the result page to indicate what was searched for. If this
    response does not properly escape or reject HTML control characters, a
    cross-site scripting flaw will ensue
    <end quote>
     
    Guest, May 2, 2011
    #13
  14. Guest

    Guest Guest

    As far as I know, Google chrome won't download and save a file unless
    I explicitly give permission. It should be easy for a browser to
    prevent javascript from placing a virus or malware on my computer or
    doing anything to my computer.
     
    Guest, May 3, 2011
    #14
  15. Guest

    Dave Doe Guest

    You probably need to re-read what he said. Perhaps "upload" would have
    been a better word?

    Short of it is, he's talking about Javascript - which runs locally on
    your computer. If you run Windows XP, then you are proabably (by
    default unless you've changed it) an administrator. So the Javascript
    is running in the same privilege.

    So say for example a hacker manages to cause your banking website to
    (effectively) include their malicious Javascript - and thereby get
    ("drive-by download") your details.
     
    Dave Doe, May 3, 2011
    #15
  16. Guest

    Dave Doe Guest

    I'd didn't explain that well at all. I started going down two roads.
    One is cross-site scripting (my example), the other is running
    Javascpript external to the browser on XP (outside the sandbox). I
    don't think IE8 allows it. IE7 probably doesn't either.
     
    Dave Doe, May 3, 2011
    #16
  17. Guest

    Guest Guest

    You probably need to google "drive by download"
    That's not a drive by download.
     
    Guest, May 3, 2011
    #17
  18. Guest

    Dave Doe Guest

    And as said, I don't think that's what he really meant (I don't think
    it's the right term).
     
    Dave Doe, May 3, 2011
    #18
  19. Guest

    Guest Guest

    I don't think you know enough to make any comment at all, let alone
    judge what someone else meant. In any case, I was quoting you, not
    him.
     
    Guest, May 3, 2011
    #19
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.