How secure is google chrome and other questions

Using the latest google chrome on fully patched Windows XP with
javascript enabled and some standard plugins like shockwave and pdf
viewer, is it possible for a virus or malware to get onto a computer
just by visiting websites (without downloading anything) ?

Has anyone had this happen to them or know of it happening. If so
what was the virus or malware?

Using google chrome, does it ever download and execute native machine
code without me realising it - like maybe Active X controls or
something?

I use Norton Internet security and sometime it pops up a window that
says it has blocked something from attacking my computer. I also have
a router with a firewall. What kind of thing is it that Norton thinks
it has blocked and what could it do to my computer?

Why don't Linux machines need security software? Is it because not
many viruses are targetted at Linux or is Linux immune to the kind of
threats that I mentioned above that Norton thinks it blocked.?

Thanks in advance.

 

With Javascript running lots of attacks are possible.
One possibility is cross-site scripting (XSS).

 

I read the wikipedia article on this but I can't understand very much.

<quote>
Mallory crafts a URL to exploit the vulnerability, and sends Alice an
email, enticing her to click on a link for the URL under false
pretenses. This URL will point to Bob's website, but will contain
Mallory's malicious code, which the website will reflect.
Alice visits the URL provided by Mallory while logged into Bob's
website.
The malicious script embedded in the URL executes in Alice's browser,
as if it came directly from Bob's server (this is the actual XSS
vulnerability). The script can be used to send Alice's session cookie
to Mallory. Mallory can then use the session cookie to steal sensitive
information available to Alice (authentication credentials, billing
info, etc.) without Alice's knowledge.
<end quote>


A URL is something like http://bob.com right?

How can a URL "contain malicious code" or have a malicious script
embedded in it?

 

The question is whather or not it is possible, but rather the risk.

something, sure does that eh?

Remove Norton and let it do its thing. Then you will know. Does the denial
mess up your use of the machine?

[removed my response to the grammer above]

Both. Linux, evoled out of Unix which was, and still is, a multi user
system. So nasty natty needed to be restrained from messing up other users
files, or the operating system files.

Ms Windows is attacked because, mostly, it is the biggest bang for the buck.

Sony, the company that claims to take security seriously, was hacked to the
tune of millions of users data going to the third party.

A virus on Linux can only really mess up the home/user directory which is
not a heck of alot of use to someone who wants to steal ones idenity or take
over ones PC for bot use.

History plays a part in all of this. Ms Windows was born into it has to work
now for $. Unix came from a "real" world situation. Ms Windows has been
handicapped as a result.

 

Hold it right there. Alice fell down a rabbit hole. She was wise enuff never
to click on a link from someone she did not trust, yet alone know.

Keep going nospam. You are on a learning curve.


http://en.wikipedia.org/wiki/Phil_Zimmermann

He once said that it was about whom does one trust.

 

No viruses (or very few) are targetted at Linux. To some extent the way
that Linux works makes it harder to get control of the machine, but
that's not an absolute. I believe that most attacks these days that are
more than a nuisance value are 'social engineering' ones where the user
is persuaded to run a progam which gives the attacker control. A bit
like the Irish Virus: http://www.avolites.com/jokes/irishvirus.htm

Cheers,

Cliff

 

The URL given above is actually short for something like
http://bob.com/index.html usually. However the 'index.html' may be
substituted by 'index.php' which is a script. Or maybe 'index.cgi'.

Cheers,

Cliff

 

Malicious Javasript can be injected into big-name websites that have
no intent to be malicious. It can be come embedded in public-editable
sections of pages, such as the now ubiquitous "comments" section.
Websites should guard against such injection, but not all of them do.
Once the page has been displayed the Javascript has been executed.
You may then have become victim to a drive-by download or, similar.

 

All Google stuff is Spyware, did you not know that..?


Use Opera as it does not come from the Evil US.

 

And where is the script located? Is it embedded in the URL?

 

Nope. You ask for http://bob.com. The server serves the 'default page'
which can be pretty much anything but mostly starts with 'index.'.

So you request http://bob.com and the server translates that request to
http://bob.com/index.php and runs the script index.php and returns the
result to you as HTML.

I just realised that I might have given the wrong impression above.
Running the script as I've described is server side and won't in itself
cause you problems. However, things like JavaScript, which run on YOUR
machine and get served along with the page might do something malicious.

Cheers,

Cliff

 

ok, in that case the example on Wikipedia is badly written because it
uses the term URL when it appears to mean "web page". Here it is
again

<quote>
Mallory crafts a URL to exploit the vulnerability, and sends Alice an
email, enticing her to click on a link for the URL under false
pretenses. This URL will point to Bob's website, but will contain
Mallory's malicious code, which the website will reflect.
Alice visits the URL provided by Mallory while logged into Bob's
website.
The malicious script embedded in the URL executes in Alice's browser,
as if it came directly from Bob's server (this is the actual XSS
vulnerability). The script can be used to send Alice's session cookie
to Mallory. Mallory can then use the session cookie to steal sensitive
information available to Alice (authentication credentials, billing
info, etc.) without Alice's knowledge.
<end quote>

So how does Mallory get his malicious script into a Web page served up
by Bob's website?

 

After reading some of the Wikipedia article again I think the
malicious script actually is in the URL that Alice clicks on. i.e.
it's not a simple URL like http://bob.com but rather it's a long
complicated URL like when user form data is being submitted e.g. this
(not quite real)

http://www.bob.com/#hl=en&sugexp=gs...=0&aqi=&aql=f&oq=xss&pbx=1/script=alert'hello'

<quote>
The non-persistent (or reflected) cross-site scripting vulnerability
is by far the most common type.[10] These holes show up when the data
provided by a web client, most commonly in HTTP query parameters or in
HTML form submissions, is used immediately by server-side scripts to
generate a page of results for that user, without properly sanitizing
the request.[11]
Because HTML documents have a flat, serial structure that mixes
control statements, formatting, and the actual content, any
non-validated user-supplied data included in the resulting page
without proper HTML encoding, may lead to markup injection.[10][11] A
classic example of a potential vector is a site search engine: if one
searches for a string, the search string will typically be redisplayed
verbatim on the result page to indicate what was searched for. If this
response does not properly escape or reject HTML control characters, a
cross-site scripting flaw will ensue
<end quote>

 

As far as I know, Google chrome won't download and save a file unless
I explicitly give permission. It should be easy for a browser to
prevent javascript from placing a virus or malware on my computer or
doing anything to my computer.

 

You probably need to re-read what he said. Perhaps "upload" would have
been a better word?

Short of it is, he's talking about Javascript - which runs locally on
your computer. If you run Windows XP, then you are proabably (by
default unless you've changed it) an administrator. So the Javascript
is running in the same privilege.

So say for example a hacker manages to cause your banking website to
(effectively) include their malicious Javascript - and thereby get
("drive-by download") your details.

 

I'd didn't explain that well at all. I started going down two roads.
One is cross-site scripting (my example), the other is running
Javascpript external to the browser on XP (outside the sandbox). I
don't think IE8 allows it. IE7 probably doesn't either.

 

You probably need to google "drive by download"

That's not a drive by download.

 

And as said, I don't think that's what he really meant (I don't think
it's the right term).

 

I don't think you know enough to make any comment at all, let alone
judge what someone else meant. In any case, I was quoting you, not
him.