Clicking hyperlinks can cause virus attacks

Technology Tips by Burleson Consulting

I knew that someday the day would come when it's no longer safe to click on a hyperlink.

I'm not talking about offensive content, either.  Now we have two dangers that threaten the whole web.  First, you cannot safely click a hyperlink without risking a Page-Load attack, and second, you can no longer trust the instructions on legitimate web sites.

If left uncorrected, these vulnerabilities could cause a worldwide panic. Well, maybe not a panic, but it could spell the early death of super-interactive web sites like maps.google.com that use asynchronous JavaScript (called AJAX).

Be careful what you click

Most folks don't know that you have to be very careful when clicking hyperlinks and that you can commit a felony just by loading some web pages.  It's a felony in the United States to click on a hyperlink that takes you to a child pornography web site, and it can be easy to do, especially when you are surfing in a bad neighborhood. 

For example, I get full activity feeds from the PCs in my company, and I once witnessed an employee surfing lesbian porn with wild abandon, clicking the links so fast that they could have easily hopped into a kiddie porn site, triggering a visit by the FBI.

Those of us who don't visit bad neighborhoods never had to worry about surfing.  But that all changes when the simple act of clicking a hyperlink might launch a virus.

Web Surfing is now dangerous

There are two serious vulnerabilities here, both of which make web surfing a potentially dangerous activity:

  • Page-Load attack - The article below says that JavaScript can be automatically invoked when your web browser renders the page.  This script can then do naughty things on your network.

  • Plant attack - Plant attacks involve planting malicious JavaScript into legitimate web sites.  This vulnerability has been discovered on many major web portals, and the hacker plants a JavaScript pop-up that redirects the trusting customers to a phishing page.

This is very frightening stuff, especially since people are now publishing step-by-step how-to guides for using hacker techniques.  If you have not already, take a minute to witness this actual database break-in, captured on video.  Let's take a closer look at how JavaScript is ruining our lives on the Internet.

The Page-Load attack

According to this article, hackers can put scripts inside their web pages that will automatically launch, easily infecting your PC or network with a malicious virus:

"The malicious JavaScript can be embedded in a Web page and will run without warning when the page is viewed in any ordinary browser, the researchers said.

It will bypass security measures such as a firewall because it runs through the user's browser"

But if that were not bad enough, the article goes on to note that async JavaScript (AJAX) has vulnerabilities which can be exploited by a hacker.  Steve Karam notes that you can be protected against this problem with a spyware or virus scanner:

"Microsoft's ActiveX objects have long had the same issues, and anyone using Internet Explorer is highly susceptible to them. In fact, the only way to use AJAX on Internet Explorer is to use Microsoft's ActiveX objects that have been around for years.

If an internet user has a spyware program or virus scanner, it should pick up on malicious JavaScript such as this; thus, it is in the hands of the end user to protect themselves. Calling this a threat is like saying we should discontinue email use because it could contain viruses."

The Plant attack

I'm starting to think that JavaScript sucks.  It can be "planted" in legitimate web pages, even the giant secured sites like eBay and PayPal.  Worst of all, even checking the URL of the web site will not protect you.  This article notes that consumers were ripped off by a phishing scheme, even though they checked to ensure that they were on the actual PayPal web site.  Feeling safe, they followed the instructions on the screen, one of which was a fake message: a malicious JavaScript that was planted in the PayPal web page by hackers:

"The page actually has a real PayPal URL, but hosts malicious code that presents a message warning members that their account had been compromised. It then redirects them to a "phishing" Web site."

From the article we see that many well-known and trusted web sites have been vulnerable to planted JavaScript:

"An attack could also lurk on a trusted Web site by exploiting a common flaw known as cross-site scripting. Big-name Web companies including Google, Microsoft and eBay have had to plug such holes.

Earlier this week AOL's Netscape.com fixed such a flaw that let apparent fans of rival Digg.com plant JavaScript on the Netscape Web site."

Wow, this is scary stuff.  Steve Karam notes that it's not only JavaScript:

"JavaScript, AJAX, all these are for the sake of progress, and they give us the possibility of an amazingly diverse Internet; however, with new progress also comes new problems...it will be up to the developers to fix these issues.

It's not just JavaScript.  I've seen people use holes in open source PHP programs to upload shell scripts and other things that can cause the same results."

The plant attack can be easily prevented by only using HTML in web pages, and if you choose to incorporate JavaScript or PHP, use an expert to harden your web server.
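The "planted JavaScript" problem above and the Page-Load attack described earlier both come down to the same server-side mistake: untrusted text (a comment, a product description, a query string) is pasted into the page markup as-is, so anything that looks like a tag runs in the visitor's browser. The following is an added example, not code from the article or from any site it mentions; it shows a vulnerable render function next to its hardened form, using a constructed comment field and a constructed phishing.example address as the planted content.

```javascript
// Added example (not from the original article): output-encoding the untrusted
// parts of a page so that "planted" JavaScript is displayed as text instead of
// being executed when the page loads. The template and sample comment are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of HTML text or attribute context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the visitor-supplied comment goes straight into the markup,
// so a comment containing a <script> tag becomes live code on the legitimate site.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened rendering: the same comment is encoded first, so the browser shows the
// angle brackets literally and nothing executes. This is the server-side fix that
// makes a "plant attack" through this field impossible, whatever the visitor typed.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Simple check used only to show the difference: does the markup still contain a raw
// script tag that a browser would execute on page load?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample of what a plant attack leaves in a user-supplied field: a script
// that sends the visitor to a look-alike site (phishing.example is a reserved name).
const plantedComment =
  'Nice site! <script>document.location="http://phishing.example/"</script>';

// Side-by-side result for the reader.
function demo() {
  return {
    unsafe: renderCommentUnsafe(plantedComment),   // script tag survives: executes on load
    safe: renderCommentSafe(plantedComment),       // script tag is inert text
    unsafeExecutes: containsScriptTag(renderCommentUnsafe(plantedComment)), // true
    safeExecutes: containsScriptTag(renderCommentSafe(plantedComment)),     // false
  };
}
```

Escaping at output time is the check to look for when reviewing a site that mixes HTML with visitor-supplied text; a scanner on the visitor's PC only sees the page after the damage is already in it.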

Copyright © 1996 -  2020

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.