Malicious programs that are installed via HTML.

AIUI, it was not all that long ago that the threat to personal users
was attachments that, when executed, compromised machines with keyloggers,
trojans, etc.

Now it seems that the big problem is reading a webpage or an HTML e-mail
and getting affected through the scripting.  My understanding is that
the script downloads the malicious program from the web and sets it to
run on start up through the start-up folder or in the registry.

I don't know much about this; can someone suggest a good web site to
start learning a bit more about these threats?  I have googled, but I am
not quite sure of the best search terms, and since there is so much
information out there, a site that experienced people endorse would be a
lot of help.


Re: Malicious programs that are installed via HTML.

Lew wrote: [quoted text not shown]

Scripting is one method of code injection to the local host.  When code
runs on the local machine there is the potential of compromise to the
local host.  To date there are no scripting languages I am aware of for
webpages where an exploit has not existed at one time or another.

Some vulnerabilities do not even require scripts to run, for example the
recent WMF vulnerability can execute on viewing the graphic.  Another
method uses mime to compromise the mail host.

There is a worm (Nyxem_e) currently making the rounds that executes in
MIME (mail) format, no clicking or graphics required.

Every plug-in (such as macromedia, quicktime, media player etc) allows
more code types to run within the browser, thereby expanding exploit

Some methods to compromise a system require a series of code to run to
break down the system defenses, these are layered threats and have a
much higher probability of evading antivirus or other defenses.

I know of no single site that defines all of the methods that might be
used to access/compromise a system.  New methods are seen almost daily.

Understand that running any untrusted code on the local machine opens
the exploit window.  Allowing some code varieties (ActiveX comes to
mind) is more dangerous (generally) than, for example, java scripting.

Email clients that allow code to run within the email when opened
(Outlook Express) are "generally" more dangerous than clients which do
not run scripts.

Typically I do not run scripts of any sort in my browser unless the site
I am visiting requires scripts and my need is greater than my concern
for security, in which case I allow only the activity required for the
site in question and turn off scripting functionalities once they are no
longer required.  Just because the script is being run from, for example
Yahoo, does not mean the code is safe to run.  Trust no one.

Downloading files from the net and installing programs, be it games,
toolbars or other code, is extremely dangerous unless you are sure of the
code source.

Some very good reading can be found in the SANS reading room.  SANS does
a reasonable job keeping abreast of the compromise du jour (handlers
diary).  The SANS site is: (note link to reading
room on top menu on page)

Looking at vulnerabilities in commercial/production software I
frequently use /

Both these sites support RSS which is useful to stay apprised of
on-going threats on a regular basis. has a number of topics that are good reading.  While
this is not generally considered a "computer" site, they have a number
of articles and papers that address various threats.

This is a start; I am curious to see other folks' advice on your
question.  I hope to find a good single answer.


Re: Malicious programs that are installed via HTML.

I've been blocking all active scripting in IE for about 7 years now along w/
cookies.  Most people won't do that because they can't view certain sites.
That has prevented pop ups, worms and probably a host of other things.  I
don't even have an anti virus running.

Re: Malicious programs that are installed via HTML.

You use IE?
If you're worried about security get Firefox.

Re: Malicious programs that are installed via HTML.

Lars wrote: [quoted text not shown]

In Fx use the "NoScript" and "adblock" extensions.

If you want to keep with IE use Eric Howes' "Enough is Enough". It locks down the
Internet zone and makes it easy to add to the trusted zone. Yes, you could do
the lock-down with Registry Edits and the zone maint with MS POWERTWEEK. This
batch file makes life a lot easier.


Dave Keays

Re: Malicious programs that are installed via HTML.

I'm not worried at all.

Re: Malicious programs that are installed via HTML.

Lew wrote: [quoted text not shown]

For a start, know HTML. Then the road (long for some) - if you've done
no programming - of learning a scripting language, then it'll be more
obvious. The script is not part of the HTML language. But HTML provides
ways to embed a script into the HTML.  Those files whose extension is
.html contain HTML and can contain a script, but the script isn't part
of the HTML, no matter what that .html or .htm extension might suggest.

I never really messed with scripting much.  I think the stuff you're
talking about might be more ActiveX.  I can't imagine JavaScript
downloading a file onto my comp, but I guess it's possible. Maybe an
exploit of it could.  I think ActiveX is the big real threat. Hence
Internet Explorer has the warnings and questions of whether you want to
download the ActiveX control. It never used to have that, and so there
were problems.
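
The distinction drawn in the post above (script is not HTML, but HTML offers several ways to embed it) can be checked mechanically. The following is an added example, not part of the thread: a Python inventory of every place a page or HTML e-mail body embeds code, covering script tags, plug-in/ActiveX containers, event-handler attributes and script-scheme URLs. The function name `find_active_content`, the sample markup, the all-zero classid and the `example.invalid` URL are constructed for illustration.

```python
from html.parser import HTMLParser

# Elements that load or run code beyond plain markup (scripts, plug-ins, ActiveX).
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")
URL_ATTRS = {"href", "src", "action", "data"}


class ActiveContentFinder(HTMLParser):
    """Collects (line, kind, detail) for every place the markup embeds code."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = [(k, (v or "").strip()) for k, v in attrs]
        if tag in ACTIVE_TAGS:
            amap = dict(attrs)
            detail = amap.get("src") or amap.get("classid") or amap.get("data") or "inline"
            self.findings.append((line, tag, detail))
        for name, value in attrs:
            if name.startswith("on"):  # onclick, onload, onerror, ...
                self.findings.append((line, "event-handler", f"{tag}[{name}]"))
            elif name in URL_ATTRS and value.lower().startswith(SCRIPT_SCHEMES):
                self.findings.append((line, "script-url", f"{tag}[{name}]"))


def find_active_content(html_text):
    """Return a list of (line, kind, detail) findings for the given markup."""
    finder = ActiveContentFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample: an HTML e-mail body mixing plain markup with embedded code.
SAMPLE = """<html><body onload="init()">
<p>Hello, <b>plain markup</b> runs nothing.</p>
<script src="http://example.invalid/a.js"></script>
<script>var x = 1;</script>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<a href="JavaScript:void(0)">click</a>
<img src="logo.png">
</body></html>"""

if __name__ == "__main__":
    for line, kind, detail in find_active_content(SAMPLE):
        print(f"line {line}: {kind:13} {detail}")
```

A mail filter or proxy can use the same inventory to strip or quarantine messages whose findings list is not empty, which is the automated form of "do not run scripts in mail".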
