Javascript to be next core malware language

The increasing sophistication of browsers is opening up new opportunities for hackers

The demand that the development of web 2.0 has placed on browsers to become more interactive and act as a portal rather than just a viewing platform is opening up new vulnerabilities to unsuspecting users, Itzik Kotler, team leader of the Security Operation Center at Radware, has warned.

As well as developing new signatures and analytics tools for Radware scanning software, Kotler also works on finding new classes of vulnerabilities before they appear in the wild.

One such security hole is in Javascript, which would allow a hacker to copy any file from a user's PC with little chance of detection – something many have considered to be impossible.

Koter demoed the hack, dubbed Jinx, to vnunet.com at this week's RSA security show in London. He showed how the process was done from within the browser itself, not by altering the browser binary, which can be detected by most anti-virus systems, but rather by adding plain HTML code into just one specific file.

According to Koter, this new class of attack will be attractive to cyber-criminals whose existing techniques are increasingly vulnerable to detection because the approach is cross platform and cross browser, allowing the hackers to access systems previously unavailable to them, such as Linux, Mac and mobile.

The problem stems from the fact that internet browsers have quickly moved from being passive text and picture viewers to essentially an operating system in their own right, through interactive services such as user-generated content, hosted applications, web mail and social networks.

"HTML is now like a batch file for everything," said Koter.

"It's only down to shaping and redirecting it from this intended purpose."

He concluded that, although these types of attack are not yet in the wild, security firms and browser developers need to ensure that the increased demand for a more flexible browser does not open the door to hackers.