Security

This Week’s Browser Fight: Will Security KO Speed?

Speed kills — ask any cop — and browser users are going to find that out very soon.

The browser wars heated up this week, with Microsoft’s launch of Internet Explorer 8, Google’s release of a new beta version of Chrome, and the debut ofMozilla’s Fennec, the mobile version of Firefox.

One of the main talking points for both Google and Mozilla has been JavaScript — how it makes their browsers faster. It also boosts ease of use and enables more rich internet applications (RIAs), some of the benefits of Web 2.0, the companies say.

Microsoft, on the other hand, is emphasizing IE8’s new security features. Security has been the bane of Internet Explorer in the past — and now, thanks to their penchant for Javascript, it may become the bane of Chrome and Firefox.

JavaScript is a scripting language used for client-side development of Web sites and to enable scripting access to objects within other applications. Scripting access is where the danger arises — it lets hackers use JavaScript and related technologies such as AJAX (Asynchronous JavaScript and XML) to launch cross-site scripting attacks.

Known as “XSS” within the industry, cross-site scripting attacks are among the top 10 Web 2.0 security threats for 2009, according to the Secure Enterprise 2.0 Forum.

A growing fear is that the increased speed of the new browsers that depend on heavier user of JavaScript will only make things easier for hackers.

JavaScript’s Benefits

JavaScript is woven throughout the Internet; it is one of the key technologies that made Web 2.0 possible. Businesses have jumped on Web 2.0 technologies due to their potential for providing a competitive edge.

For example, clothing and shoes retailer Karmaloop has built a community based on Web 2.0: It lets independent designers upload videos about their products, and it offers a Web television show, community forums and an invitation-only social network for trendsetters.

“With increased speed you get richer content,” Randy Abrams, director of technical education at antivirus software vendor ESET, told TechNewsWorld.

The Dark Side of JavaScript

Malicious hackers love JavaScript because it enables cross-site scripting attacks that let them take over users’ computers. In a stored cross-site scripting vulnerability, malicious code sent by an attacker is stored in the victim’s system and then displayed to other users, explains the Secure Enterprise 2.0 Forum.

Systems that let users input formatted content, such as HTML, are especially susceptible to cross-site scripting, the Forum says.

While faster browsers make it easier to render rich Internet content such as videos, rich content is often abused by hackers. For example, they post links to Web sites purporting to carry videos of celebrities, but those videos are actually malware.

“RIAs can be attractive for legitimate enterprises as well as the bad guys,” ESET’s Abrams said. “Going faster means you can get infected faster, and exploits will work faster.”

IE8 May Win Out

Although IE8’s security promise has already been marred to an extent — it was hacked the day before its official rollout — it may escape the potentially serious fallout from using JavaScript. One of the new features in Internet Explorer 8 is a cross-site scripting filter, which will help protect users and systems, Microsoft says.

Also, IE8 got a speed boost via a different technique, Peter Christy, an analyst at Internet Research Group, told TechNewsWorld.

“Instead of optimizing the performance of IE8 for JavaScript execution benchmarks, which is the easier thing to do, Microsoft found the most popular pages from the most popular sites and optimized it for those instead,” he explained. “Microsoft put a lot more time into more conventional rendering as opposed to speeding up script time.”

4 Comments

  • First off,

    "Speed kill — ask any cop"

    Speed doesn’t kill you. It is the sudden deceleration that does.

    (BTW. I find reports like "Speed was a factor in x % of accident" hilarious… in order for two objects to collide they cannot be a rest relative to each other, hence ‘speed’ is a necessary condition, hence _always_ a factor.

    "Security has been the bane of Internet Explorer in the past — and now, thanks to their penchant for Javascript, it may become the bane of Chrome and Firefox."

    How fast you process a java-script has no correlation on the number of bug such implementation has. I.E. is proof of that. One can be slow AND buggy.

    "ESET’s Abrams said. "Going faster means you can get infected faster, and exploits will work faster."

    Abrams is an idiot. Under the same retarded argument, one could suggest that faster CPU, bigger driver or any improvement in computing performance is dangerous because it would get you infected ‘faster’.

    One fallacy of this argument, is the unsubstantiated claim that such infection is inevitable, and that it is merely related to volume not quality.

    "One of the new features in Internet Explorer 8 is a cross-site scripting filter, which will help protect users and systems, Microsoft says."

    Firefox’s NoScript plugin, for instance has been available for quite a while, beside Firefox 3, wich has been out a while now, include some protection against XSS already….

    I love it when AM ateur journalist regurgitate Microsoft Cool-Aid whithout bothering with due diligence.

    What’s next ? an article about Microsoft newest invention: Tab-browsing!

  • WOW. What an truly unbelievable article. Did someone actually *approve* the publication of this crap?

    Fact checking FAIL.

    You know what? Faster processor speeds make it easier for malware writers too! Let’s all buy slower processors so those mean hackers can’t break into our computers!

    There are so many incorrect facts in this article, it’s not even worth trying to correct. The whole basis of the article is ridiculous.

    Here’s a more factual summary:

    * Faster Javascript performance benefits everyone

    * IE8 is way behind the competition with regards to Javascript speed improvements

    * Microsoft wishes IE8’s Javascript were faster

  • Speed kills? Are you insane? What are you suggesting slower JavaScript prevent cross site scripting?

    You clearly haven’t got a clue what your writing about.

    Your article has no basis in any technical facts whatsoever.

    SHAME ON YOU for writing this. And SHAME ON YOUR PUBLICATION for publishing such nonsense.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Richard Adhikari
More in Security

How often do you receive an email that you suspect is fraudulent?
Loading ... Loading ...

Technewsworld Channels