bugs, gadgets, security:
the "crash" function

Question:

After seeing all the security holes introduced by Microsoft in ActiveX (like the web page that you could load up which would shutdown Windows 95), I became curious about the security of JavaScript.

Are there security problems associated with JavaScript also, or is Netscape more on the ball than Microsoft?

--Frank

Have you ever used an application and watched it crash? Of course you have. Usually, it means that you have lost your unsaved work and that you need to restart the program.

wild applications

When applications crash, the operating system is supposed to stop them before they can cause serious damage. When the operating system intervenes to stop wild applications, it usually lets the user know about it, giving a message such as "program error" or, for you real hackers, "core dumped." Windows 95 users, I am sure, are quite familiar with the following dialog:

Sometimes, however, crashed applications can succeed in causing damage before the operating system stops them. Like headless chickens in a china shop, wild applications sometimes corrupt the memory of other applications -- occasionally even the operating system itself -- and cause system-wide failure. If you've used a low-security operating system such as Windows 95, then I'm sure you know what I'm talking about -- the "cascading crash effect," where one application bombs and brings the entire computer down with it.

"So why," you're probably asking, "is the JavaScript Pro giving a lecture on operating system security?"

Background, I guess. I just wanted to make sure you understand the implications of the really cool JavaScript bug I discovered.

the mother of all JavaScript errors

As Inquiry.Com's acting JavaScript Pro™, I receive lots of interesting questions -- from people trying to do a lot of interesting things. One day, while I was researching an answer for one of our readers, I stumbled across a small security glitch in the Windows 95 version of Netscape Navigator 3.

The function shown below, called "crash," contains erroneous JavaScript code. When executed, it is supposed to cause a JavaScript error. However, on Netscape Navigator 3 for Windows 95, Windows 3.1, and Mac-OS, it brings down the whole browser!

function crash()
{
	// "Document" is not a constructor available to scripts, so this line is the
	// deliberate error: it should raise a JavaScript error, but on Navigator 3
	// it faults the browser itself.
	sharky = new Document();
	sharky.URL = "http://sharky.crash.edu";
}

If you don't believe me, and if you are using one of the three browser versions mentioned above, click to see it for yourself.

I wouldn't exactly call this a major security flaw, but it is a security flaw nonetheless. Any scripting language that gives malicious scripters the opportunity to arbitrarily crash your browser should not be called "secure." The crash function demonstrates that in order for a scripting language to be secure -- as Netscape claims JavaScript is -- the implementation must also be secure.

the email bomb

Just to see how much fun I could have with the crash function, I wrote some email to my wife and included the script as an attachment. To give her a fighting chance, I gave the message the following subject line:

mail bomb -- don't touch

Of course, the subject line made the message irresistible, so she clicked on the message to read it.

This, of course, caused her browser to crash with a general protection fault.

Since general protection faults are familiar friends to Windows users, she was not at all surprised. Patiently, she restarted the browser and tried again -- only to end up with the same results.

I stood behind her, watching quietly over her shoulder, trying not to snicker.

After crashing and booting Netscape several more times, she decided to give up on the message and just delete it. But she couldn't do that, either, because in order to delete it she first had to select it -- which, of course, crashed her browser again.

When she finally called for my help (and threatened to make me sleep on the floor), I cheerfully disarmed the email bomb and saved my marriage once again. Although it had not caused serious damage, the "email virus" clearly indicated the existence of a security flaw in Netscape's implementation of JavaScript.

If we're going to develop web pages with executable content, the scripting language we use should not enable us to crash our guests' browsers. That's too much power in a scripting language. Fortunately, the people at Netscape think so too, and have fixed the bug in Netscape 4.

In the past, really clever hackers have exploited bugs like this in order to breach security mechanisms and gain access to restricted resources. <sarcasm>Wouldn't it be cool if JavaScript could be used to delete your hard drive!</sarcasm> :-)

Charlton Rose
May 1, 1995

"JavaScript Pro" is a trademark of inquiry.com.