When HTML Attacks!
- By Scott Bekker
Who knows what evil lurks in the heart of HTML? Carnegie Mellon University knows. Carnegie Mellon's CERT Coordination Center has issued an advisory on malicious HTML found around the web.
The advisory, "Malicious HTML Tags Embedded in Client Web Requests", details how Internet users can damage browsers and web servers by inserting certain tags into forms posted on the internet.
CERT (www.cert.org) makes a few suggestions for users and IT administrators wishing to avoid damage by malicious tags. First, users should avoid what CERT terms "promiscuous browsing", browsing with the assumption that all sites are benign. Instead, external URLs should be typed into the line, rather than clicked through. In addition, scripting languages in browsers should be disabled, and turned on only when a user specifically wants to see a script.
CERT, which doesn’t stand for anything, is a research unit of Carnegie Mellon University dedicated to studying computer security. It was founded in 1988 in reaction to the Morris worm, an attempt at distributed computing that crippled the Internet.
More instances of malicious HTML and security suggestions can be found in the full text of the advisory at http://www.cert.org/faq/cert_faq.html. -- Christopher McConnell
Scott Bekker is editor in chief of Redmond Channel Partner magazine.