News

When HTML Attacks!

Who knows what evil lurks in the heart of HTML? Carnegie Mellon University knows. Carnegie Mellon's CERT Coordination Center has issued an advisory on malicious HTML found around the web.

The advisory, "Malicious HTML Tags Embedded in Client Web Requests", details how Internet users can damage browsers and web servers by inserting certain tags into forms posted on the internet.

One example the advisory details is the posting of links on message boards. Users frequently reference other web pages during discussions on message boards and link to these sites. While it is possible to create a link simply by writing out the URL, if a user hand codes a link using the <A HREF=>tag, it is possible to embed malicious Javascripts into the tag. Despite the tag, the link will appear the same.

CERT (www.cert.org) makes a few suggestions for users and IT administrators wishing to avoid damage by malicious tags. First, users should avoid what CERT terms "promiscuous browsing", browsing with the assumption that all sites are benign. Instead, external URLs should be typed into the line, rather than clicked through. In addition, scripting languages in browsers should be disabled, and turned on only when a user specifically wants to see a script.

CERT, which doesn’t stand for anything, is a research unit of Carnegie Mellon University dedicated to studying computer security. It was founded in 1988 in reaction to the Morris worm, an attempt at distributed computing that crippled the Internet.

More instances of malicious HTML and security suggestions can be found in the full text of the advisory at http://www.cert.org/faq/cert_faq.html. -- Christopher McConnell

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Windows 10 Preview Adds Ability To Display Linux Distro Files

    Microsoft on Wednesday announced Windows 10 preview build 19603, which adds easier access to installed Linux distro files using Windows File Explorer.

  • Microsoft 365 Business To Get Azure Active Directory Premium P1 Perks

    Subscribers to Microsoft 365 Business (which is being renamed this month to "Microsoft 365 Business Premium") will be getting Azure Active Directory Premium P1 licensing at no additional cost.

  • How To Use .CSV Files with PowerShell, Part 1

    When it comes to bulk administration, few things are handier than .CSV files. In this two-part series, Brien demos his top techniques for working with .CSV files in PowerShell. First up: How to create a .CSV file.

  • SameSite Cookie Changes Rolled Back Until Summer

    The Chromium Project announced on Friday that it's delaying enforcement of SameSite cookie changes, and is temporarily rolling back those changes, because of the COVID-19 turmoil.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.