COMMAND

    javascript

SYSTEMS AFFECTED

    Most of them including you

PROBLEM

    Several web  browsers support  the ability  to download JavaScript
    programs with an  HTML page and  execute them within  the browser.
    These programs  are typically  used to  interact with  the browser
    user  and  transmit  information  between  the browser and the Web
    server that provided the page.

    JavaScript programs  are executed  within the  security context of
    the  page  with  which  they   were  downloaded,  and  they   have
    restricted access to other resources within the browser.  Security
    flaws  exist  in  certain  Web  browsers  that  permit  JavaScript
    programs  to  monitor  a  user's  browser  activities  beyond  the
    security  context  of  the  page   with  which  the  program   was
    downloaded.  It may not be  obvious to the browser user that  such
    a program is  running, and it  may be difficult  or impossible for
    the  browser  user  to  determine  if  the program is transmitting
    information back to its web server.

    The vulnerability  can be  exploited even  if the  Web browser  is
    behind  a  firewall  (if  JavaScript  is  permitted  through   the
    firewall)  and  even  when   users  browse  "secure"   HTTPS-based
    documents.

    This  bug  allows  a  Web  designer  to  create  a page that, when
    visited by  Internet users,  would pop  up a  second small or even
    nearly invisible browser  window. That window,  which could be  as
    small as one pixel by one  pixel, would talk to the first  window,
    sending it everything that's  displayed in other browser  windows.
    In turn,  that information  could be  passed back  to the original
    page from which the JavaScript was downloaded.

    "That brand-new window, then, can  look at all of the  information
    in any  of the  other windows  that are  currently running,"  says
    Larry Rogers, a senior member  of CERT's technical staff. "It  can
    observe  URLs  of  visited  documents,  it  can  observe  any data
    interactively filled into a form, it can observe values of cookies
    and  password  fields,  it  can  observe  form password and cookie
    information  even  from  secure  HTTP  sites  and  documents.   So
    essentially it can look at anything the user types."

SOLUTION

    The best solution is to obtain a patch from your vendor or upgrade
    to a version that is not vulnerable to this problem. If a patch or
    upgrade is not available, or you cannot install it right away,  it
    is recommend disabling JavaScript until the fix is installed.

    "I think the important thing  for end-users to know at  this point
    is that,  at least  the way  it stands  right now,  whether you're
    using a 40-bit  or a 128-bit  browser, neither of  them can really
    protect  you  against  this  problem,"  reports  Vinod  Anapum,  a
    researcher at  Bell Labs  who originally  reported the  JavaScript
    vulnerability to  CERT's coordination  center. "The  safe thing to
    do is turn JavaScript off."

    Most of people should install latest Netscape or 3.4 supported  by
    vendor (or modified as SGI do).  Same goes for IE.