> >On Jan 25, 4:22 pm, Ed Jay <ed...@aes-intl.com> wrote:
> >> Beauregard T. Shagnasty scribed:

> >> >Ed Jay wrote:

> >> >> aoksi...@gmail.com scribed:

> >> >>> Ed Jay <ed...@aes-intl.com> wrote:
> >> >>>> aoksi...@gmail.com scribed:

> >> >>> For the people who accept new info here is one link to a direct
> >> >>> infection caused by JavaScript
> >> >>>http://groups.google.com/group/stopbadware/browse_thread/thread/5d418...
> >> >>> there are many more.

> >> >> New info? LMAO! The thread is about an infected WEB SITE, not a User's
> >> >> computer!!! :-))

> >> >I just read the stopbadware thread listed above, and it sure looks to me
> >> >as if it is about the hacking of web sites - *which in turn* - infect
> >> >the computers of visitors with inferior browsers and JavaScript enabled.

> >> That's not quite how I read it. I'd have said that errant js on hacked web
> >> sites can result in naughty files being downloaded, instead of the desired
> >> file, and when the naughty file is executed by the user, it may infect the
> >> user's computer. It is not the js that compromises the user's machine.
> >> --
> >> Ed Jay (remove 'M' to respond by email)

> >Please read this

> >http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5F...

> >and this

> >http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5F...

> >It more clearly states the issue.

> Thanks, but I'm not sure I understand. The citation says, and I paraphrase
> for brevity:

> >This malicious JavaScript is hosted on a Web site and runs when a user accesses the said Web site.

> Yup

> >This malicious JavaScript accesses the following URL to download files:

> Yup

> >It takes advantage of the following software vulnerabilities:
> ><snip> All ActiveX exploits

> ActiveX exploits... I understand the security issues with ActiveX

> >Upon successful exploit, the system is redirected to the following Web site to download a malicious file

> OK

> >It saves the downloaded files..

> OK

> >It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

> To my knowledge, the only way that js can execute a local file is either
> with user permission, or by exploiting security holes in either the browser
> (IE is infamous) or the ActiveX controls. Google 'javascript "execute local
> files"' for an explanation.

> I conclude that js isn't the problem, but poor browser design and those
> lovely ActiveX controls are (forgetting those who execute files they
> shouldn't). Hence, your original statement

> >One significant reason for disabling JavaScript when browsing the
> >Internet is that it is a definite security hazard to the user if they
> >have JavaScript enabled.  There is a lot of malicious code on web
> >sites that uses JavaScript to infect the user's computer with
> >malicious code.

> is true only if the user's system is already compromised.
> --
> Ed Jay (remove 'M' to respond by email)