Serious JavaScript flaw

This post was published 5 years 5 months 21 days ago. Therefore, it may well be out of date. Do not rely on the contents of this post being accurate.

Regular listeners of Steve Gibson’s Security Now podcast will be fully aware of this; however, it’s worth sharing for those who aren’t.

In episode 52 Steve and Leo discuss this new discovery made by SPI Labs. I really recommend you check out the podcast (or the transcript, or Leo’s page on TWiT.tv).

In summary, allowing your browser to execute JavaScript can be very dangerous. Stats show that circa 90% of all web users have this functionality turned on. This is great for safe sites, as client-side scripting allows for a more dynamic web experience. However, it also poses a risk — and a very serious risk as demonstrated by SPI Labs.

SPI Labs have a proof of concept showing that, while you are reading a web page, JavaScript code can be downloaded and executed by your web browser (full info). It can scan your entire home network, detect and determine your Linksys router model number, and then send commands to the router to turn on wireless networking and turn off all encryption (NB: the proof of concept doesn’t actually do this but shows that it could be done).

Very nasty indeed!!!

Useful links to avoid this potential risk:

Microsoft – how to add sites to your trusted zone
Firefox – NoScript plugin to allow executable content only for trusted domains of your choice, e.g. your home-banking web site.
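
The links above reduce the risk from the browser side. As an added example (not code from this post, SPI Labs or any router vendor), here is one way a device's web admin interface could refuse setting changes sent from another site's page; the host names, addresses and function names are assumptions.

```javascript
'use strict';
// Added example: origin checks for a device admin interface.
// ALLOWED_HOSTS and the sample requests are constructed values.
const ALLOWED_HOSTS = new Set(['192.168.1.1', 'router.home.example']);
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Lowercase hostname of an Origin/Referer value, or null if it is not a URL
// (this also covers the literal Origin value "null").
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Decide whether the admin UI should process a request.
// headers: lowercase names, as Node's http module delivers them.
// Assumption: the UI changes settings only via POST/PUT/PATCH/DELETE.
function checkAdminRequest(method, headers) {
  // The Host header must be a name the device actually answers to.
  const host = String(headers.host || '').toLowerCase().replace(/:\d+$/, '');
  if (!ALLOWED_HOSTS.has(host)) return { allow: false, reason: 'unexpected Host' };

  if (!STATE_CHANGING.has(method.toUpperCase())) {
    return { allow: true, reason: 'read-only method' };
  }
  // A settings change must come from one of the UI's own pages.
  const source = headers.origin || headers.referer;
  if (!source) return { allow: false, reason: 'no Origin or Referer' };
  const sourceHost = hostOf(source);
  if (sourceHost === null || !ALLOWED_HOSTS.has(sourceHost)) {
    return { allow: false, reason: 'cross-site source' };
  }
  return { allow: true, reason: 'same-site source' };
}

// Constructed sample requests.
const samples = [
  ['POST', { host: '192.168.1.1', origin: 'http://192.168.1.1' }],
  ['POST', { host: '192.168.1.1', origin: 'http://news.example' }],
  ['POST', { host: '192.168.1.1' }],
  ['GET', { host: 'news.example' }],
];
for (const [method, headers] of samples) {
  const r = checkAdminRequest(method, headers);
  console.log(method, JSON.stringify(headers), '->', r.allow ? 'allow' : 'deny', `(${r.reason})`);
}
```

A check like this complements, and does not replace, requiring authentication on the admin interface.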
