Top experts warn of serious new Web surfing risk

Wednesday, February 2nd 2000, 12:00 am

By: News On 6


WASHINGTON (AP) -- The nation's top computer experts warned Internet users Wednesday about a serious new security threat that allows hackers to launch malicious programs on a victim's computer or capture information a person volunteers on a Web site, such as credit card numbers.

The threat, dubbed "cross-site scripting," involves dangerous computer code that can be hidden within innocuous-looking links to popular Internet sites. The links can be e-mailed to victims or published to online discussion groups and Web pages.

The vulnerability was especially unusual because it is not limited to software from any particular company. Any Web browser on any computer visiting a complex Web site is at risk.

No one apparently has been victimized yet. But the risks were described as potentially so serious, and as affecting such a breadth of even the largest, most successful Web sites, that the industry's leading security group said nothing consumers can do will completely protect them.

Only a massive effort by Web site designers can eliminate the threat, according to the CERT Coordination Center of Carnegie Mellon University and others. Software engineers at CERT issued the warning Wednesday together with the FBI and the Defense Department.

The problem, discovered weeks ago but publicly disclosed Wednesday, occurs when complex Internet sites fail to verify that hidden software code sent from a consumer's browser is safe.

Experts looking at how often such filtering occurred found that Internet sites failing to perform that important safety check were "the rule rather than the exception," said Scott Culp, the top security program manager at Microsoft.

"Any information that I type into a form, what pages I visit on that site, anything that happens in that session can be sent to a third party, and it can be done transparently," Culp warned. He added: "You do have to click on a link or follow a link in order for this to happen."

The dangerous code also can alter information displayed in a consumer's Web browser, such as account balances or stock prices at financial sites. And it can capture and quietly forward to others a Web site's "cookie," a small snippet of data that could help hackers impersonate a consumer on some Internet pages.

"It really goes across a huge number of sites," said Marc Slemko, a Canadian software expert who studied the problem. Slemko said Internet-wide repairs will be "a very, very major undertaking."

In the interim, experts strongly cautioned Internet users against clicking on Web links from untrusted sources, such as unsolicited e-mail or messages sent to discussion forums.

They also recommended that consumers at least consider preventing their Web browser software from launching small programs, called scripts. But they acknowledged that many Internet sites require that function to operate.

"A large number of sites simply aren't usable" without those functions, Slemko said.

Microsoft said it planned to publish full details and step-by-step instructions for consumers at its Web site, www.microsoft.com/security.
