It's not your computer anymore

If someone can execute code on your computer, it's not your computer anymore. This principle was front-of-mind when Netscape first developed the JavaScript language for Navigator.

Having arbitrary Web sites execute code - even inside the restricted environment of a Web browser - is a security risk. To solve this, the team decided that only executable code from the same domain and using the same protocol would be allowed to run inside its browser.

Cross site scripting (XSS) attacks subvert this principle in a number of ways to steal personal information or fool a user into visiting a malicious site. In the latest high-profile attack, security experts at MicroWorld Technologies announced that a Worm named "Win32.Ofigel" is spreading in large numbers among the 70 million strong user-base of Myspace.com.

When a member of the community views an infected profile, a QuickTime movie carrying the Ofigel Worm is played, which exploits an XSS vulnerability in the network using a JavaScript. The worm then replaces the user's MySpace menu with a fraudulent one and the menu items redirect the user to a fraudulent Web site identical to MySpace, where the username and password of the victim are captured.

The worm then replaces the user's MySpace menu with a fraudulent one and the menu items redirect the user to a fraudulent Web site identical to MySpace.

Paul Furber, senior group writer, ITWeb

Then the worm logs onto certain Web sites to download the malicious QuickTime movie and adds it to the user's profile. When a new user, (mostly the victim's contacts) watches the movie, his or her computer gets infected and the chain goes on.

The main reason for this hole is that MySpace allows its users to upload JavaScript code. To see why arbitrary code execution is a bad idea, visit here and enjoy the sight of the BBC's Web site, apparently reporting in all seriousness on President Bush's appointment of a nine-year old boy to the Information Security Department of the US. The secret's in the URL: that BBC site allows the execution of a script from an arbitrary source which is of course a bad thing.

Microsoft has reported a vulnerability affecting Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v.X for Mac, as well as Microsoft Works 2004, 2005, and 2006 which allows a limited form of attack.

"In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker. As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources," says the advisory.

That last cautionary is important. It's easy to zap unknown documents from strangers but not quite so easy to discard a document from your boss.

Thanks to Microsoft TechNet and The Register for the heads-up.