The Motley Fool Discussion Boards


Computers, Phones & Internet / Help with this STUPID computer!

URL:  http://boards.fool.com/i-guess-thats-a-part-i-dont-understand-i-can-30298045.aspx

Subject:  Re: Yet another Java flaw Date:  10/3/2012  4:19 PM
Author:  mmrmnhrm Number:  182047 of 188763

I guess that's a part I don't understand. I can see how running some program on your own computer (whether it's Office or a game or Java) can create a threat to your computer. But how does running a program on a server cause a threat to you when browsing the web?

Initially, it doesn't cause a threat. Let's say the server is running what's called a LAMP stack (short for Linux-Apache-MySQL-PHP), and the admins haven't been very diligent with security patches. On day zero, everything is all fine and dandy, the world is pure and clean, and everything is great. Then on day one, Bad People come and exploit a month-old vulnerability in PHP, where it passes invalid arguments to MySQL that cause a buffer overflow and remote code execution bug in Apache, the end result of which is gaining root (superuser) rights to the Linux host. When you're "root" you can do *anything* and the machine will follow you right off the volcano's edge and into the bubbling pool of magma below if you so order it.

So these Bad People decide that rather than just throw a bunch of graffiti on the websites (which, while great for grabbing attention, is counter-productive to their goal of creating a botnet BECAUSE it gets attention), they write a tiny little snippet of JavaScript which embeds itself into the body of every HTML file served, and does nothing more than say "Powered by LAMP." Because JS is such an integral part of the web these days, and since every browser has support for it built-in, even the site admins don't think anything is amiss... it's just there, silently advertising to the Bad People that whatever backdoor they installed is still there. Now a month or two goes by, and the bad guys move to phase two: taking advantage of their mark's laziness and complacency to begin installing virii/trojans/whatnot on their visitors' machines. What had been a server-side vulnerability just became the end-user's nightmare.

SJK: Yes, incompatibilities existed, and I'm sure you're very proud of being an old graybeard, but I'm not going to get into a forest-for-the-trees argument with you. Nor am I going to get into arguments about interpreters versus virtual machines versus sandboxes versus your need to swoop in here and puff yourself up. Go troll RMS, he likes that sort of thing.
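The "silent beacon" stage described above is exactly what a site operator can catch with a content-integrity check: pull the pages your server is actually serving and flag any inline script whose hash is not in a known-good baseline, or any external script source not on an allowlist. The script below is an added illustration, not part of mmrmnhrm's post; the two sample pages, the allowlisted source prefixes and the 203.0.113.7 address are all constructed for the example.

```python
"""Flag <script> blocks in served HTML that are not on a known-good baseline.

Added example (not from the original post). KNOWN_GOOD_PAGE, SUSPECT_PAGE and
ALLOWED_SRC_PREFIXES are constructed sample data; the injected "Powered by LAMP"
snippet mirrors the beacon the post describes.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and external script src values."""

    def __init__(self):
        super().__init__()
        self.in_inline_script = False
        self.inline = []      # bodies of <script>...</script> with no src
        self.external = []    # src attribute of <script src=...>
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag names
            attrs = dict(attrs)
            if attrs.get("src"):
                self.external.append(attrs["src"])
            else:
                self.in_inline_script = True
                self._buf = []

    def handle_data(self, data):
        # Script content arrives via handle_data (CDATA mode), possibly in pieces.
        if self.in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self.in_inline_script:
            self.in_inline_script = False
            self.inline.append("".join(self._buf).strip())


def collect_scripts(html):
    c = ScriptCollector()
    c.feed(html)
    c.close()
    return c.inline, c.external


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def baseline_hashes(known_good_html):
    """Hashes of every inline script in a page you trust (e.g. from source control)."""
    inline, _ = collect_scripts(known_good_html)
    return {sha256_hex(body) for body in inline}


def audit_page(html, allowed_inline_hashes, allowed_src_prefixes):
    """Return (kind, detail) findings for scripts not matching the baseline."""
    inline, external = collect_scripts(html)
    findings = []
    for body in inline:
        if sha256_hex(body) not in allowed_inline_hashes:
            findings.append(("inline-script", body[:60]))
    for src in external:
        if not any(src.startswith(p) for p in allowed_src_prefixes):
            findings.append(("external-script", src))
    return findings


# Constructed sample data: a clean page and the same page after a beacon was injected.
KNOWN_GOOD_PAGE = (
    '<html><head><script>window.analytics = {site: "shop"};</script>'
    '<script src="/static/app.js"></script></head><body>Hello</body></html>'
)
SUSPECT_PAGE = (
    '<html><head><script>window.analytics = {site: "shop"};</script>'
    '<script src="/static/app.js"></script></head><body>Hello'
    '<script>document.write("Powered by LAMP");</script>'
    '<script src="http://203.0.113.7/x.js"></script></body></html>'
)
ALLOWED_SRC_PREFIXES = ("/static/", "https://cdn.example.com/")


def run_demo():
    allowed = baseline_hashes(KNOWN_GOOD_PAGE)
    return audit_page(SUSPECT_PAGE, allowed, ALLOWED_SRC_PREFIXES)


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(f"{kind}: {detail}")
```

Run from cron against a few representative URLs and the "Powered by LAMP" snippet shows up as an unexpected inline script the same day it appears, rather than a month later when visitors start complaining. Hashing inline bodies (instead of grepping for one known string) means any injected snippet is flagged, not just this one.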