August 5, 2015 By Douglas Bonderud 2 min read

According to the IEEE Spectrum, JavaScript remains a popular scripting language for website effects, coming in at No. 8 of the top 10 most-used code languages in 2015. This popularity, along with big brother Java holding down the top spot, often leads to malicious actors leveraging .JS files as malware delivery systems or Trojan attack vectors. Now, a pair of JS threats — an obfuscated click-fraud downloader and the Rowhammer vulnerability — are being used to carry out remote operations on victim devices.

Behind the Curtain

As reported by Threatpost, a new flood of spam has been detected by the SANS Internet Storm Center (ISC). These messages carry a .JS attachment laden with obfuscating JavaScript code, which conceals a downloader. Once up and running, the downloader calls out to multiple domains looking to remotely leverage the Kovter or Miuref click-fraud malware. To convince users the message is genuine and of immediate importance, the messages often contain warnings about court appearances, delivery notices or E-ZPass toll charges.

Fortunately, the attack is relatively simplistic and shouldn’t be hard to counter because it’s not difficult for antispam programs to weed out .JS files in the same way they disallow messages containing .exe attachments. According to SANS ISC Handler and Security Researcher Brad Duncan, this new JavaScript attack is “another fairly futile attempt to spew more malware to the world’s inboxes.”

JavaScript’s Hammer Time

At the other end of the spectrum is the Rowhammer vulnerability, which could potentially be used to gain kernel privileges on multiple systems. According to SecurityWeek, the bug depends on a physical property of certain dynamic random-access memory (DRAM) chips. When placed close together in an effort to increase capacity by decreasing size, it’s possible for attackers to force electrical interactions between cells, in turn causing unwanted bit flips. Repeatedly accessing the same memory location, or hammering on a row of chips, can be used for targeted privilege escalation.

First discovered in March by a team of Google researchers, the flaw was fairly limited in scope since a successful attack required native code, special instructions and physical access to the target. Now, researchers from Austria and France have packaged Rowhammer into a .JS file that bypasses all of these requirements; in theory, it could now be launched against multiple users from a single compromised website.

In a research paper published last week, the team points out that while new JavaScript deployments are largely sandboxes and defend against the retrieval of virtual addresses, it is possible to determine parts of the physical address and prompt forced bit flips. Basic input/output system (BIOS) updates have started rolling out to defend against these attacks, but experts suggest that integrating these defenses into Web browsers may offer broader protection.

JavaScript is popular, and with popularity comes the risk of exploitation. New attack vectors focus on remote downloads and physical compromise, but well-tuned spam filters and updated BIOS keep users in control.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today