The Yahoo Mail worm exploited a JavaScript on-load function for HTML images, a function intended for Web applications to deliver a specific image-handling instruction to a browser. The on-load tag leaves space for 3 to 4 Kbytes of JavaScript to run in the browser. That's more than enough...

Three to 4 Kbytes of JavaScript is more than enough instructions to cause mayhem on a user's computer, according to Billy Hoffman, lead R&D researcher on the worm for SPI Dynamics, a security software firm.

The Yahoo Mail worm raided the user's address book on the server, downloaded it to the browser, composed a message, and then sent it to the addressees, using the blind carbon copy field in the address header so that the recipients couldn't see how a set of acquaintances was targeted with the same message at the same time.

It also captured and uploaded the addresses to a remote Web site, where it's likely they were intended for resale to spammers. Hoffman and other security experts think this may be a harbinger of things to come as Ajax proliferates.

Hoffman dissected the JavaScript behind the Yahoo Mail Yamanner worm to see what it did. One thing that never got reported was that, as a parting shot, it directed the user's computer to click on a bunch of ads on a Google site, a boon to Google since it collects revenue based on those clicks. As if Yahoo didn't have enough reason to be annoyed with this worm writer.

By design, there are hundreds of designated places where JavaScript may be inserted to perform certain functions on a Web page or in an e-mail message that's being read in a browser window, says Hoffman. That is, there are hundreds of places to include JavaScript, as set by World Wide Web Consortium published standards. Browsers are programmed to run JavaScript wherever they encounter it. They aren't programmed to ask, "Is this set of commands doing what I think it's supposed to do?"

Web application builders who want to employ Ajax or other forms of JavaScript are going to have to learn how to build in validation checks and restrictions that allow only the intended JavaScript functions to run, screening out imposters, says Hoffman.