There appear to be several vulnerabilities in popular Web browsers such as Netscape Communicator and Microsoft Internet Explorer which permit hostile sites to perpetrate denial-of-service attacks upon the browser software. For some reason, the manufacturers do not seem to care about their products' vulnerability to this sort of computer crime.
Many of these DoS vulnerabilities involve infinite loops in JavaScript, a scripting environment implemented with few (if any) resource limitations on untrusted code. For instance, there is no limit on the number of windows a JavaScript script can open on your screen, meaning that a hostile page can spam you with windows which repeatedly open faster than you can close them.
A Web site can disable some of your navigation controls as well. Contextual menus are commonly disabled with a JavaScript-based exploit; even without JavaScript, the back button can be largely disabled with a quick series of refresh pages.
Many lesser-known Web browsers, such as iCab, permit you to restrict the powers of JavaScript and in other ways defend yourself against computer criminals masquerading as Webmasters. However, until the mainstream browsers catch up in security, most users will remain vulnerable to Web browser denial-of-service attacks.
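
The missing limit on window creation described above can be expressed as a small budget wrapped around `window.open`. This is an added example, not code from the original page or from any browser; `makeOpenGuard`, `simulateFlood`, the limits chosen and the fake window objects are assumptions constructed for illustration.

```javascript
// Added example: a per-page budget on window.open, the kind of resource
// limit the text says is missing. All names here are hypothetical.
function makeOpenGuard(realOpen, opts = {}) {
  const maxOpen = opts.maxOpen ?? 3;                 // concurrent windows allowed
  const minIntervalMs = opts.minIntervalMs ?? 1000;  // minimum spacing between opens
  const now = opts.now ?? (() => Date.now());        // injectable clock for testing
  let live = [];                                     // windows opened through the guard
  let lastOpen = -Infinity;
  const stats = { allowed: 0, denied: 0 };

  function guardedOpen(...args) {
    live = live.filter((w) => w && !w.closed);       // forget windows already closed
    const t = now();
    if (live.length >= maxOpen || t - lastOpen < minIntervalMs) {
      stats.denied += 1;
      return null;                                   // same signal as a blocked popup
    }
    const w = realOpen(...args);
    if (w) { live.push(w); lastOpen = t; stats.allowed += 1; }
    return w;
  }
  guardedOpen.stats = stats;
  return guardedOpen;
}

// Constructed simulation: repeated open() calls against a fake window
// factory, with a fake clock that advances 10 ms per call.
function simulateFlood(calls) {
  let clock = 0;
  const opened = [];
  const fakeOpen = () => { const w = { closed: false }; opened.push(w); return w; };
  const guarded = makeOpenGuard(fakeOpen,
    { maxOpen: 3, minIntervalMs: 1000, now: () => clock });
  for (let i = 0; i < calls; i++) { guarded("about:blank"); clock += 10; }
  return { opened: opened.length, ...guarded.stats };
}
```

With both limits in place the looping script gets three windows and every later call is refused until the user closes one, so windows can no longer appear faster than they can be dismissed.
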
Note: There has apparently been some confusion on this matter: A "denial-of-service attack" is any means by which the use of a service or resource can be cut off without the operator's permission. It does not have to be a flood attack. Flooding is merely one very common, very easy-to-perpetrate form of denial-of-service attack.