The makers of popular Web-based applications usually keep sites dedicated specifically to keeping track of security issues. Whenever a new threat is exposed, you can usually read about it here:
■ Microsoft Security Site www.microsoft.com/security
■ Netscape Security Center www.netscape.com/security
Summary
Mobile code is a great thing for adding powerful features and content, but it has its drawbacks. E-mail goes directly to a specific address, so with these methods, a hacker can target a single organization or even a single person. The types of mobile code discussed in this chapter all have had some thought put into making them secure, but the technology is so complex that security holes have been found in every one. Even greater risks are introduced when two or more types of mobile code are allowed to interact with each other. Individually, they might be fairly safe, but when working in cooperation, they can cause loopholes in the security. VBScript and ActiveX are especially scary when they are used together, but new additions to Microsoft’s e-mail clients are addressing these issues.
The threats diminish as the products become more mature and as possible vulnerabilities are patched; however, end users’ confidence should always, for their own sake, remain somewhat on the cautious side. There are users who will ignore the options given them for enabling security alerts or methods that disable suspicious code, but this is nothing to fall back on. Administrators face tremendous risks when knowingly working with Office documents that have macros, downloading software, configuring their browser and Web server, and when setting policies that restrict workers’ flexibility. It is not easy for administrators and end users to protect themselves from mobile code, even with firewalls and virus protection. They may elect to neutralize or disable all macros, Java, JavaScript, VBScript, and ActiveX controls.
To gain the confidence of your end user in your code and in your company, and for users to enjoy the benefits of the features you want to offer them, you must understand and then transcend the obstacle of trust; security measures such as authentication certificates rely purely on the users’ discretion and their sense of trust. If your code is not signed, does not have a valid certificate, or is not marked safe for scripting, it may be denied or even crash the user’s browser.
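The "safe for scripting" mark mentioned above is, in practice, a component category a control registers on itself; the following PowerShell audit script is an added example (not from the book) that lists which registered controls on a Windows machine carry that mark, assuming the standard CATID_SafeForScripting and CATID_SafeForInitializing category GUIDs.

```powershell
# Added example (not from the book): list COM classes whose registration declares
# them "safe for scripting" and/or "safe for initializing". These are the controls a
# browser may instantiate from script without any further prompt, so an administrator
# auditing mobile-code exposure wants to know which ones are present.
# Assumption: the well-known component category GUIDs below.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

function Get-ScriptSafeControls {
    $clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    foreach ($clsid in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
        # Categories are registered as subkeys named by GUID under "Implemented Categories".
        $catPath = "$($clsid.PSPath)\Implemented Categories"
        if (-not (Test-Path -Path $catPath)) { continue }
        $cats = (Get-ChildItem -Path $catPath -ErrorAction SilentlyContinue).PSChildName
        if ($cats -notcontains $SafeForScripting) { continue }

        # Resolve the DLL/OCX that implements the control, if it is an in-process server.
        $server = (Get-ItemProperty -Path "$($clsid.PSPath)\InprocServer32" `
                   -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            CLSID       = $clsid.PSChildName
            Name        = (Get-ItemProperty -Path $clsid.PSPath -ErrorAction SilentlyContinue).'(default)'
            Server      = $server
            SafeForInit = [bool]($cats -contains $SafeForInitializing)
        }
    }
}

# Note: a control can also answer IObjectSafety at run time instead of registering the
# category, so this registry view is a lower bound, not a complete inventory.
Get-ScriptSafeControls | Sort-Object Name | Format-Table -AutoSize
```

Controls that appear here but are unfamiliar, unsigned, or no longer needed are the natural candidates for removal or for being blocked by browser policy.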
Solutions Fast Track
Recognizing the Impact of Mobile Code Attacks
■ Browser attacks can occur by visiting Web pages. As soon as an HTML Web page appears, the mobile code will automatically begin executing on the client system.
■ Mail client attacks occur when a piece of e-mail is sent using HTML-formatted messages. Once the message is opened or viewed in the preview window, it will begin executing.
■ Documents can contain small pieces of code called macros that may execute when a document is opened. This code has the power to be damaging, since it has access to many system resources.
Identifying Common Forms of Mobile Code
■ VBScript and Microsoft JScript allow interaction with ActiveX controls, which can cause security problems if the ActiveX control allows access to restricted system resources.
■ The ActiveX security mechanism contains unsafe code only by asking users whether they wish to allow the ActiveX control to be installed.
■ Java applets are the safest type of mobile code. To date, there have been no serious security breaches due to Java applets.
■ The greatest threat from e-mail attachments is Trojan programs that claim they do one thing, when in fact, they do something malicious.
Protecting Your System from Mobile Code Attacks
■ There are two approaches to protecting against security threats. One is to use knowledge and technical skill to manually protect user systems. The second is to use security applications designed specifically to automatically deter security threats.
■ Different types of security applications include virus scanners, Back Orifice detectors, firewall software, Web-based tools, and client security updates.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the
Q: Why wouldn’t a user trust my plug-in or ActiveX program, if there have been so few malicious mobile code programs?
A: Hackers could create more malicious programs if they chose to. Most good security guidelines encourage caution because, really, there’s no way for a user to be 100-percent sure that your program is not going to be flawed or compromised in some way, even if it was meant to be secure.
Q: Will a user perceive Java to be more secure than ActiveX?
A: It depends on the user’s risk level and awareness. ActiveX relies on a person’s judgment as to whether he or she decides to accept the program based on the digital signature. With Java, the user is trusting that the security of the sandbox technology has not broken down.
Q: What is the difference between JScript and JavaScript?
A: JScript is Microsoft’s version of JavaScript. The main difference between JScript and JavaScript is that JScript can interact with Microsoft ActiveX components the same way VBScript does.
Q: Can a user uninstall my ActiveX control?
A: ActiveX controls must have an uninstall feature (a user would go to Start | Settings | Control Panel | Add/Remove Programs). Some, such as Shockwave, appear in the Windows directory under “Downloaded program files” and would be right-clicked to be removed. Otherwise, there is no formal way to remove most ActiveX controls.