Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 8. Internet Browser Technologies

8.1 Introduction

I'll start with this sentence: no PC with an Internet-connected browser can be considered secure. No matter how well you think you have locked down a PC with an Internet browser, the software is too complex to close every hole. If a PC under your control needs absolute security, remove the browser. If that isn't the answer you were looking for, read on.

Yes, a computer can be compromised simply by surfing the Net. By default, when a web page is accessed, all of the content the browser allows is downloaded, scripted, launched and, where appropriate, executed. A rogue programmer has a whole arsenal of tools that can turn an innocent-looking web link into something malicious. Malicious code can reach a PC through a browser by way of the following technologies:

  • HTML

  • Scripting languages

  • Java

  • ActiveX

  • Browser add-ons

As the underlying language of the World Wide Web, HTML and its related scripting languages are widely exploited. Although pure HTML viruses have not given security experts great reason for alarm, there are several ways HTML can be used maliciously to manipulate local computer resources. Scripting languages such as JavaScript and VBScript are the largest threat to any PC with a browser, but turn them off and much of the Web refuses to function. The malicious uses of these technologies are explored in this chapter. Java applets and ActiveX controls are also a large security risk and are given separate treatment in Chapters 10 and 11. Browser add-ons and plug-ins add still more risk and are covered more thoroughly in Chapter 10.

Rarely does a week go by without at least one Internet browser exploit being reported in the media. The Internet Explorer cross-frame exploit is an example. A browser can be connected to two or more different web sites at the same time, each in its own window or frame. In theory each session has its own security context (the browser's same-origin policy) and cannot read or script the others. Exploit after exploit has broken the boundary between two browser sessions. Because the browser is now heavily integrated with the desktop, the local file system can be treated as yet another session, and a malicious web site that crosses the boundary can read local files. Just as bad, a cross-frame exploit can be used to record information typed into a sensitive session, such as online banking.

Even the web sites you would expect to have the highest security -- banks, hospitals, and government sites -- are broken into fairly easily. Dan Farmer, a widely recognized Internet security consultant, said this in a statement to Congress in 1996:

I examined banks, government systems, newspapers, other very highly visible (web sites)...and found that using the most simple tests, not even trying to break in at all, I can easily compromise about two-thirds of the systems. I am talking about things like the White House Web Site and so forth...If the CIA cannot protect its own resources, how can you expect a business to do this with orders of magnitude less resources and such?

And things haven't changed that much since then. Several magazines publicize test web sites and invite hackers to attack. The web sites have the best security money can buy, in terms of expertise, equipment, and software. All have been successfully compromised in days. The World Wide Web is a brave new world, and few really understand how to secure it.

E-banking is one of the fastest growing uses of the Internet, and the world's banks are rushing to provide their customers 24/7 access. You might think that banks doing business across the Internet would have the very best security. Neither answer I could give would make people feel better. Yes, it is true that e-banks have some of the world's best security, but they are still routinely broken into. Online banks, including BankOne, First Virginia Bank, Swiss UBS, HSBC, and the United Kingdom's Barclays, have all suffered hacks and exposed financial information in the year 2000.

Some supposedly heavily protected commercial sites have had weaknesses that allowed anyone to reveal other people's financial information. It has even been done almost accidentally. In more than a few cases, a non-malicious web surfer noticed during their own online session that their account number appeared in the web site's URL while they were viewing their own information. Curious, they changed the account number and found that they had been given unlimited access to other users' information. All that was needed was to guess other people's account numbers. This is a server-side authorization failure: the site trusted the identifier supplied in the URL instead of checking it against the logged-in user. In a handful of cases, hackers have downloaded credit card information for all the users of a particular web site and then demanded a ransom to give the information back.
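The account-number-in-the-URL flaw described above, as an added example that is not from the book: a constructed Node.js request handler that serves whatever account the URL names, beside a hardened version that only honours the account if the authenticated session owns it. The URL scheme, account numbers, session tokens, the account store and the `enumerate` helper are all assumptions made up for this example.

```javascript
// Added example (not from the book): insecure direct object reference of the
// kind the chapter describes, in a vulnerable and a hardened form.
// All accounts, sessions and URLs below are constructed for illustration.

// Constructed account store: account number -> owner and balance.
const ACCOUNTS = new Map([
  ["10001", { owner: "alice", balance: 2500 }],
  ["10002", { owner: "bob", balance: 8700 }],
]);

// Constructed sessions: session token -> authenticated username.
const SESSIONS = new Map([
  ["sess-alice", "alice"],
  ["sess-bob", "bob"],
]);

// Pull the account number out of a request path such as
// "/statement?acct=10002" (hypothetical URL scheme assumed for the example).
function accountFromPath(path) {
  const url = new URL(path, "https://bank.example");
  return url.searchParams.get("acct");
}

// Vulnerable handler: the account number in the URL is trusted as-is, so
// editing it in the address bar returns someone else's statement.
function vulnerableStatement(req) {
  const acct = accountFromPath(req.path);
  const record = ACCOUNTS.get(acct);
  if (!record) return { status: 404 };
  return { status: 200, body: { account: acct, balance: record.balance } };
}

// Hardened handler: the session, not the URL, decides whose data may be read.
// The account number still comes from the URL, but it is only honoured when
// the authenticated user owns it. Unknown and foreign accounts both get the
// same 403, so an attacker cannot confirm valid numbers by probing.
function hardenedStatement(req) {
  const user = SESSIONS.get(req.sessionToken);
  if (!user) return { status: 401 };
  const acct = accountFromPath(req.path);
  const record = ACCOUNTS.get(acct);
  if (!record || record.owner !== user) return { status: 403 };
  return { status: 200, body: { account: acct, balance: record.balance } };
}

// What the curious surfer did: walk a range of nearby account numbers with a
// single valid session and count how many statements come back.
function enumerate(handler, sessionToken, from, to) {
  let hits = 0;
  for (let n = from; n <= to; n++) {
    const res = handler({ sessionToken, path: `/statement?acct=${n}` });
    if (res.status === 200) hits++;
  }
  return hits;
}

// Alice, logged in, changes the account number in her own statement URL.
const probe = { sessionToken: "sess-alice", path: "/statement?acct=10002" };
console.log("vulnerable:", JSON.stringify(vulnerableStatement(probe)));
console.log("hardened:  ", JSON.stringify(hardenedStatement(probe)));
console.log("accounts readable by alice, vulnerable:",
  enumerate(vulnerableStatement, "sess-alice", 10000, 10010));
console.log("accounts readable by alice, hardened:  ",
  enumerate(hardenedStatement, "sess-alice", 10000, 10010));
```

Note that the hardened handler does not stop a user from reading their own data, and it deliberately returns the same status for "no such account" and "not your account"; the sequential account numbers are what make the enumeration cheap, so issuing unguessable identifiers is a worthwhile second layer, but the ownership check is the fix.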

One of the biggest current business trends in Internet usage is the use of application service providers (ASPs). These are companies that offer extensive, and otherwise expensive, software to small and medium-sized companies on a rental or lease basis. They can do this because the customer's data and software are hosted on the vendor's web site and accessed with a local browser. Security should be a key concern for any business using such hosted services.

Recently, a hacker revealed that a large ASP accounting web site had three common web vulnerabilities that made customer data particularly easy to steal. Attackers could log in, modify victims' accounts, view sensitive financial information, and even deny legitimate users access to their own information. Worse yet, when the site's weaknesses were publicly revealed, company officials said two of the flaws were known and had been accepted as a cost of doing business so as not to inconvenience users of older browsers. While some of the attacks summarized above might seem like weaknesses of the web server (and they are), the holes exist because of the way Internet browsers work.


Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security), ISBN 156592682X, 2001, 176 pages.