Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 8.  Internet Browser Technologies

8.2 Browser Technologies

Although Microsoft's Internet Explorer, as shown in Figure 8-1, dominates the Windows market, there are still dozens of browsers to choose from. Because the World Wide Web is based on open standards, most browsers work in similar ways and use the same technologies. The examples and lessons in the next few chapters refer to Internet Explorer, but can be applied to many existing browser programs.

Figure 8-1. Microsoft Internet Explorer 5.5

8.2.1 What Is a Browser?

A browser is a software application that requests web pages and information from a Hypertext Transfer Protocol (HTTP) server and interprets and displays the results. The information sent back from a web server contains display codes (called tags), pictures, graphics, scripting codes, hypertext links, audio files, and all the other supported forms of web content.

Browsers work by requesting information from a web server, often initiated by the user typing in the web site's address. A TCP/IP connection to the host is made over port number 80, which is assigned to the HTTP protocol (although any port number can be used if previously agreed upon). The web server accepts the connection. The client browser sends a GET request, which prompts the server to send back information. The response includes a stream of ASCII characters following the HTML formatting conventions and any binary components. After the response is sent, the server closes the connection. Each subsequent request for more information is treated as independent of the others, which is why HTTP is considered stateless. This fact becomes more important later on.

Browsers always have a configuration area where operational, display, and security issues can be configured. For Internet Explorer, those options are found at Tools → Internet Options. Almost all security settings can be found under the Security tab. This is where we'll spend most of our time in the next four chapters. Security, like all the other option types, will be different between browser versions.

8.2.1.1 Browser versions

New browser releases usually include strengthened security, faster surfing, and better user-friendliness. Updated versions are released so frequently that it can take effort to remember exactly which version of a browser you're using, especially if you have Internet Explorer. Finding out the browser's version number is as easy as choosing Help → About. When it comes to upgrades and security patches, it is important to know the actual version number of your browser. Table 8-1 shows the many different 32-bit versions of Internet Explorer.

Table 8-1. Various 32-bit Windows versions of Internet Explorer

Version number            Marketed product number
------------------------  ------------------------------------------------------------
4.40.308                  Internet Explorer 1.0 (Plus!)
4.40.520                  Internet Explorer 2.0
4.40.1381.1               Internet Explorer 2.0, NT 4.0, Proxy Server 1.0, VB 5.0, NT Service Packs 1-4.
4.70.1155                 Internet Explorer 3.0
4.70.1158                 Internet Explorer 3.0 (OSR2)
4.70.1215                 Internet Explorer 3.01
4.70.1300                 Internet Explorer 3.02
4.71.544                  Internet Explorer 4.0 PP1
4.71.1008.3               Internet Explorer 4.0 PP2
4.71.1712.6               Internet Explorer 4.0
4.72.2106.8               Internet Explorer 4.01, Win 95 OSR2.5
4.72.3110.8               Internet Explorer 4.01, SP1
4.72.3612.1713 or .1712   Internet Explorer 4.01 SP2
5.00.0518.10              Internet Explorer 5 Beta 1
5.00.0910.1309            Internet Explorer 5 Beta 2
5.00.2014.0216            Internet Explorer 5.0
5.00.2314.1000            Internet Explorer 5.0 (Office 2000 Developer Edition)
5.00.2314.1003            Internet Explorer 5a
5.00.2314.2100            Internet Explorer 5 (Refresh)
5.00.2614.3500            Internet Explorer 5.0 (Refresh 2)
5.00.2516.1900            Internet Explorer 5.0 (Windows 2000 Beta 3)
5.00.2929.800             Internet Explorer 5.0 (Windows 2000 Release Candidate 1)
5.00.2929.3800            Internet Explorer 5.0 (Windows 2000 Release Candidate 2)
5.00.2929.6307            Internet Explorer 5.01
5.50.3825.1300            Internet Explorer 5.5 Platform Review
5.50.4134.0600            Internet Explorer 5.5
5.50.4308.2900            Internet Explorer 5.5, Advanced Security Privacy Beta patch installed
5.50.4522.1800            Internet Explorer 5.5, SR1
6.00.2436.1               Internet Explorer 6.0 Beta 1

MSHTML.DLL is the main program file serving Internet Explorer. You can find it on your hard drive (usually located in %WINDIR%\SYSTEM), and reveal its properties. The version reported for this file will be the same as for Internet Explorer.

Microsoft's browsers have both 56-bit and 128-bit encryption versions, which will also be noted near the version number. If the Internet Explorer Administration Kit was used to distribute Internet Explorer, it will also contain the following letters:

IC    Internet Content Provider
IS    Internet Service Provider
CO    Corporate Administrator

When Microsoft releases a security patch, it will tell you which versions of the browser need the patch applied in order to be protected. Usually the security update will say something like, "Should be applied to Internet Explorer 5.5 versions beginning 5.5.3825 and above."

As this book goes to press, Microsoft has announced their latest release, version 6.0. Although it purportedly contains moderate security updates over versions 4 and 5, it is mainly focused on enhanced application and multimedia integration. Most of this book was written using Internet Explorer versions 5.0 and 5.5.

A browser is an interpreter. Each type of browser handles what it receives in the way it has been programmed. Much to the consternation of web programmers, no two browsers will display the content they receive in identical ways. One browser may show a web site background as stark white, and another will show it as gray. One browser may perfectly display the page, while another will have the text and graphics of the web site running off the page and screen. A computer's screen, video card, and resolution settings provide even more variables that can affect the display of a web page.

8.2.2 URLs

The Universal Resource Locator (URL) is the standard way of locating and identifying HTTP content across the Internet. A URL includes information about the protocol it is using, a colon, two forward slashes, the content's location (usually web server name and domain), and the object being requested. For example:

http://www.ora.com/news/archive

The first part of the URL indicates the protocol type. Although it is usually http, it can be one of many others, including ftp, news, file, and gopher. This allows the browser to perform other roles. In most of today's browsers, you can leave off the http part and the browser will automatically fill it in, along with the colon and two forward slashes.

The next part of the URL indicates the web server's name, which is usually www, but can be almost anything. The web server's fully qualified domain name follows and allows the browser to locate the web server across the Internet. In the background, the text domain name (for example, ora.com) is translated into its public TCP/IP network address (for example, 204.148.40.9) by domain naming servers (DNS). Lastly, the document or object the browser is requesting is typed. If no particular document or object is requested, the default object (often index.html) is returned. If the document contains references to other objects, they are downloaded as well.

8.2.2.1 Hiding malicious URLs

Avoiding some malicious Internet code is as simple as avoiding nonlegitimate sites. For the most part, surfing at well-known, commercial sites is a great way to prevent malicious code from attacking your browser. For example, if any of us were to see a URL called http://www.malicioushackers.com/formatlocalharddrive.htm, we would all probably avoid it. Unfortunately, malicious URLs don't go out of their way to warn us.

The creators of the Internet had to make URLs flexible enough to handle all the world's computers, including older-model computers and foreign languages. To be inclusive, a web site URL can be written many different ways -- a fact hackers and spammers use to their advantage. In the security world, hiding something by making it ambiguous is known as obscurification. There are several ways a link's true identity may be hidden.

First, a link may choose to use an IP address instead of its domain name. So, http://www.maliciouscode.com can be represented by its http://192.168.100.12 cousin, without revealing where the link is taking you. In fact, because it doesn't need to go through the domain-naming resolution process, it's faster.

The IP address above is in the typical dotted-decimal format that most web sites use, but IP addresses can also be formatted into their double-word decimal (base 10), octal (base 8), or hexadecimal (base 16) equivalents. Most browsers will recognize and accept most of these formats. Hence, the dotted-decimal address of 204.148.40.9 can be represented by its decimal double-word equivalent, 3432261641.

There are some other rules that allow exploitation. A web site may require a logon name and password for access. For convenience, URLs can include the logon name and password to allow seamless access. For example:

http://username:password@www.website.com/privatesite

Browsers assume that anything after the http:// and before the @ symbol is logon authentication information, and it will be passed to the web server as such. However, if a web server doesn't require authentication, it will discard most information after the http:// and before the @ symbol. Thus, a malicious web link may claim it is taking you to Microsoft's security web site to install the latest update, but instead redirect the browser to a hacker's web site where you accidentally download a more malicious program. For example, http://www.microsoft.com.security@www.ora.com will take you to O'Reilly's web site and has nothing to do with Microsoft.

Hexadecimal notation can be used to represent characters after the IP address. In order to use hexadecimal notation, a percent sign must be placed in front of each represented character. Thus, http://www.ora.com/news/archive can also be turned into http://www.ora.com/%6E%65%77%73/%61%72%63%68%69%76%65. The URL links listed in Table 8-2 will take you to the same web document.

Table 8-2. Examples of URL obscurification

URL naming convention             Example
--------------------------------  -----------------------------------
domain name                       http://www.ora.com
IP address (decimal-dotted)       http://204.148.40.9
IP address (double word decimal)  http://3432261641
IP address (octal)                http://0314.0224.050.11
Password example                  http://secure.site.com@www.ora.com
Hexadecimal notation              http://www.ora.com/%2e
Mixed example                     http://microsoft.com@3432261641/%2e

Hackers and spammers often send obscured web links to prevent the user from knowing ahead of time where they are being directed. Email viruses and Trojans commonly use overly complicated URLs to confuse the user into checking where the link goes. Beware of obscured URLs. If the link doesn't want you to know where it is taking your browser, it's a safe bet that you do not need to click on it.
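
The tricks described in this section can be undone mechanically before a link is shown to a user or written to a log. The following is an added example, not code from the book: the function names decode_host and analyze are hypothetical, and the numeric-host parsing assumes the classic inet_aton rules (a 0x prefix means hexadecimal, a leading 0 means octal, and the last component fills the remaining bytes).

```python
import ipaddress
from urllib.parse import urlsplit, unquote

def _part(p):
    """One address component, inet_aton style: 0x = hex, leading 0 = octal."""
    if not (p.isascii() and p.isalnum()):
        raise ValueError(p)
    p = p.lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    return int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10)

def decode_host(host):
    """Dotted-decimal IPv4 if host is a numeric address in any notation, else None."""
    parts = host.split(".")
    if len(parts) > 4:
        return None
    try:
        *head, last = [_part(p) for p in parts]
    except ValueError:
        return None  # a non-numeric label means an ordinary host name
    # Leading components are one byte each; the last fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last + sum(n << (8 * (3 - i)) for i, n in enumerate(head))
    return str(ipaddress.IPv4Address(value))

def analyze(url):
    """Return the real destination of a link plus the obscuring tricks it uses."""
    u = urlsplit(url)
    host, flags = u.hostname or "", []
    if u.username is not None:
        flags.append("userinfo")      # text before @ is credentials, not the site
    ip = decode_host(host)
    if ip:
        flags.append("raw-ip" if ip == host else "encoded-ip")
    path = unquote(u.path)
    if path != u.path:
        flags.append("hex-escapes")
    return {"host": ip or host, "path": path, "flags": flags}

if __name__ == "__main__":
    # Constructed samples built from the addresses used in this section.
    for link in ("http://www.microsoft.com.security@www.ora.com",
                 "http://microsoft.com@3432261641/%2e",
                 "http://0314.0224.050.011/%6E%65%77%73"):
        print(link, "->", analyze(link))
```

A mail filter or proxy can use the returned flags to warn on or rewrite any link whose displayed text does not match the decoded host.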

Malicious Mobile Code: Virus Protection for Windows (OReilly Computer Security)
ISBN: 156592682X
EAN: 2147483647
Year: 2001
Pages: 176