8.4 Other Browser Technologies

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 8.  Internet Browser Technologies

The popularity of the Internet browser has made it a catch-all for all sorts of programs and functionalities. It is this programmatically interwoven, complex piece of software that opens up new avenues of exploitation that hackers dream about. Here, other vulnerable browser technologies are discussed. Most have already been exploited. Specific examples are shared in Chapter 9.

8.4.1 Cascading Style Sheets

While simple tags can add modest changes in text appearance (e.g., bold, italic, flashing, etc.), Cascading Style Sheets add larger formatting attributes like fonts, colors, and spacing. A single style sheet can define enough attributes to make the web site look like a newspaper, which would otherwise require a lot of separate formatting tags. With style sheets, the format can be defined once and called on demand with a single tag. Style sheets usually have the file extension .CSS. Style sheets have been available since Internet Explorer 3.0 with varying levels of compatibility. Style sheets are becoming more prevalent in web page design and are often used to hide malicious coding. Several exploits, normally detected by other means, have been able to hide in the style sheet section of a web page and escape detection.

8.4.2 Privacy Issues

A big question people always want answered is how much personal information a web site can learn about them just from a visit. Web sites have four ways of collecting information:

  • General information from browser

  • User-inputted forms

  • Tracking techniques

  • Cookies

Browsers will release a predefined amount of information in response to browser requests. That information includes the browser type, version, operating system, IP address, referring page, etc. A web page cannot request and receive your email address or other personal information through your browser without asking you directly in a form. Web sites will often ask users to enter personal information using an HTML form. Any information typed in a form and submitted to a web site can be stored, used, or sold.

A new trend in collecting more information about a user involves including code within a web page that, while active in memory, can track where you travel while you surf. WWW rules allow a web site to learn where you came from before their web site (referring site) and also to learn where you went after you left a web site. It is the latter ability that is beginning to be exploited without many users' knowledge. If you download and run any application helper, it can track every web site you visit and what information you requested or sent. This will be covered more in Chapter 9. Cookies are covered in the next section.

The information collected by any of these methods can be stored on a web-server database to be used internally by the web site, or can even be sold to third-party companies. For example, you can type in your personal information, including a credit card number, to purchase a toy from a web site. They can legally sell that information to any other company they choose, including to pornographic web sites and spammers. As you can imagine, this has caused concerns among many privacy groups.

Internet Explorer 6.0 contains an open standards feature called Platform for Privacy Preferences (P3P), which increases the choices consumers will have to protect their privacy from online companies. See http://www.w3.org/P3P for more details.

8.4.3 Cookies

Cookies are text files created by a web site (stored in %WINDIR%\Cookies or under a profile directory) and stored on the local hard drive to help remember information about your visit. A record of each cookie created is stored in a file (called INDEX.DAT in Internet Explorer). The inherent nature of the web is that each page requested from a web server is treated as a separate event. Thus, as a user browses around on a web site, the HTTP web server (without cookies) isn't smart enough to make logical adjustments in what it is presenting you, or remember preferences you have set. Figure 8-3 shows some cookie files saved in C:\Windows\Cookies.

Figure 8-3. Contents of C:\Windows\Cookies

Cookies can be persistent (retained from visit to visit) or only valid for as long as the current browser session is opened (called a session cookie). First-party cookies are cookies generated and evaluated by the current web site. Third-party cookies are created by a web site for another site's use. For instance, a third-party cookie can be created by an advertising company and accessed each time a user accesses a web site using the ad company's banners. A counter can then be kept about where the user visited, what ads were viewed, and a profile about the user's web surfing history built. Third-party cookies are more of a concern to privacy advocates than the first-party type.

Before I make all cookies sound criminal, most cookies have a legitimate reason and make our web surfing life easier. For example, you might be visiting an online store that sells blue jeans. You put in your pants measurements and the web site remembers those settings at checkout time (or even for a later visit). Without a cookie, you might be forced to reenter your waist and inseam measurements for every purchase. When I visit the online bookseller, Amazon, it recognizes me and presents books on computers in which I might be interested. All of this is done through the use of cookies.

A typical cookie stores only a small amount of information about you (typically much less than 1KB) on the local hard drive. Often the first piece of information stored is a user ID or some other identifying number that can be used to quickly identify you when you visit the web site. The web site can have a large database that records your every move and mouse click. When you visit the web site, it queries your web browser to see if you already have one of its cookies. If so, it is read and your unique identifier number is used to synchronize your visit with the site's database.
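The distinctions above (session versus persistent, first-party versus third-party, and an identifier reused across sites) can be checked mechanically when auditing what a browser was sent. The following is an added example, not code from the book; the hosts, cookie values, and the two-label definition of a "site" are constructed assumptions.

```javascript
// Constructed sample: responses seen while loading two pages (not real traffic).
const observed = [
  { page: "shop.example", host: "shop.example", setCookie: "cart=17; Path=/" },
  { page: "shop.example", host: "ads.tracker.example", setCookie: "uid=ab12; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/" },
  { page: "news.example", host: "ads.tracker.example", setCookie: "uid=ab12; Max-Age=31536000" },
  { page: "news.example", host: "www.news.example", setCookie: "prefs=dark; Max-Age=86400" },
];

// Assumption: a "site" is the last two labels of the host name.
// Real browsers consult the Public Suffix List for this decision.
const siteOf = (host) => host.toLowerCase().split(".").slice(-2).join(".");

function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "max-age") maxAge = Number(val);
    if (key === "expires") expires = Date.parse(val);
  }
  // Max-Age wins over Expires when both are present (RFC 6265); a non-positive
  // Max-Age or a past Expires means the cookie is not kept on disk.
  const persists = maxAge !== null ? maxAge > 0 : expires !== null && expires > now;
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), lifetime: persists ? "persistent" : "session" };
}

function classify(rec, now) {
  const party = siteOf(rec.host) === siteOf(rec.page) ? "first" : "third";
  return { ...parseSetCookie(rec.setCookie, now), party, setBy: rec.host, seenOn: siteOf(rec.page) };
}

// Report third-party persistent cookies whose same value appears on more than
// one site: the pattern that lets an ad server link visits into a profile.
function crossSiteIdentifiers(records, now) {
  const seen = new Map();
  for (const c of records.map((r) => classify(r, now))) {
    if (c.party !== "third" || c.lifetime !== "persistent") continue;
    const key = `${c.setBy}|${c.name}=${c.value}`;
    if (!seen.has(key)) seen.set(key, new Set());
    seen.get(key).add(c.seenOn);
  }
  return [...seen]
    .filter(([, sites]) => sites.size > 1)
    .map(([key, sites]) => ({ key, sites: [...sites].sort() }));
}
```

Calling crossSiteIdentifiers(observed, Date.now()) on the sample reports the single uid cookie set by the ad host on both sites.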

By their very nature, cookies aren't overly large threats to anyone's system. They are limited in what they can learn about you, without asking. When the knowledge of cookies became widespread, people feared that web sites were searching their hard drives, reading their bank account information, and recording their every computer move. There are ways of doing that, but cookies aren't especially adept at doing this. As we will learn in Chapter 9, there have been a few cookie-based exploits. Microsoft has released a security patch to minimize damage. Most browsers allow you to turn off the acceptance of cookies altogether, but their use is so widespread on the Internet that many web sites will not function without them.

8.4.4 History

Every web site you visit is stored in a browser history file so that you can choose the browser's History button and find a previously visited web site. Internet Explorer stores history in INDEX.DAT, located in the hidden directory %WINDIR%\History\History.IE5 or %WINDIR%\Profiles\[user]\History\History.IE5. If a remote exploit was able to download a user's history file, the attacker could learn where the user went, and possibly log on to protected web sites with the information. As we know, URLs of commercial sites often contain customer-specific information.
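To see how much a history file would give away, a defender can audit exported history URLs for embedded credentials and customer-specific parameters. This is an added example, not code from the book; the URL list is constructed and the list of sensitive parameter names is an assumption to adapt.

```javascript
// Parameter names treated as sensitive (assumed, illustrative list).
const SENSITIVE = /^(pass(word|wd)?|pwd|token|auth|sid|session(id)?|cust(omer)?(_?id)?|account|card(no|number)?)$/i;

// Constructed sample of exported history entries.
const historyUrls = [
  "http://www.example.com/catalog/jeans?size=32",
  "https://shop.example/account/orders?custid=448812&sessionid=9f3a77c1d2",
  "ftp://alice:s3cret@files.example/reports/",
  "https://bank.example/login?user=alice&password=hunter2",
  "not a url",
];

// Returns one record per URL that exposes something, naming the host and the
// kind of exposure. Secret values are deliberately left out of the report.
function auditHistory(urls) {
  const report = [];
  for (const raw of urls) {
    let url;
    try { url = new URL(raw); } catch { continue; } // skip malformed entries
    const findings = [];
    if (url.username || url.password) findings.push("credentials-in-url");
    for (const name of url.searchParams.keys()) {
      if (SENSITIVE.test(name)) findings.push(`sensitive-parameter:${name}`);
    }
    if (findings.length) report.push({ host: url.host, findings });
  }
  return report;
}
```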

8.4.5 Frames

Frames allow a web site to display its current view in two or more rectangular windows. Each frame can act independently of the others by displaying completely different documents (and web sites) and attributes, or simply pointing to a different part of the same document. Each frame has its own attributes. Hackers and malicious coders have been able to exploit the existence of frames with potentially serious consequences, as we will see in Chapter 9.

8.4.6 File and Password Caching

Most modern browsers use local file and memory caches to improve performance. As a page or file is downloaded from the Web, it and all of its objects are temporarily stored on the local hard drive. If needed again, the page can be loaded quickly without downloading again over the Internet. Browsers will often download and store content in a temporary cache folder even if the content doesn't have the authority to execute.

With Internet Explorer, as the HTML content is stored to the cache, each file or component is given a random name and tagged with a Globally Unique Identifier (GUID). An internal table is used to track what cached file corresponds to what named file within a web page. If the cached file is needed again, the browser (or email client) requests the file and it is located via its GUID. You can access a very limited set of cache settings in Internet Explorer with Tools → Internet Options → General tab → Settings. You can modify settings for when the browser refreshes cached files, the amount of hard drive reserved for caching, and clearing the cache.

There is concern about whether malicious coding can access the content stored in the cache folder and exploit the findings. Good browsers go to great lengths to prevent manipulation of the cache. Specifically, a built-in security architecture and randomization scheme tries to prevent unauthorized code from guessing or learning the location of the temporary cache folders associated with a particular piece of downloaded content. As has been shown many times, the ability of a program to learn or guess the location of the temporary cache folders can result in complete compromise of the machine.

Many browsers, including Internet Explorer, will even cache passwords. When visiting a site for the first time that requires a logon name and password, both products will prompt you about whether you want the browser to remember your login name and password, and automatically have it filled in the next time you visit the same site. This is done as a convenience, but significantly undermines browser security. If allowed, anyone can use your browser and visit your password-protected sites.

The latest Internet Explorer browsers attempt to store the passwords in encrypted form while stored on the hard drive. Past malicious scripting attacks have been successful in enumerating passwords out of the memory cache. In some rare cases, site logon information stored in clear-text files has been able to be read. Password caching can only be turned on or off for all sites.

8.4.7 AutoComplete

Internet Explorer's AutoComplete™ feature allows the browser to automatically fill out web forms that request common information, such as name, address, login name, email address, etc. While a nice convenience feature, it allows someone to view potentially confidential information about you. You can access AutoComplete in Internet Explorer using Tools → Internet Options → Content tab → Personal Information → AutoComplete.

8.4.8 Microsoft Wallet and Passport

Internet Explorer has a feature meant to make online shopping easier for web surfers. The thought is that if you store the credit card information in one place where legitimate web sites can access it, the online buying experience becomes seamless. The Microsoft Wallet™ (Tools → Internet Options → Content → Wallet) allows web sites that conform to Microsoft's Wallet standard to show a wallet icon during online checkout. The end user then clicks the wallet icon, types in their password, and their credit card information is sent to the vendor, and the payment transaction is recorded in the user's wallet.

The information is sent back and forth using the Secure Electronic Transaction (SET) standard codeveloped by VISA™ and MasterCard™. During the initial setup of MS Wallet, a certificate is obtained from the participating credit card vendor.

The MS Wallet feature was discontinued with Internet Explorer versions 5.01 and above, in favor of Microsoft's new Passport™ option (http://www.passport.com). The Passport Wallet, with your credit card profile, is stored on Microsoft's encrypted server. A small encrypted cookie, which allows participating web sites to identify your browser as a Passport user, is stored on the local hard drive, but does not contain credit card information. When you use your Passport Wallet, the web site identifies you with the local cookie and obtains enough information to contact Microsoft's secured database server to obtain your credit card information. Again, transactions are encrypted (although this time with SSL) and secured. Some security consultants fear that transaction engines like MS Wallet and Passport may contain holes that can be exploited by hackers and malicious code. Microsoft's Passport technology is key to their .NET strategy of global transactions.

8.4.9 HTTPS and SSL

Secure Hypertext Transfer Protocol (HTTPS) and Secure Sockets Layer (SSL) work together to provide the most popular form of browser session encryption. HTTPS works on TCP/IP port 443 (usually), instead of port 80 like regular HTTP. The URL of an HTTPS web site will begin with https:// instead of http://. SSL uses a digital certificate to authenticate and encrypt one or both sides of the secured packet transmissions.

When you visit a secure web site, HTTPS negotiates a 40- or 128-bit security X.509 digital certificate between the web site and the browser. The server presents the certificate and the browser evaluates it. The certificate must have been issued by a certificate authority the browser trusts, must not have expired, and must be linked to the same server that the web browser is connected to. If all three checks are valid, then an SSL session is established. If a secured channel is able to be used, the browser padlock icon will lock (see Figure 8-4), indicating that all future communications are encrypted. In Internet Explorer, you must choose File → Properties to reveal which level of encryption was negotiated between the browser and the server.

Figure 8-4. SSL padlock icon

SSL is approved as a browser standard by the W3C and is used by most commercial web sites. SSL can be used to secure any TCP/IP protocol, but is generally just used to encrypt HTTP traffic. There are different versions of SSL, including SSL 2.0 and SSL 3.0. Microsoft created a secure protocol called Private Communications Technology (PCT 1.0) to offer a more secure option than SSL 2.0. It is not used by nearly as many sites as SSL.

Transport Layer Security (TLS) protocol is another secure protocol, called SSL 3.1 by some groups, and can be selected as a browser's secured packet communication method of choice. Most browsers support SSL, and if more secure channel protocols are allowed, they can all be turned on and used by participating web sites.

8.4.10 Active Desktop

Released with Windows 98, Active Desktop™ is Microsoft's biggest step toward complete desktop/web integration. With it activated, a Windows desktop gets a shell update to allow it to become "web-ized." Many components of Windows begin to take on HTTP personalities. ActiveX controls, HTML, DHTML, Java applets, frames, and hyperlinks can be added on the desktop and all throughout the Windows interface. You could add a video broadcast or stock ticker to your desktop as a regular part of its real estate.

When Active Desktop is turned on (Right-click Desktop → Active Desktop → View as a Web page) the desktop itself gets treated like an HTML file, with the necessary data stored in a hidden file called DESKTOP.HTT (Hypertext Template File). Among other things, it contains a hidden ActiveX control called ActiveDesktopMover, which helps resize and move the various desktop items. Folders under the Active Desktop can also gain HTML functionality, and each will have a FOLDER.HTT file associated with it. Most FOLDER.HTT files are just an HTML file with JScript coding and can be modified to suit the user's needs. Additional .HTT files can be found in the %WINDIR%\Web folder.

Active Desktop is a memory and resource hog. I've often disabled it on users' desktops and increased the PC's performance by 50 percent or more. And, of course, because it extends web technologies to the desktop, activating Active Desktop presents many new risks that would not otherwise exist.

Even without Active Desktop activated, you can type in any web URL in the Start → Run dialog box and your default desktop browser will start and find the web site.

8.4.11 Skins

Skins are interface templates that can be applied to an application to change its appearance or operation. Internet Explorer and Windows Media Player are two such applications. Skins are usually high-color and high-resolution, and demand greater resources than the default interface. Hundreds of web sites are devoted to the development and free exchange of skins. XML-based skins are quickly being implemented to allow objects and scripting languages to be included. This integration also allows MMC exploits to be hidden within the skin.


Malicious Mobile Code: Virus Protection for Windows (OReilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176
