8.5 When to Worry About Browser Content

Browser content becomes potentially mischievous when it can do any of the following:
For instance, Common Gateway Interface (CGI) and Active Server Pages (ASP) are server-side processes that run on the web server, not the local web client. Those languages have a hard time accessing local system resources. For those reasons, CGI and ASP are probably not going to be high on the list for malicious mobile code programmers. Of course, as languages evolve, they often gain new functionality. If that new functionality allows the local system threats previously indicated, the language can be considered potentially dangerous.

As another example, Virtual Reality Modeling Language (VRML) is a standard for the animation of geometric shapes and 3D objects within browsers. A VRML ActiveX control is packaged with Internet Explorer and presents very little security threat because it was designed to download and display graphics. It does not have access to the local file system and has no known buffer overflow exploits, and as such, provides little risk.

On the other hand, programs that we once thought were safe are now potential holes for hackers. Adobe's Acrobat program and Microsoft Windows' Media Player were once thought of as very safe. One displays document images and the other plays audio and video files. Both have contained buffer overflow holes, which would allow complete system compromise. Microsoft and Adobe have released patched versions, although a large number of users still use the older versions.