Internet Client Vulnerabilities
* Of the numerous techniques to exploit internet end users
- Software exploits are the most despicable
- This is because software usually permits hackers to do their bidding with little or no visibility on the part of the victim.
ActiveX
* Microsoft ActiveX
- Microsoft's answer to Java
- First real attempt at a model for portable, remotely consumable software applications
- ActiveX applications or controls
- Can be written to perform specific functions
- Such as displaying a movie or sound file
- Can be embedded in a web page to provide this functionality
- Example: like Microsoft's Object Linking and Embedding (OLE), which supports embedding Excel spreadsheets within Word docs
- Usually the .ocx file extension
- When Internet Explorer encounters a web page with an embedded ActiveX control (or multiple controls)
- First checks the user's local system Registry to find out whether that component is available on the user's machine
- If it is, IE displays the web page, loads the control into the browser's memory address space, and executes its code.
- If the control is not already installed on the user's computer, IE downloads and installs the control using the location specified within the <OBJECT> tag.
- Optionally, it verifies the origin of the code using Authenticode and then executes that code
- Controls are downloaded to the location specified by the Registry string value
  (REG_SZ) HKLM\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Internet Settings\ActiveXCache
- Default in XP is %systemroot%\Downloaded Program Files
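The loading process above leaves a trail an administrator can audit. The following is an added example (not from the class notes): it reads the ActiveXCache value named above, lists what sits in that directory, and for every control IE has downloaded through an <OBJECT> tag reports its CODEBASE and whether its kill bit is set. It assumes the documented registry layout, namely that downloaded controls are recorded under HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units and that a kill bit is "Compatibility Flags" 0x400 under ActiveX Compatibility\{CLSID}.

```powershell
# Added example, not part of the class notes. Inventories ActiveX controls that
# Internet Explorer has downloaded via <OBJECT> tags and checks their kill bits.
# Assumption: Distribution Units\{CLSID}\DownloadInformation holds the CODEBASE
# the control was fetched from; Compatibility Flags bit 0x400 is the kill bit.
$Settings  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$CacheProp = Get-ItemProperty -Path $Settings -Name ActiveXCache -ErrorAction SilentlyContinue
$CacheDir  = if ($CacheProp) { $CacheProp.ActiveXCache } else { "$env:SystemRoot\Downloaded Program Files" }
$UnitsKey  = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
$CompatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit   = 0x400

function Get-DownloadedActiveXControl {
    if (-not (Test-Path $UnitsKey)) { return }
    foreach ($unit in Get-ChildItem -Path $UnitsKey) {
        $clsid = $unit.PSChildName
        # Where IE fetched the control from (the CODEBASE of the <OBJECT> tag).
        $dl = Get-ItemProperty -Path (Join-Path $unit.PSPath 'DownloadInformation') -ErrorAction SilentlyContinue
        # Kill bit: IE refuses to instantiate the CLSID when bit 0x400 is set.
        $compat = Get-ItemProperty -Path (Join-Path $CompatKey $clsid) -ErrorAction SilentlyContinue
        $flags  = if ($compat) { $compat.'Compatibility Flags' } else { 0 }
        [pscustomobject]@{
            CLSID    = $clsid
            CodeBase = $dl.CODEBASE
            KillBit  = [bool]($flags -band $KillBit)
        }
    }
}

"ActiveX cache directory: $CacheDir"
Get-ChildItem -Path $CacheDir -Force -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
Get-DownloadedActiveXControl | Format-Table -AutoSize
```

Controls listed with KillBit = False and a CODEBASE on an unfamiliar host are the ones worth reviewing first; setting the kill bit is the documented way to stop IE from instantiating a control without uninstalling it.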
ActiveX Security Model
* Acting within the model described in the previous section, malicious programmers could write ActiveX controls to do just about anything they want to a user's machine.
* The thing that stands in the way is Microsoft's authentication paradigm.
* Authenticode allows developers to "sign" their code using a cryptographic mechanism that can be authenticated by IE and a third party before the code is executed. (VeriSign Corporation is typically the third party.)
- Example of how ActiveX could be used for malicious activity
- In 1996 Fred McLain wrote an ActiveX control that shut down the user's system cleanly (if it was running Windows 95 with advanced power management).
- Called Internet Exploder
- Safe for Scripting
- Was the next significant security challenge
- One way an attacker could get a malicious program onto your computer when you simply visited their website was by manipulating the Scriptlet ActiveX control
- Scriptlet.typelib can create, edit, and overwrite files on the hard disk.
- Eyedog has the ability to query the Registry and gather machine characteristics
ActiveX Abuse Countermeasures
* From a developer's perspective, don't write safe-for-scripting controls that could perform privileged actions on a user's system.
* Restrict or disable ActiveX through the use of Microsoft Internet Explorer security zones.
Java
* Created by Sun Microsystems
* Was created primarily to enable portable, remotely consumable software applications.
* Differed from ActiveX in that it included a security "sandbox" that restrains programmers from making many of the mistakes that lead to security problems, such as buffer overflows.
- Vulnerabilities found
- In November 2004, Jouko Pynnönen published an advisory on a devastating vulnerability in Sun's Java Plug-in, which permits browsers to run Java applets
- The vulnerability essentially allowed malicious web pages to disable Java's security restrictions and break out of the Java sandbox, effectively neutering the security of the platform.
Java Countermeasures
* Restrict Java through the use of Microsoft Internet Explorer security zones.
* For non-IE browsers, consult the documentation on how to restrict Java.
JavaScript and Active Scripting
* Originally "LiveScript"; still associated with Sun's Java, but actually a separate scripting language created by Netscape.
* Blend of Perl-like ease of use with C/C++-like power
- Made it popular
- Also makes it attractive to hackers
- Makes it easy to fool the user into entering sensitive information
* Microsoft platforms execute JavaScript and other client-side scripting languages using a Component Object Model (COM)-based technology called Active Scripting
- Security issues are not caused by the technology, but by the abuse of the power and accessibility it gives you.
JavaScript Countermeasures
* Restrict JavaScript and Active Scripting through the use of Microsoft Internet Explorer security zones.
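All three countermeasure sections (ActiveX, Java, JavaScript/Active Scripting) point at the same control: IE security zones. The following is an added example, not from the class notes, that audits the Internet zone (zone 3) for exactly those settings. It assumes the documented IE zone registry layout under HKCU and HKLM, the documented policy DWORD names, and the documented value encoding (0 = Enable, 1 = Prompt, 3 = Disable; for Java permissions 0 = Disable Java); which values count as acceptable is this script's own hardening assumption.

```powershell
# Added example, not part of the class notes. Audits the IE "Internet" zone for
# the ActiveX, Java and Active Scripting policies the notes say to restrict.
# Assumption: documented zone DWORD names; 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneSubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Policy id -> description and the values this script accepts for the Internet zone.
$Policies = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                  Ok = @(1, 3) },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                Ok = @(3) },
    @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins';                 Ok = @(1, 3) },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX not marked safe';     Ok = @(3) },
    @{ Id = '1405'; Name = 'Script ActiveX controls marked safe for scripting'; Ok = @(1, 3) },
    @{ Id = '1400'; Name = 'Active scripting';                                  Ok = @(1, 3) },
    @{ Id = '1402'; Name = 'Scripting of Java applets';                         Ok = @(1, 3) },
    @{ Id = '1C00'; Name = 'Java permissions (0 = Disable Java)';               Ok = @(0) }
)

function Test-InternetZonePolicy {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)
    $path = "${Hive}:\$ZoneSubKey"
    if (-not (Test-Path $path)) { Write-Warning "$path not present"; return }
    $key = Get-ItemProperty -Path $path
    foreach ($p in $Policies) {
        $prop  = $key.PSObject.Properties[$p.Id]
        $value = if ($prop) { $prop.Value } else { $null }
        $state = if ($null -eq $value)          { 'NOT SET (zone default applies)' }
                 elseif ($p.Ok -contains $value) { 'OK' }
                 else                            { 'WEAK' }
        [pscustomobject]@{
            Hive = $Hive; Policy = $p.Id; Setting = $p.Name; Value = $value; State = $state
        }
    }
}

# HKCU holds the per-user zone settings; HKLM is authoritative only when the
# Security_HKLM_only policy is set, so report both and let the admin compare.
'HKCU', 'HKLM' | ForEach-Object { Test-InternetZonePolicy -Hive $_ } | Format-Table -AutoSize
```

Any row marked WEAK means the zone still allows the behaviour the notes recommend restricting; the fix is the corresponding zone setting in Internet Options (or the equivalent Group Policy), not editing the DWORD by hand.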