Author Topic: At what cost?  (Read 1860 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34066
  • malware fighter
At what cost?
« on: August 01, 2006, 02:48:14 PM »
Hi malware fighters,

More than a hundred security leaks have been found in Active-X controls that are found standard on Windows eXPerience (did you know that was what XP stood for? What an experience!).
They were found by Metasploit's researcher H.D. Moore. A dozen of these controls were so full of holes that a whole class of them had to be blacklisted right away.
What are the benefits of having the Active-X or JavaScript functionality and efficiency, when at the same time you also inherit all this insecurity and all the time it will cost you to update and patch or circumvent all kinds of possible problems?
To have full efficiency and functionality, all patches and fixes are omitted and one proceeds under the false assumption "Although I may be vulnerable, I am not a victim yet".

For instance JavaScript, originally developed for the Netscape browser.

1. JavaScripts can trick the user into uploading a file on his local hard disk or network mounted disk to an arbitrary machine on the Internet. Although the user must click a button in order to initiate the transfer, the button can easily masquerade as something innocent. Nor is there any indication that a file transfer has occurred before or after the event. This is a major security risk for systems that rely on a password file to control access, because a stolen password file can often be readily cracked.

2. JavaScripts can obtain directory listings of the user's local hard disk and any network mounted disks. This represents both an invasion of privacy and a security risk, since an understanding of a machine's organization is a great advantage for devising a way to break into it.

3. JavaScripts can monitor all pages the user visits during a session, capture the URLs, and transmit them to a host somewhere on the Internet. This hole requires a user interaction to complete the upload, but as in the first example the interaction can be disguised in an innocuous manner.

Nice, these tools to make a website "monkey-proof", but isn't it time for some decent server-side and client-side validation? A nobler task awaits firms like VeriSign rather than serving up client profiles.

polonus
« Last Edit: August 01, 2006, 04:51:58 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus
Re: At what cost?
« Reply #1 on: August 03, 2006, 11:57:42 PM »
Hi malware fighters,

There are free tools available to help users block certain types of JavaScript attacks. The NoScript extension for Firefox blocks all scripts by default, allowing the user to turn JavaScript back on if they visit a trusted site and want to view content that requires it. But NoScript also remembers which sites the user has selected, and JavaScript attacks are increasingly showing up on social-networking sites like Myspace.com and other places that many users implicitly trust.

Another tool I use is the Netcraft Toolbar, which does a pretty decent job of warning you before the browser loads sites that attempt to use known JavaScript attack code.

But know for once that these tools are not a comprehensive antiscript shield. "These are all designed to spot the bad sites, not necessarily good sites doing bad things