Firewall Wizards mailing list archives

Re: Active-content filtering (was RE: Buffer Overruns)

From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Mon, 27 Dec 1999 15:17:04 -0500

On Wed, Dec 22, 1999 at 11:04:46PM -0700, Hazel A. Borg wrote:

I am a web developer who took a course in firewalls which opened up
my eyes to a whole new world.  ...
        ...  No where in my schooling or the references I use in web
developing is there a mention of the security problems with JavaScript.
All the programs like adobe image ready and macromedia fireworks etc use
JavaScript making features as a major selling point in their software.
In simple terms what is the major risk with JavaScript? Is there a hacking
program out there that uses and writes to the hard drive?  ...


I'm not sure that the debate to date has addressed the "newbie" needs.

Java and ActiveX, and to a perhaps lesser degree JavaScript, are what
are called "active content".  They are somewhat general-purpose
programming languages.  What this means is that you can write just about
any programs to do anything in them.  Good things.  And bad things.

This is not necessarily a Bad Thing(tm).  Java programs can be compiled
and run on my system at work or at home.  The problem is, I can then
insert a Java (et al.) program in my Web site's pages.  The hapless user
comes along and reads the page, and the program gets a free ride onto
his workstation.  If he or she has these things enabled, as is the
default for many browsers, then the program is instantly either
interpreted or compiled and run ON THE USER'S WORKSTATION.  It then can
do ANYTHING that it wants.

Well, there are caveats.  Java has this "sandbox" concept.  Supposedly,
the person who made the browser was smarter than anybody else in the
world, and created a "sandbox" area, within which the Java program can
run, and outside of which it may not go.  Unfortunately, there is always
somebody a little more smarter or devious or just thinking "outside the
[sand]box."  And the sandbox gets broken out of, and needs to be re-
built or re-designed.

Yes, the people helping you design the Web sites want you to use active
content, for all the reasons previously mentioned.  They want you to
DEPEND on that active content.  And pay them to show you how.  So, why
should they tell YOU about any security problems that your targeted
victims might have because of this?  ;-/  There are few people offering
the USERS courses at any price in how to avoid it for security's sake.
And most of them wouldn't care.  ;-(

-- 
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

Current thread:

Active-content filtering (was RE: Buffer Overruns) fernando_montenegro (Dec 21)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 22)
  - Re: Active-content filtering (was RE: Buffer Overruns) David Lang (Dec 23)
  - Re: Active-content filtering (was RE: Buffer Overruns) Hazel A. Borg (Dec 24)
    - Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 26)
    - Re: Active-content filtering (was RE: Buffer Overruns) Joseph S D Yao (Dec 28)
- Re: Active-content filtering (was RE: Buffer Overruns) Neil Ratzlaff (Dec 22)
- <Possible follow-ups>
- RE: Active-content filtering (was RE: Buffer Overruns) fernando_montenegro (Dec 26)
  - Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 26)
    - Re: Active-content filtering (was RE: Buffer Overruns) Jody C. Patilla (Dec 28)
    - Re: Active-content filtering (was RE: Buffer Overruns) Dorian Moore (Dec 30)
    - Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 30)
- Re: Active-content filtering (was RE: Buffer Overruns) Ryan Russell (Dec 28)