Firewall Wizards mailing list archives
Re: Active-content filtering (was RE: Buffer Overruns)
From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Mon, 27 Dec 1999 15:17:04 -0500
On Wed, Dec 22, 1999 at 11:04:46PM -0700, Hazel A. Borg wrote:
> I am a web developer who took a course in firewalls which opened up my eyes to a whole new world. ... ... Nowhere in my schooling or the references I use in web developing is there a mention of the security problems with JavaScript. All the programs like Adobe ImageReady and Macromedia Fireworks etc. use JavaScript, making features as a major selling point in their software. In simple terms, what is the major risk with JavaScript? Is there a hacking program out there that uses and writes to the hard drive? ...
I'm not sure that the debate to date has addressed the "newbie" needs.

Java and ActiveX, and to a perhaps lesser degree JavaScript, are what are called "active content". They are somewhat general-purpose programming languages. What this means is that you can write just about any programs to do anything in them. Good things. And bad things.

This is not necessarily a Bad Thing(tm). Java programs can be compiled and run on my system at work or at home. The problem is, I can then insert a Java (et al.) program in my Web site's pages. The hapless user comes along and reads the page, and the program gets a free ride onto his workstation. If he or she has these things enabled, as is the default for many browsers, then the program is instantly either interpreted or compiled and run ON THE USER'S WORKSTATION. It then can do ANYTHING that it wants.

Well, there are caveats. Java has this "sandbox" concept. Supposedly, the person who made the browser was smarter than anybody else in the world, and created a "sandbox" area, within which the Java program can run, and outside of which it may not go. Unfortunately, there is always somebody a little smarter or more devious or just thinking "outside the [sand]box." And the sandbox gets broken out of, and needs to be re-built or re-designed.

Yes, the people helping you design the Web sites want you to use active content, for all the reasons previously mentioned. They want you to DEPEND on that active content. And pay them to show you how. So, why should they tell YOU about any security problems that your targeted victims might have because of this? ;-/

There are few people offering the USERS courses at any price in how to avoid it for security's sake. And most of them wouldn't care. ;-(

--
Joe Yao jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
Current thread:
- Active-content filtering (was RE: Buffer Overruns) fernando_montenegro (Dec 21)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 22)
- Re: Active-content filtering (was RE: Buffer Overruns) David Lang (Dec 23)
- Re: Active-content filtering (was RE: Buffer Overruns) Hazel A. Borg (Dec 24)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 26)
- Re: Active-content filtering (was RE: Buffer Overruns) Joseph S D Yao (Dec 28)
- Re: Active-content filtering (was RE: Buffer Overruns) Neil Ratzlaff (Dec 22)
- <Possible follow-ups>
- RE: Active-content filtering (was RE: Buffer Overruns) fernando_montenegro (Dec 26)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 26)
- Re: Active-content filtering (was RE: Buffer Overruns) Jody C. Patilla (Dec 28)
- Re: Active-content filtering (was RE: Buffer Overruns) Dorian Moore (Dec 30)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 30)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 26)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 22)