
Hack Proofing Your Web Applications, part 7


DOCUMENT INFORMATION

Basic information

Title: Securing XML
Publisher: Syngress Publishing
Subject: Web Applications Security
Type: book
Year published: 2001
City: San Francisco
Pages: 63
Size: 607.8 KB


Contents


<pd:ProductName>Product Name F</pd:ProductName>

Figure 8.7 Products.html

<html>
<head>
<title>Product Listing</title>
<script language="javascript" for="window" event="onload">
// Load the XML data and the XSL style sheet through the IE-only MSXML COM object
var source = new ActiveXObject("Microsoft.XMLDOM");
source.load("products-data.xml");
var style = new ActiveXObject("Microsoft.XMLDOM");
style.load("products.xsl");
// Transform on the client and write the resulting HTML into the display area
document.all.item("display").innerHTML = source.transformNode(style.documentElement);
</script>
</head>
<body>
<div id="display"></div>
</body>
</html>

When all these files are located in the same directory and the HTML file is opened, you will see the output as shown in Figure 8.8.

The Risks Associated with Using XML

XML and XSL are very powerful tools, and when wisely wielded can create Web applications that are easy to maintain because of the separation of data and presentation. With a little planning, you can reduce the amount of code necessary by compartmentalizing key aspects of functionality using XML and XSL and reusing them throughout the application. Along with changing the way your components communicate within your application, XML will change the way entities communicate over the Internet.

Figure 8.8 Resulting HTML

XML and XSL are open standards. This is one of the reasons why these standards have become so popular. Many times, XML schemas are published by organizations to standardize industry- or business-related information. This is done in the hope of further automating business processes, increasing collaboration, and easily integrating with new business partners over the Internet. As XML becomes more popular, you will begin seeing more information being exchanged between businesses and organizations. As always, secure design and architecture are key to making sure that none of that information is compromised during the exchange. The next sections provide a basis for understanding and using the XML encryption and digital signature specifications.

Confidentiality Concerns

The best way to protect data is to not expose it, and let's face it: anything you send over the Internet is fair game. Although you may feel safer making a purchase over the Internet with a credit card than when your waiter picks up your credit card at the restaurant, a risk is still a risk.

As always when dealing with the Internet, security is an issue, but remember that XML is about data, plain and simple, and XSL is about transforming XML. Security needs to be carefully implemented in all Web applications, but it should be implemented in a layer autonomous to XML and XSL. If information is not meant to be seen, it is much safer to transform the XML document to exclude the sensitive information prior to delivering the document to the recipient, rather than encrypt the information within the document.

XSL is a great way to "censor" your XML documents prior to delivery. Because XSL can be used to transform XML into anything, including a new XML document, it gives you very granular control over what data gets sent to whom when it is used in conjunction with authentication.

If you find yourself adding a username and password element to your XML, stop. If you are encrypting values prior to entering them into an XML document, stop. Tools already exist that you can use for authentication, authorization, and encryption. These concepts are integral to Web applications, but they belong at a higher level in the overall architecture.

Say, for example, you had an e-commerce Web site that takes orders over the Web and then sends each order to a fulfillment company via XML to be packed and shipped. Because the credit card needs to be debited at the time of shipping, you feel it necessary to send the credit card number to the fulfillment company in the XML document that contains the rest of the order information. Feeling uncomfortable exposing that information in clear text, you decide to encrypt the credit card number within the XML document. Although your intentions are good, the decision has consequences. The XML document is no longer self-describing. It has also become proprietary, because you need the encryption algorithm (and the key) in order to extract the credit card number. This decision reintroduces some of the problems XML was meant to eliminate. In many of these cases, other solutions exist. One may be to not send the credit card information to the fulfillment company along with the rest of the order. When the order has been shipped, have the fulfillment company send a shipping notification to your application and have your application debit the credit card.
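The advice above is to remove what a recipient must not see before the document leaves your application, rather than to encrypt it in place. The following Python is an added example of that kind of delivery-time transform; it is not code from the book (XSL is the book's own tool for this, but the allow-list logic is the same). The order document, the recipient names and the policy table are constructed for the example; a real deployment would take the recipient identity from its authentication layer rather than from a function argument.

```python
"""Delivery-time censoring of an XML order: strip every element that the
authenticated recipient is not explicitly allowed to see.

Added example; the document, recipients and policy are constructed here.
"""
import xml.etree.ElementTree as ET

# Constructed sample order, modelled on the chapter's e-commerce scenario.
ORDER_XML = """<order id="A-1001">
  <customer>
    <name>Jane Example</name>
    <email>jane@example.invalid</email>
    <creditcard>
      <number>4111111111111111</number>
      <expiry>12/03</expiry>
    </creditcard>
  </customer>
  <shipto>
    <street>1 Main St</street>
    <city>Springfield</city>
  </shipto>
  <items>
    <item sku="X-12" qty="2"/>
  </items>
</order>"""

# Hypothetical per-recipient allow-lists, keyed by element path from the root.
# Anything not listed is removed, so a newly added element is hidden by default.
POLICY = {
    # The fulfillment company needs the name, the address and the items only.
    "fulfillment": {
        "order", "order/customer", "order/customer/name",
        "order/shipto", "order/shipto/street", "order/shipto/city",
        "order/items", "order/items/item",
    },
    # Your own billing process is the one place the card number may go.
    "billing": {
        "order", "order/customer", "order/customer/name", "order/customer/email",
        "order/customer/creditcard", "order/customer/creditcard/number",
        "order/customer/creditcard/expiry",
        "order/items", "order/items/item",
    },
}


def censor(xml_text: str, recipient: str, policy=POLICY) -> str:
    """Return a new XML document containing only the elements the recipient
    may see.  Attributes travel with their element, so do not keep secrets in
    attributes of elements that are shared."""
    allowed = policy[recipient]          # KeyError for an unknown recipient
    root = ET.fromstring(xml_text)
    if root.tag not in allowed:
        raise PermissionError(f"{recipient} may not receive <{root.tag}>")

    def prune(elem: ET.Element, path: str) -> None:
        for child in list(elem):          # copy: we mutate while iterating
            child_path = f"{path}/{child.tag}"
            if child_path in allowed:
                prune(child, child_path)
            else:
                elem.remove(child)

    prune(root, root.tag)
    return ET.tostring(root, encoding="unicode")


def count_elements(xml_text: str, tag: str) -> int:
    """Post-delivery check: how many <tag> elements does the output contain?"""
    return sum(1 for _ in ET.fromstring(xml_text).iter(tag))


if __name__ == "__main__":
    print(censor(ORDER_XML, "fulfillment"))
```

The allow-list is deliberately positive: an element must be named to survive, so adding a new field to the order later cannot leak it to an existing partner by accident. The count_elements check is the kind of assertion worth running on the outbound document in a test, since a policy typo would otherwise fail silently.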

Note that not only is your data at risk, but also your code. XSL is a complete programming language, and at times may be more valuable than the information contained within the XML it transforms. When you perform client-side transformations, you expose your XSL in much the same way that HTML is exposed to the client. Granted, most of your programming logic will remain secure on the server, but XSL still composes a great deal of your application. Securing it is as important as securing your XML.

Securing XML

Just as with HTML documents, digital certificates (that is, an SSL/TLS session authenticated by a certificate) are the best way to secure any document that has to traverse the Internet. Any time you need to perform a secure transaction over the Internet, a digital certificate should be involved, whether the destination is a browser or an application. Certificates are used by a variety of public key security services and applications that provide authentication, data integrity, and secure communications across nonsecure networks such as the Internet.

From the developer's perspective, use of a certificate requires it to be installed on the Web server and that the HTTPS protocol is used instead of HTTP.

Having stated our personal opinions on the flaws we see in encrypting XML documents, we must report that the W3C is currently working on a specification for the XML Encryption namespace. The specification is currently a working draft focused upon structuring encrypted XML but also upon structuring the information necessary for the encryption/decryption process. You can find the draft at http://lists.w3.org/Archives/Public/xml-encryption/2000Dec/att-0024/01-XMLEncryption_v01.html. (The specification has since been finished: XML Encryption Syntax and Processing became a W3C Recommendation in December 2002, under the namespace http://www.w3.org/2001/04/xmlenc#, and the draft's CipherText element became CipherData/CipherValue.)

XML Encryption

The goal of the XML Encryption specification is to describe a digitally encrypted Web resource using XML. The Web resource can be anything from an HTML document to a GIF file, or even an XML document.

With respect to XML documents, the specification provides for the encryption of an element including the start and end tags, the content within an element between the start and end tags, or the entire XML document. The encrypted data is structured using the <EncryptedData> element that contains information pertaining to encrypting and/or decrypting the information. This information includes the pertinent encryption algorithm, information about the key used for encryption, references to external data objects, and either the encrypted data or a reference to the encrypted data. The schema as defined so far is shown in Figure 8.9.

Figure 8.9 XML Encryption DTD

<!DOCTYPE schema PUBLIC "-//W3C//DTD XMLSCHEMA 200010//EN"

http://www.w3.org/2000/10/XMLSchema.dtd [

<!ATTLIST schema xmlns:ds CDATA #FIXED

"http://www.w3.org/2000/10/XMLSchema">

<!ENTITY enc "http://www.w3.org/2000/11/temp-xmlenc">

<!ENTITY enc 'http://www.w3.org/2000/11/xmlenc#'>

<!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'>

<element ref="xenc:EncryptionMethod" minOccurs=0/>

<element ref="ds:KeyInfo" minOccurs=0/>

<element ref="xenc:CipherText"/>

</sequence>

<attribute name="Id" type="ID" use="optional"/>


<attribute name="Type" type="string" use="optional"/>

<element ref="xenc:EncryptionMethod" minOccurs=0/>

<element ref="xenc:ReferenceList" minOccurs=0/>

<element ref="ds:KeyInfo" minOccurs=0/>

<element ref="xenc:CipherText1"/>

</sequence>

<attribute name="Id" type="ID" use="optional"/>

<attribute name="NameKey" type="string" use="optional"/>


<any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>

The schema is quite involved in describing the means of encryption. The following described elements are the most notable of the specification.

The EncryptedData element is at the crux of the specification. It is used to replace the encrypted data, whether the data being encrypted is within an XML document or is the XML document itself. In the latter case, the EncryptedData element actually becomes the document root. The EncryptedKey element is an optional element containing the key that was used during the encryption process. EncryptionMethod describes the algorithm applied during the encryption process, and is also optional. CipherText is a mandatory element that provides the encrypted data. You may have noticed that EncryptedKey and EncryptionMethod are optional: the absence of these elements in an instance means the sender is assuming that the recipient already knows this information, agreed out of band. When EncryptionMethod is present, the recipient should accept only the algorithms it expects rather than trusting whatever the document names, because that element arrives unauthenticated.

The processes of encryption and decryption are quite straightforward. The data object is encrypted using the algorithm and key of choice. Although the specification is open to allow the use of any algorithm, each implementation of the specification should implement a common set of algorithms to allow for interoperability. If the data object is an element within an XML document, it is removed along with its content and replaced with the pertinent EncryptedData element. If the data object being encrypted is an external resource, a new document can be created with an EncryptedData root node containing a reference to the external resource. Decryption follows these steps in reverse order: parse the XML to obtain the algorithm, parameters, and key to be used; locate the data to be decrypted; and perform the decryption operation. The result will be a UTF-8 encoded string representing the XML fragment. This fragment should then be converted to the character encoding used in the surrounding document. If the data object is an external resource, then the unencrypted string is available to be used by the application.

There are some nuances to encrypting XML documents. Encrypted XML instances are well-formed XML documents, but may not appear valid when validated against their original schema. If schema validation is required of an encrypted XML document, a new schema must be created to account for those elements that are encrypted. Figure 8.10 contains an XML instance that illustrates the before and after effects of encryption.

Figure 8.10 XML Document to Be Encrypted

Figure 8.11 XML Document After Encryption

<xenc:CipherText>AbCd….wXYZ</xenc:CipherText>

</xenc:EncryptedData>

</creditcard>

</customer>

The encrypted information is replaced by the EncryptedData element, and the encrypted data is located within the CipherText element. This instance of EncryptedData does not contain any descriptive information regarding the encryption key or algorithm, assuming the recipient of the document already has this information. There are some good reasons why you would want to encrypt at the element level, considering the XLink and XPointer supporting standards, which enable users to retrieve portions of documents (though there is a debate as to restricting encryption to the document level). You may want to consolidate a great deal of information in one document, yet restrict access only to a subsection. Also, encrypting only sensitive information limits the amount of information to be decrypted; encryption and decryption are expensive operations. Although encryption is an important step in securing your Internet-bound XML, there are times you may want to ensure you are receiving information from who you think you are. The W3C is also in the process of drafting a specification to handle digital signatures.
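As an added example (not code from the book), the following Python carries the replace-and-restore steps described above through on a <customer> document like the one in Figure 8.10, producing the shape shown in Figure 8.11. It uses the element names of the finished W3C Recommendation (CipherData/CipherValue rather than the draft's CipherText) and, because the Python standard library has no AES, a labelled stand-in cipher built from HMAC-SHA256 in counter mode; its Algorithm identifier is invented for the example and is not a registered one. As in Figure 8.11, no KeyInfo is written, so sender and recipient must already share the key.

```python
"""Element-level XML Encryption, following the replace-and-restore steps in
the text.  Added example; the document, key and the stand-in cipher are
constructed here and the Algorithm URI is not a registered identifier.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"      # namespace of the final Recommendation
ET.register_namespace("xenc", XENC)
STANDIN_ALG = "urn:example:hmac-sha256-ctr"     # assumption: stand-in for AES
IV_LEN = 16

# Constructed sample, modelled on Figure 8.10.
CUSTOMER_XML = """<customer>
  <name>Jane Example</name>
  <creditcard>
    <number>4111111111111111</number>
    <expiry>12/03</expiry>
  </creditcard>
</customer>"""


def _xor_stream(data: bytes, key: bytes, iv: bytes) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256: block i = HMAC(key, iv||i).
    Confidentiality only; like any unauthenticated stream cipher it gives no
    integrity, which is why the chapter goes on to digital signatures."""
    stream = bytearray()
    for i in range((len(data) + 31) // 32):
        stream += hmac.new(key, iv + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def _parents(root: ET.Element) -> dict:
    return {child: parent for parent in root.iter() for child in parent}


def encrypt_element(root: ET.Element, tag: str, key: bytes) -> ET.Element:
    """Remove the first <tag> element (start tag, content and end tag) and put
    an <xenc:EncryptedData Type="...#Element"> in its place."""
    target = next(root.iter(tag))
    parent = _parents(root)[target]
    plaintext = ET.tostring(target, encoding="utf-8")   # serialized element
    iv = os.urandom(IV_LEN)
    enc = ET.Element(f"{{{XENC}}}EncryptedData", {"Type": XENC + "Element"})
    ET.SubElement(enc, f"{{{XENC}}}EncryptionMethod", {"Algorithm": STANDIN_ALG})
    cipher_data = ET.SubElement(enc, f"{{{XENC}}}CipherData")
    ET.SubElement(cipher_data, f"{{{XENC}}}CipherValue").text = base64.b64encode(
        iv + _xor_stream(plaintext, key, iv)).decode("ascii")
    enc.tail = target.tail                     # keep surrounding whitespace intact
    position = list(parent).index(target)
    parent.remove(target)
    parent.insert(position, enc)
    return root


def decrypt_elements(root: ET.Element, key: bytes) -> ET.Element:
    """Reverse of encrypt_element for every EncryptedData in the document:
    read the algorithm, refuse anything unexpected, decrypt, parse the UTF-8
    fragment and splice it back where the EncryptedData stood."""
    parents = _parents(root)
    for enc in list(root.iter(f"{{{XENC}}}EncryptedData")):
        method = enc.find(f"{{{XENC}}}EncryptionMethod")
        # Never let the document choose the algorithm: allow-list it.
        if method is None or method.get("Algorithm") != STANDIN_ALG:
            raise ValueError("missing or unsupported EncryptionMethod")
        blob = base64.b64decode(enc.find(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue").text)
        iv, ciphertext = blob[:IV_LEN], blob[IV_LEN:]
        restored = ET.fromstring(_xor_stream(ciphertext, key, iv))  # ParseError on a wrong key
        restored.tail = enc.tail
        parent = parents[enc]
        position = list(parent).index(enc)
        parent.remove(enc)
        parent.insert(position, restored)
    return root


def to_text(root: ET.Element) -> str:
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    key = os.urandom(32)                      # shared out of band with the recipient
    doc = encrypt_element(ET.fromstring(CUSTOMER_XML), "creditcard", key)
    print(to_text(doc))
    print(to_text(decrypt_elements(doc, key)))
```

Two things to notice when running it: the rest of the document stays readable and schema-valid-looking apart from the one replaced subtree, which is the point of element-level encryption, and a wrong key produces a parse error rather than a clean failure, because nothing in the structure authenticates the ciphertext.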

XML Digital Signatures

The XML Digital Signature specification is a fairly stable working draft. Its scope includes how to describe a digital signature using XML and the XML-signature namespace. The signature is generated from a hash over the canonical form of the manifest, which can reference multiple XML documents. To canonicalize something is to put it in a standard format that everyone generally uses. Because the signature is dependent upon the content it is signing, a signature produced from a non-canonicalized document could be different from that produced from a canonicalized document (two logically identical copies that differ only in attribute order or whitespace would otherwise hash differently). Remember that this specification is about defining digital signatures in general, not just those involving XML documents: the manifest may also contain references to any digital content that can be addressed, or even to part of an XML document.

To better understand this specification, knowing how digital signatures work is helpful. Digitally signing a document requires the sender to create a hash of the message itself and then apply his or her own private key to that hash value (for RSA this private-key operation is often loosely described as "encrypting" the hash). Only the sender has that private key, so only the sender can produce a value that checks out under the corresponding public key. The recipient, upon receiving both the message and the signed hash value, recovers the hash value using the sender's public key. The recipient must also generate the hash value of the message and compare the newly generated hash value with the hash value recovered from the sender. If both hash values are identical, it proves that the holder of the private key signed the message, as only that key could have produced the signature. The XML specification is responsible for clearly defining the information involved in verifying digital signatures.

XML digital signatures are represented by the Signature element, which has the following structure, where "?" denotes zero or one occurrence, "+" denotes one or more occurrences, and "*" denotes zero or more occurrences. Figure 8.12 shows the structure of a digital signature as currently defined within the specification.

Figure 8.12 XML Digital Signature Structure

<Signature>
  <SignedInfo>
    (CanonicalizationMethod)
    (SignatureMethod)
    (<Reference (URI=)? >
      (Transforms)?
      (DigestMethod)
      (DigestValue)
    </Reference>)+
  </SignedInfo>
  (SignatureValue)
  (KeyInfo)?
  (Object)*
</Signature>

The Signature element is the primary construct of the XML Digital Signature specification. The Signature can envelop or be enveloped by the local data that it is signing, or the Signature may reference an external resource. Such signatures are detached signatures. Remember, this is a specification to describe digital signatures using XML, and no limitations exist as to what is being signed. The SignedInfo element is the information that is actually signed. The CanonicalizationMethod element contains the algorithm used to canonicalize the data, or structure the data in a common way agreed upon by most everybody. This process is very important for the reasons mentioned at the beginning of this section. The algorithm used to convert the canonicalized SignedInfo into the SignatureValue is specified in the SignatureMethod element. The Reference element identifies the resource to be signed and any algorithms used to preprocess the data. These algorithms can include operations such as canonicalization, encoding/decoding, compression/inflation, or even XSLT transformations. Because a verifier runs those transforms on data it has not yet authenticated, it should accept only a small, expected set of them. The DigestMethod is the algorithm applied to the data after any defined transformations are applied to generate the value within DigestValue. Signing the DigestValue binds the resources' content to the signer's key. The SignatureValue contains the actual value of the digital signature.

To put this structure in context with the way digital signatures work, the information being signed is referenced within the SignedInfo element along with the algorithm used to perform the hash (DigestMethod) and the resulting hash (DigestValue). The signature itself is carried within SignatureValue, and the key needed to verify it (or a hint about which key to use) is passed within the optional KeyInfo element. There are variations as to how the signature can be structured, but this explanation is the most straightforward. There you go: everything you need to verify a digital signature in one nice, neat package! Validation is a two-stage process. First, for each Reference, digest the referenced data object using that Reference's DigestMethod; if the digest value generated matches the DigestValue specified, the reference has been validated. Then, to validate the signature, obtain the verification key (from KeyInfo, or better from your own trust store) and validate the SignatureValue over the canonicalized SignedInfo element. A key taken from KeyInfo only tells you which key the signature was made with; deciding whether that key is one you trust is still your job.
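The following Python is an added example (not code from the book) that builds a Signature with the structure of Figure 8.12 over an <order> element and then performs the two-stage validation just described, which is also the hash-and-sign flow from the start of this section. Canonical XML needs a full C14N implementation, so the example uses a deliberately simple deterministic serialization under an invented Algorithm URI. The signature method is HMAC-SHA256, a spec-registered symmetric SignatureMethod, used in place of RSA so that the block runs with the standard library only; here "verification key" therefore means the shared HMAC key rather than a public key. The document, the key name and the key are constructed.

```python
"""XML Signature over an element, plus the two-stage validation the text
describes.  Added example; document, key and the canonicalization stand-in
are constructed here.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
C14N_STANDIN = "urn:example:simple-c14n"                       # assumption, not real C14N
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"

# Constructed sample document.  The Signature is appended to <envelope> and
# references <order Id="order1"> by URI: a detached signature in the same file.
ENVELOPE_XML = """<envelope>
  <order Id="order1">
    <item sku="X-12" qty="2"/>
    <total currency="USD">19.98</total>
  </order>
</envelope>"""


def canon(elem: ET.Element) -> str:
    """Stand-in canonical form: attributes sorted, whitespace-only text dropped,
    tags in Clark notation.  Two logically equal copies that differ only in
    attribute order or indentation serialize identically, which is the point."""
    attrs = "".join(f' {k}="{v}"' for k, v in sorted(elem.attrib.items()))
    body = (elem.text or "").strip()
    for child in elem:
        body += canon(child) + (child.tail or "").strip()
    return f"<{elem.tag}{attrs}>{body}</{elem.tag}>"


def digest_b64(elem: ET.Element) -> str:
    return base64.b64encode(hashlib.sha256(canon(elem).encode()).digest()).decode()


def q(name: str) -> str:
    return f"{{{DS}}}{name}"


def sign(root: ET.Element, target_id: str, key: bytes) -> ET.Element:
    """Append a <ds:Signature> covering the element whose Id is target_id."""
    target = root.find(f".//*[@Id='{target_id}']")
    sig = ET.SubElement(root, q("Signature"))
    si = ET.SubElement(sig, q("SignedInfo"))
    ET.SubElement(si, q("CanonicalizationMethod"), {"Algorithm": C14N_STANDIN})
    ET.SubElement(si, q("SignatureMethod"), {"Algorithm": HMAC_SHA256})
    ref = ET.SubElement(si, q("Reference"), {"URI": "#" + target_id})
    ET.SubElement(ref, q("DigestMethod"), {"Algorithm": DIGEST_SHA256})
    ET.SubElement(ref, q("DigestValue")).text = digest_b64(target)
    # The signature covers SignedInfo (and so the digests), not the data directly.
    mac = hmac.new(key, canon(si).encode(), hashlib.sha256).digest()
    ET.SubElement(sig, q("SignatureValue")).text = base64.b64encode(mac).decode()
    ki = ET.SubElement(sig, q("KeyInfo"))
    ET.SubElement(ki, q("KeyName")).text = "shared-key-2001"   # a hint, never the key
    return sig


def verify(root: ET.Element, key: bytes) -> bool:
    sig = root.find(q("Signature"))
    if sig is None:
        return False
    si = sig.find(q("SignedInfo"))
    # Algorithms are named by the document; accept only the ones we expect,
    # otherwise the attacker chooses how we verify.
    if si.find(q("CanonicalizationMethod")).get("Algorithm") != C14N_STANDIN:
        return False
    if si.find(q("SignatureMethod")).get("Algorithm") != HMAC_SHA256:
        return False
    # Stage 1: reference validation, each DigestValue against the data it names.
    for ref in si.findall(q("Reference")):
        uri = ref.get("URI", "")
        target = root.find(f".//*[@Id='{uri[1:]}']") if uri.startswith("#") else None
        if target is None or ref.find(q("DigestMethod")).get("Algorithm") != DIGEST_SHA256:
            return False
        given = (ref.find(q("DigestValue")).text or "").encode()
        if not hmac.compare_digest(digest_b64(target).encode(), given):
            return False
    # Stage 2: signature validation over the canonicalized SignedInfo.
    expected = hmac.new(key, canon(si).encode(), hashlib.sha256).digest()
    given = base64.b64decode(sig.find(q("SignatureValue")).text or "")
    return hmac.compare_digest(expected, given)


def load() -> ET.Element:
    return ET.fromstring(ENVELOPE_XML)
```

The test worth keeping in mind is the second tampering case: an attacker who edits the order and also recomputes DigestValue gets past reference validation, and only the signature over SignedInfo catches the change. That is why the text says signing the DigestValue is what binds the content to the key.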

As with encryption, implementations of XML digital signatures may use any algorithms to perform the operations required of digital signatures, such as canonicalization, encryption, and transformations. To increase interoperability, the W3C does have recommendations for which algorithms should be implemented within any XML digital signature implementation.

You will probably see an increase in the use of encryption and digital signatures when both the XML Encryption and XML Digital Signature specifications are finalized. They both provide a well-structured way in which to communicate each respective process, and with ease of use comes adoption. Encryption will ensure that confidential information stays confidential through its perilous journey over the Internet, and digital signatures will ensure that you are communicating with whom you think you are communicating. Yet both these specifications have some evolving left to do, especially when they are used concurrently. There's currently no way to determine if a document that was signed and encrypted was signed using the encrypted or unencrypted version of the document. Typically, these little bumps find a way of smoothing themselves out over time. (They did: XML Signature became a W3C Recommendation in February 2002, XML Encryption in December 2002, and the companion Decryption Transform for XML Signature, also a December 2002 Recommendation, addresses exactly the sign-then-encrypt ordering question raised here.)

NOTE

You can write your own code to perform XSL transformations on the server, or you can use the XSL ISAPI extension to automatically transform an XML page that includes a reference to an XSL style sheet. Some of the advantages of using the ISAPI filter are automatic execution of style sheets on the server, style sheet caching for improved performance, and the option to allow the "pass through" of the XML for client-side processing. To learn more about the XSL ISAPI Extension, visit http://msdn.microsoft.com/xml/general/sxlisapifilter.asp.

XML is a powerful specification that you can use to describe complex data and make that data available to many applications. XML used with XSL allows for the transformation of that data into any format imaginable, including HTML. XML schemas define standards that are used to transfer XML documents among business partners. Using these tools, you can create Web applications that can be more easily maintained, can support a wider variety of browsers, and can communicate with virtually any entity on the Internet. But increasing the exposure of your data requires careful planning as to how to secure that data.

The W3C is working hard on specifications to describe encryption and digital signature techniques. Finalization of these specifications will result in XML parsers incorporating these important security aspects within themselves. Widespread adoption of these specifications will increase the use of these technologies by allowing entities on the Internet to interoperate smoothly and securely. Encryption will ensure that only those entities you allow have the ability to decrypt your data, and digital signatures will ensure that the sender is who it claims to be, but these are not your only defenses to ensure the security of your information.

As with anything on the Internet, you have to be careful and think about what you are willing to expose to literally everybody. Encryption algorithms and their implementations get broken, so don't think that your data is safe just because it is encrypted. Be very selective as to what information you make available on the Internet. Examine what you are trying to achieve before relying on security to protect yourself. There may be other ways to accomplish what you wish by simply changing your process. Program defensively and trust no one. With these precautions taken, your XML will be as secure as anything can be that is on or off the Internet.

Solutions Fast Track

Defining XML

; XML defines a logical structure used in defining and formatting data. XML's power lies in its simplicity: it is easy to understand, easy to use, and easy to implement.

; XSL allows for the transformation of XML into virtually any format, including HTML. XSL is very powerful, being a full programming language, and makes it even easier for XML to communicate with virtually any entity on the Internet.

Creating Web Applications Using XML

; XML and XSL should be used in conjunction with HTML when creating your Web applications. With these tools, your Web applications will be easier to maintain and can support a wider variety of browsers.

; XML should not only be used in communicating with different entities over the Internet, but should be used as a means of communication within your application also. This provides for an architecture that is easier to integrate with and easier to extend in the future.

The Risks Associated with Using XML

; Anything and everything on the Internet is vulnerable. Expose only data and code that is absolutely necessary.

; If information is not meant to be seen, it is much safer to transform the XML document to exclude the sensitive information prior to delivering the document to the recipient, rather than encrypt the information within the document.

; XSL is a complete programming language, and at times may be more valuable than the information contained within the XML it transforms. When you perform client-side transformations, you expose your XSL in much the same way that HTML is exposed to the client.

Securing XML

; Use existing methods of security to protect your XML. HTTPS works with your XML in the same way it does with HTML.

; Try to keep everything on the server. Perform your XSL transformation on the server, thus only sending HTML or relevant XML to the client.

; The goal of the XML Encryption specification (currently in working-draft form) is to describe a digitally encrypted Web resource using XML. The specification provides for the encryption of an element including the start and end tags, the content within an element between the start and end tags, or the entire XML document. The encrypted data is structured using the <EncryptedData> element.

; The XML Digital Signature specification is a fairly stable working draft. Its scope includes how to describe a digital signature using XML and the XML-signature namespace. The signature is generated from a hash over the canonical form of the manifest, which can reference multiple XML documents.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: How do I know when to use an element versus an attribute when defining the structure of my XML?

A: It is very hard to define catchall rules to determine when to use an element versus an attribute. Remember, though, that you can do very little validation with attributes other than making sure that they exist. For the most part, if there is any doubt, use an element to describe your content.

Q: Are there any XML editors out there?

A: Yes, quite a few, one of which is XML Notepad by Microsoft, which is not very good. The one we personally prefer to use is XML Spy. You may have a little learning curve with the user interface, but it is by far the best XML editor available when considering the price. Sometimes, though, nothing beats Notepad when you need something down and dirty.

Q: Do I always have to define a schema for my XML document?

A: No, you don't always need a schema. Schemas are great for when you have to do validation, typically when exchanging XML documents over the Internet; documents arriving from another party are the case where validation earns its cost. Performing validation all the time may seem like a great idea, but it is a very expensive operation that can bog down a Web server. When shooting out XML to the Web, you typically don't need a schema, though it is a great way to document your XML.

Q: How can I use XSL to make my applications completely browser independent?

A: XSL is a tool you can use to transform XML to HTML. You can create several style sheets, each especially suited for a particular browser, and depending on the browser of the client, you can transform the XML using the respective style sheet. This not only allows you to support Netscape and Internet Explorer, but also allows you to support almost any Internet-enabled device, from handhelds to cell phones.

Chapter 9

Building Safe ActiveX Internet Controls

Solutions in this chapter:

; The Dangers Associated with Using ActiveX

; Methodology for Writing Safe ActiveX Controls

; Securing ActiveX Controls

; Summary

; Solutions Fast Track

; Frequently Asked Questions

ActiveX controls are Microsoft's implementation of the Component Object Model (COM). Microsoft designed ActiveX to replace the older Object Linking and Embedding (OLE) model that was used in earlier versions of the Windows platform. ActiveX is an improvement on OLE in that it adds extensibility to the model and allows for distributed computing (DCOM), as well as better performance in local applications. ActiveX controls are commonly written in either Visual Basic or C++. ActiveX controls are apparent throughout the Windows platform and add many of the new interactive features of Windows-based applications, and especially Web applications. They fit nicely into HTML documents and are therefore portable to many systems. ActiveX controls can be used in applications to perform repetitive tasks or invoke other ActiveX controls that perform special functions. Once an ActiveX control is installed, it runs automatically and does not need to be installed again. As a matter of fact, an ActiveX control can be downloaded from a distant location via a URL link and run on your local machine over and over without having to be downloaded again. This allows ActiveX controls to be activated from Web pages.

The security issues involving ActiveX controls are very closely related to the inherent properties of ActiveX controls. ActiveX controls do not run in a confined space or "sandbox" as Java applets do, so they pose much more potential danger to applications. Also, ActiveX controls are capable of all operations that the user is capable of, so controls can add or delete data and change the properties of objects. Even though JavaScript and Java applets seem to have taken the Web programming community by storm, many Web sites and Web applications still employ ActiveX controls to service users.

As evidenced by the constant news flashes about compromised Web sites, many developers have not yet mastered the art of securing their controls, even though ActiveX is a pretty well-known technology. This chapter serves to aid you in identifying and averting some of the security issues that may arise from using poorly coded ActiveX controls (many of which are on the Internet, freely available for download). We will banish common misconceptions about ActiveX and introduce you to best practices for rendering safe, secure, and functional ActiveX controls.

Dangers Associated with Using ActiveX

The primary dangers associated with using ActiveX controls stem from the way Microsoft approaches security. By using their Authenticode technology to digitally sign an ActiveX control, Microsoft feels they can guarantee to the user where the control came from and that it has not been tampered with since it was created. In most cases this is true, but there are several things that Microsoft does not do, which poses a serious threat to the security of your individual machine and your network. The first and most obvious danger is that Microsoft doesn't limit the access that the control has after it is installed on your local machine. This is one of the key differences between ActiveX and Java. Java uses a method known as sandboxing. By sandboxing a Java applet, the runtime confines it to a restricted execution environment that isolates it from things like the file system and other applications. This puts some serious limitations on what you can do with an applet. ActiveX controls, on the other hand, have the same rights as the user who is running them after they are installed on a computer. Microsoft also does not guarantee that the author is the one using the control, or that it is being used in the way it was intended, or on a site or pages that it was intended for. Microsoft also cannot guarantee that the owner of the site or someone else has not modified the pages since the control was put in place. It is the exploitation of these properties that poses the greatest danger associated with using ActiveX controls. Put another way, an Authenticode signature answers "who wrote this?" and says nothing about "what can it do?" or "who may script it?"; it is a statement of origin, not of safety.

For example, Scriptlet.Typelib is a Microsoft ActiveX control that developers use to generate Type Libraries for Windows Script Components (WSCs). One of the functions of this control is that it allows files to be created or modified on the local computer. Obviously, this is an ActiveX control that should be protected from untrusted programs. According to the CERT Coordination Center (CERT/CC), this control is incorrectly marked as "safe for scripting" when it is shipped with Internet Explorer versions 4.0 and 5.0. As a result, a hacker could write malicious code to access and execute this control without you ever knowing that it has happened. Two well-known viruses exploit this vulnerability: kak and BubbleBoy. Both are delivered through HTML-formatted e-mail and affect the Windows Registry and other system files. Microsoft issued a patch for the underlying vulnerability in 1999 (Microsoft Security Bulletin MS99-032); the viruses kept spreading on machines that had not applied it.

Because Scriptlet.Typelib is marked "safe for scripting," the default security settings of Internet Explorer, Outlook, and Outlook Express allow the control to be used without raising any security alerts. The kak virus uses this security hole in an attempt to write an HTML Application (HTA) file into the Windows startup directory. Once there, kak waits for the next system startup or user login. When this happens, the virus can go back to work and cause its intended damage. It then goes through a series of writing and modifying several files. The end result is that you end up with a new signature file that attaches itself to all outgoing messages and includes the virus (see Figure 9.1). This is the method that kak uses to propagate itself.

Figure 9.1 Microsoft Outlook Express Options Dialog Box


The final insult comes when the day of the month and current hourare checked If it is 6:00 P.M or later on the first day of any month, kakdisplays a dialog box saying “Not Today” (see Figure 9.2); when thisdialog box is closed, kak calls a Win32 API function causing Windows toshut down Because this code is in the HTA file that runs at each startupand login, restarting an afflicted machine at or after 6:00 P.M on the firstday of any month results in the machine starting up, displaying the “NotToday” message, then shutting down.With the ability to create or

modify files and make registry entries and API calls, you can see howdangerous this control could be

Avoiding Common ActiveX Vulnerabilities

One of the most common vulnerabilities with ActiveX controls has to do with the programmer’s perception, or lack thereof, of the capabilities of the control. Every programmer that works for a company or consulting firm and writes a control for a legitimate business use wants his control to be as easy to use as possible. He takes into consideration the intended use of the control, and if it seems OK, he marks it “safe-for-scripting.” This is a double-edged sword. Without marking it “safe,” you are inundated with warnings and messages on the potential risk of using a control that is not signed or not marked as safe. Depending on the security settings in your browser, you may not be allowed to run it at all (see Figure 9.3). After it is marked as safe, other applications and controls have the ability to execute the control without requesting your approval.

You can see how this situation could be dangerous. A good example of the potential effects of ActiveX is the infamous Windows Exploder control. This was a neat little ActiveX control written by Fred McLain (www.halcyon.com/mclain/ActiveX) that demonstrates what he calls “dangerous” technology. All his control does is perform a clean shutdown and power-off of the affected Windows system. Now this does not seem so bad, and no, it was not written that way by mistake, but it definitely helps get the point across. You have to be careful with ActiveX controls. You have to know everything your control is capable of before you release it.

Figure 9.2 HTML Application Dialog Box
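The point above, that a control must do only what its author intends, in code. This is an added example written for this edit, not code from the book and not from any Microsoft control: a control method whose purpose is to create type library files checks the caller-supplied name against the one directory and file type it was designed for, so it cannot be turned into the general "write any file anywhere" primitive that the Scriptlet.Typelib control turned out to be. The base directory, the `.tlb` rule and the function names are assumptions chosen for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Added example (not from the book): a control that exists to write type
// library (.tlb) files only accepts file names that stay inside one base
// directory and carry the expected extension. Names, paths and the .tlb
// rule are assumptions chosen for illustration.

// Split `p` on '/' or '\' and resolve "." and ".." lexically.
// Returns false if ".." would climb above the base directory.
static bool normalize_relative(const std::string& p, std::vector<std::string>* out) {
    std::string part;
    auto flush = [&]() -> bool {
        if (part.empty() || part == ".") { part.clear(); return true; }
        if (part == "..") {
            if (out->empty()) return false;   // escape attempt: refuse
            out->pop_back();
        } else {
            out->push_back(part);
        }
        part.clear();
        return true;
    };
    for (char c : p) {
        if (c == '/' || c == '\\') {
            if (!flush()) return false;
        } else {
            part += c;
        }
    }
    return flush();
}

// Case-insensitive extension check (Windows file systems ignore case).
static bool has_extension(const std::string& name, const std::string& ext) {
    if (name.size() <= ext.size()) return false;
    std::string tail = name.substr(name.size() - ext.size());
    for (char& c : tail) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return tail == ext;
}

// Returns the path the control may write to, or "" if the request is refused.
std::string allowed_output_path(const std::string& base_dir, const std::string& requested) {
    // Absolute paths and drive-letter paths are refused: the caller only
    // names a file inside the base directory, never the directory itself.
    if (requested.empty() || requested[0] == '/' || requested[0] == '\\') return "";
    if (requested.size() >= 2 && requested[1] == ':') return "";
    std::vector<std::string> parts;
    if (!normalize_relative(requested, &parts) || parts.empty()) return "";
    // Only the artifact the control was written to produce; .hta, .exe,
    // .vbs and everything else are refused regardless of location.
    if (!has_extension(parts.back(), ".tlb")) return "";
    std::string result = base_dir;
    for (const std::string& seg : parts) result += "/" + seg;
    return result;
}

int main() {
    const std::string base = "C:/Controls/TypeLibs";   // constructed base directory
    const char* requests[] = {"MyLib.tlb", "sub/../Other.TLB", "..\\..\\Startup\\x.hta",
                              "C:\\Windows\\x.tlb", "payload.hta"};
    for (const char* r : requests) {
        std::string p = allowed_output_path(base, r);
        std::cout << r << " -> " << (p.empty() ? "refused" : p) << '\n';
    }
    return 0;
}
```

The check is purely lexical, which is all a control can do before it touches the disk. On a real system it should be paired with opening the file in a way that does not follow symbolic links or junctions and, on Windows, with canonicalizing the final path (for example through GetFullPathName) before the write, because a lexical check cannot see a link under the base directory that points somewhere else.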

Another problem that arises as a result of the lack of programmer consideration is having a control misused and at the same time taking advantage of the users’ privileges. Just because you have a specific use in mind for a control does not mean that someone else cannot find a different use for the control. Someone out there will always be less trustworthy than you and will try to exploit your creativity. Take into consideration the Scriptlet.Typelib example in the previous section. The programmers at Microsoft knew that their control worked fine creating Type Libraries for WSCs, but they never considered that someone might use their control to write HTA files or make registry modifications.

Another common vulnerability in ActiveX controls is releasing versions that have not been thoroughly tested and contain bugs. One specific bug that is often encountered in programs written in C++ is the buffer overflow bug. This occurs when you copy a string into a fixed-length array and the string is larger than the array. The result is a buffer overflow and a potential application crash. With this type of error, the key is that the results are unpredictable. If you are lucky, you may get an Event Detail box (see Figure 9.4). The buffer overflow may just print unwanted characters on your screen, or it may kill your browser and in turn lock up your system. This problem has plagued the UNIX/Linux world for years, but recently has become more and more noticeable on the Windows platform. If you browse the top IT security topics at Microsoft TechNet (www.microsoft.com/technet/security/current.asp), you may notice that one or more issues involving this type of error are found monthly. This is not exclusively a Microsoft problem, but it affects almost every vendor that writes code for the Windows platform. To illustrate how far-reaching this type of problem is, in a recent report found on the secureroot Web site (www.secureroot.com), Neal Krawetz reported that he had identified a buffer overflow condition in the Shockwave Flash plug-in for Web browsers. He states, “Macromedia’s Web page claims that 90 percent of all Web browsers have the plug-ins installed. Because this overflow can be used to run arbitrary code, it impacts 90 percent of all ‘Web’ enabled systems.” Now that’s a scary thought! Although this is a very widespread type of error, the solution is simple: Take the extra time required to do thorough testing and ensure that your code contains proper bounds checking on all values that accept variable length input.

Figure 9.3 Microsoft Internet Explorer Alert
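The fixed-length copy described above, side by side with a bounds-checked version. This is an added example, not code from the book: `set_name_unchecked` is the classic strcpy into a fixed array, and `set_name_checked` refuses anything that does not fit (including the terminating NUL) instead of writing past the buffer. The buffer size, function names and sample strings are constructed for illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

// Added example (not from the book): a property setter on a control receives
// a caller-controlled string and stores it in a fixed-length array. Buffer
// size, names and sample input are constructed for illustration.

constexpr std::size_t kNameBufSize = 16;   // 15 characters plus the terminating NUL

// BEFORE (vulnerable): strcpy stops only at the source NUL, so a source of
// 16 or more characters writes past the end of `dest`. Shown for contrast;
// it is never called with over-long input in this file.
void set_name_unchecked(char (&dest)[kNameBufSize], const char* src) {
    std::strcpy(dest, src);   // no bounds check at all
}

// The condition under which the unchecked copy overflows.
bool unchecked_would_overflow(const char* src, std::size_t dest_size) {
    return std::strlen(src) + 1 > dest_size;   // +1 for the NUL
}

// AFTER (hardened): scan and copy are both bounded by the destination size,
// and input that does not fit is refused rather than silently truncated.
bool set_name_checked(char* dest, std::size_t dest_size, const char* src) {
    if (dest == nullptr || src == nullptr || dest_size == 0) return false;
    std::size_t len = 0;
    while (len < dest_size && src[len] != '\0') ++len;   // never reads past dest_size
    if (len == dest_size) return false;                   // no room for the NUL
    std::memcpy(dest, src, len);
    dest[len] = '\0';
    return true;
}

struct StoreResult {
    bool accepted;       // whether the setter took the value
    std::string value;   // what ended up in the buffer (empty when refused)
};

// Runs the hardened setter against a fresh buffer so the outcome can be inspected.
StoreResult store_name(const char* src) {
    char buf[kNameBufSize] = {};
    bool ok = set_name_checked(buf, sizeof buf, src);
    return StoreResult{ok, ok ? std::string(buf) : std::string()};
}

int main() {
    const char* inputs[] = {"Widget", "fifteencharsxxx", "sixteencharsxxxx"};
    for (const char* in : inputs) {
        StoreResult r = store_name(in);
        std::cout << '"' << in << "\" (" << std::strlen(in) << " chars): "
                  << (unchecked_would_overflow(in, kNameBufSize) ? "strcpy would overflow; " : "fits; ")
                  << (r.accepted ? "checked setter accepted" : "checked setter refused") << '\n';
    }
    char legacy[kNameBufSize];
    set_name_unchecked(legacy, "Widget");   // safe only because this input is known to fit
    std::cout << "legacy buffer holds: " << legacy << '\n';
    return 0;
}
```

The hardened setter deliberately rejects rather than truncates: a silently shortened value is still a bug, just a quieter one, and the rejection is what tells the calling script that its input was out of bounds. The same pattern (bound the scan, bound the copy, reserve room for the terminator) applies to every array that receives variable-length input from a caller.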

Another vulnerability occurs in using older, retired versions of ActiveX controls. Some may have had errors, some not. Some may have been changed completely or replaced for some reason. After someone else has a copy of your control, you can’t guarantee that the current version will be used, especially if it can be exploited in some way. Although you will get an error message when you use a control that has an expired signature, a lot of people will install it anyway just because it still has your name on it (see Figure 9.5). Unfortunately, there is no way to prevent someone from using your control after you have retired it from service. After you sign and release a control that can perform a potentially harmful task, it becomes fair game for every hacker on the Internet. In this case, the best defense is a good offense. Thorough testing before you release your control will save you later.

Figure 9.4 Windows Error Event Detail Box

As a user, you should also be on the offensive. Never install a control that’s unsigned or one that has an expired signature. The potential harmful results are countless. After you install them, ActiveX controls have the same rights that you do and can perform the same tasks that you can. They can do everything from sending sensitive data as an e-mail attachment to calling a shell command such as delete. If you do decide to install an unsigned or expired control, be sure that you understand the risks.

Lessening the Impact of ActiveX Vulnerabilities

ActiveX vulnerability is serious business for network administrators,

Figure 9.5 Security Warning for Expired Signature


managed ActiveX controls can be devastating; for others, it is never taken into consideration. You can put policies in place that will disallow the use of all controls and scripts, but this has to be done at the individual machine level, and it takes a lot of time and effort to implement and maintain. This is especially true in an environment where the users are more knowledgeable on how to change browser settings. Other options can limit the access of ActiveX controls, such as using firewalls and virus protection software, but the effectiveness is limited to the obvious and known. Although complete protection from the exploitation of ActiveX vulnerabilities is difficult—if not impossible—to achieve, users from every level can address several issues to help minimize the risk.

Protection at the Network Level

As a network administrator, the place to start is addressing the different security settings available through the network operating system.

■ You can use options like Security Zones and Secure Socket Layer (SSL) protocols to place limits on controls.

■ You have access to the CodeBaseSearchPath in the system registry, which controls where your system will look when it attempts to download ActiveX controls.

■ You have the Internet Explorer Administration Kit (IEAK), which can be used to define and dynamically manage ActiveX controls.

Although all of these are great, you should also consider implementing a firewall. Some firewalls have the capability of monitoring and selectively filtering the invocation and downloading of ActiveX controls. Some do not, so be aware of the capabilities of the firewall you choose.

Protection at the Client Level

As an end user, one of the most important things you can do is to keep your operating system with all its components and your virus detection software current. Download and install the most-current security patches and virus updates on a regular basis. Another option for end users as well as administrators is the availability of Security Zone settings in Internet Explorer, Outlook, and Outlook Express. These are valuable security tools you should use to their fullest potential.

Setting Security Zones

Properly set Security Zones can dramatically reduce your potential vulnerability to ActiveX controls. There are five Security Zones: Local Intranet zone, Trusted Sites zone, Restricted Sites zone, Internet zone, and My Computer zone. The last zone, My Computer, is only available through the IEAK and not through the browser interface. If you do not have access to the IEAK, you can also access the Security Zone settings through the [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones] registry key. The appropriate settings for this key are shown in Table 9.1.

Table 9.1 Security Zone Settings in Internet Explorer, Outlook, and Outlook Express

Registry Key Setting Security Zone

Complete the following steps to modify the Security Zone settings through Internet Explorer 5.x:

1. From the Tools menu, select Internet Options. The Internet Options dialog box appears.

2. Select the Security tab. The Security Options panel appears.

3. Select the zone you wish to change. For most users, this is the Internet zone, but depending on your circumstances, you may need to repeat these steps for the Local Intranet zone as well.

Posted: 14/08/2014, 04:21