On Sun, 21 Sep 1997, Wade Hampton wrote:
> Having recently read about the lack of security
> of Active X controls, I was wondering if I could
> get some specifics about its lack of security
> versus the security of JAVA. Also about the
> security of JAVA under Linux.
> I understand that
> MS's concept of security is a) investigate the
> vendor, b) issue a certificate of authority, c)
> vendor is now trusted to do anything (fox guarding
> the hen house!).
Microsoft never promised to investigate anybody. Proving identity
says nothing about trustworthiness. Code signing provides a measure
of accountability -- though not very much -- but accountability is
only one part of security.
> 1. How insecure is Active X?
Immensely. ActiveX executes native binary code. Within the
limitations of the MMU, this code can scribble all over memory. Since
ActiveX controls execute in the same address space as the browser,
they can overwrite the browser, other ActiveX controls, the
filesystem, and network connections either maliciously or
unintentionally.
In theory, ActiveX controls are restricted by the OS object-level
security of NT. (This is no protection for the majority of people who
use 95, of course.) However, few machines running browsers have
rigorously configured their filesystem or OS permissions, and even
fewer are protected against malicious code executed by the user
themselves.
> 2. How much more secure is Java than Active X
> (active X controls)?
Java has a specified, documented and enforced security model which
restricts the operations which an applet can perform. Amongst
other points:
- Java code is subjected to a verification process to check that
the bytecodes conform to the specification: class access must
be correct, types must be respected, opcodes must be valid, and
so on. ActiveX controls are native machine code and unverifiable:
the browser will happily try to execute garbage and crash.
- Through Java's SecurityManager interface, user agents can selectively
impose fine-grained controls on downloaded code, specifying which
files it can read or write, which hosts it can connect to, and so
on. ActiveX controls have full access to the Win32 API -- including
the undocumented bits -- and such control is impossible.
- Java has a well-defined exception model. ActiveX is native code
and uses multiple inconsistent exception-handling models. Hence,
buggy Java code will probably stop and report an exception, buggy
ActiveX code will probably crash the browser.
- You can read and check the Java VM specification, the source of
the SecurityManager, and so on, and satisfy yourself that they
don't leave any holes. You have to take Microsoft's word that
ActiveX is secure.
- Both Java and ActiveX support digital signing to verify the
authenticity and integrity of downloaded code. Java does this
using open standards, ActiveX is proprietary.
You can find more information at
http://java.sun.com/forum/securityForum.html
http://java.sun.com/forum/1.0.2.html
A search on 'ActiveX security' on www.microsoft.com on 22 Sep 1997 finds
no relevant content that is not password-protected!
> 3. How much more secure is Linux than NT? Than
> Win95?
It depends on the particular machine, and on who you ask. To answer
it in general, I think you have to measure a few different points on
the scale: say, the basic ordinary-user situation, and the paranoid
intelligent user situation.
It's probably fair to say that Linux installs in a more secure
configuration than NT in most distributions. That is, there are fewer
network bugs, it installs a genuinely secure FS, and at least encourages
you not to run everything as root.
If a knowledgeable person invests the same amount of time in two
systems, I imagine the Linux one would end up more secure. For a
small investment of time and less money one can obtain block-level
filesystem encryption, strong shadowed passwords, one-time passwords,
SSH encrypted remote connections, kernel-level IP firewalling,
trustworthy mail servers, and so on. None or few of these are
available for NT to my knowledge without considerable expenditure, and
in any case the source is not available for perusal or verification.
Although things have quietened down recently, NT was experiencing a
couple of major security bugs per week earlier this year, far more
than Linux. This proves nothing, but it does indicate the amount of
effort required to keep a system secure, and the danger of not
tracking every change.
I haven't checked recently, but I think the basic services in RedHat
4.2 are free of major problems since its release several months ago.
By contrast, the current version of NT available from s/w shops has
catastrophic bugs -- OOB and RPC attacks for example -- which allow
remote unauthorised access or DoS attacks. (I guess after you press a
few zillion CDs you want to sell them all before you start caring
about the fact that people are installing known bugs.)
There is a security vs obscurity question here, in that you can check
the Linux source to assure yourself of the security model and
implementation. Few people will read the whole thing of course, but
to a technically aware person I think perusing the qmail source
conveys more confidence than any amount of marketing guff.
> 4. What about corporate use of Active X controls
> versus Java on a sensitive Intranet?
If you absolutely trust everyone in your organization -- which is
probably OK up to about fifteen people -- then ActiveX is fine.
(Anyhow, rebooting regularly keeps your computer minty fresh.) If you
think that somebody might install one of the numerous malicious
ActiveX controls on their home page as a prank or attack, then you
should reconsider.
There's another problem of ActiveX controls coming in from the
Internet onto your public web site, and carrying out sensitive
information. (Remember the MSN installer that uploaded a directory of
their valued customers' hard disks?)
Apparently some of the firewall/proxy vendors, in response to public
demand, have added features to block incoming ActiveX controls.
> I have decided to use Linux for all WWW access,
> via a user account. Any sensitive information I
> have (e.g., financial) resides on a ZIP disk which
> is physically removed from the system when on
> the Internet.
It sounds like a good approach if you can justify the convenience/security
tradeoff.
I've heard it suggested, though I've never got around to it, that one
might run Netscape in a chroot jail as nobody.
To be fair, current Java implementations are not as fast as native
code, and can't access the Win32 API. (You may consider that last one
a feature.) In the short term, there are some situations where Java
is not a good choice. In the medium term, Java will get faster and
more powerful, but ActiveX will never be secure.
(This is perhaps off topic for this list. Maybe we should drop the
thread.)
::Boots
Any weapon must be kept concealed from the attackers view until
the exact moment of its usage -- Mace and Chemical Weapons, www.tscm.com
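What the SecurityManager bullet in the reply above describes in prose, as an added example written for this page (it is not code from the original post, from Sun, or from any browser of the period): a SecurityManager that lets "downloaded" code read only below one directory, never write, and open outbound connections only to one address and port. The sandbox directory is a temporary directory the program creates; 127.0.0.1:8080 (allowed) and 198.51.100.7:25 (a documentation-range address, denied) are arbitrary choices for the demo, and UntrustedCode stands in for an applet. It runs as is on JDK 11 to 17 and with -Djava.security.manager=allow on JDK 18 to 23; JDK 17 deprecated the SecurityManager for removal (JEP 411) and JDK 24 disabled it permanently (JEP 486), so on current JDKs the mechanism the post praises no longer exists.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example for this page, not code from the original post or from Sun.
// Run:  java AppletJail.java                                (JDK 11-17)
//       java -Djava.security.manager=allow AppletJail.java  (JDK 18-23)
public class AppletJail {

    /** Policy for the three operations the post names: file read, file write, outbound connect. */
    static final class AppletPolicy extends SecurityManager {
        private final String readableDir;  // canonical path with a trailing separator
        private final String allowedHost;  // an IP literal: Socket hands checkConnect the
                                           // resolved address, not the hostname
        private final int allowedPort;

        AppletPolicy(String readableDir, String allowedHost, int allowedPort) throws IOException {
            // Canonicalise and append a separator so "/tmp/sandbox-evil" cannot
            // pass a startsWith("/tmp/sandbox") test.
            this.readableDir = new File(readableDir).getCanonicalPath() + File.separator;
            this.allowedHost = allowedHost;
            this.allowedPort = allowedPort;
        }

        @Override public void checkRead(String file) {
            String canonical;
            try {
                canonical = new File(file).getCanonicalPath(); // resolves ".." and symlinks
            } catch (IOException e) {
                throw new SecurityException("read denied (unresolvable): " + file);
            }
            if (!canonical.startsWith(readableDir)) {
                throw new SecurityException("read denied: " + file);
            }
        }

        @Override public void checkWrite(String file) {
            throw new SecurityException("write denied: " + file); // applets never write locally
        }

        @Override public void checkConnect(String host, int port) {
            if (!host.equals(allowedHost) || port != allowedPort) {
                throw new SecurityException("connect denied: " + host + ":" + port);
            }
        }

        @Override public void checkPermission(java.security.Permission perm) {
            // Everything outside the three checks above is allowed here so the JVM's
            // own housekeeping keeps working; a real browser policy denies by default.
        }
    }

    /** Stands in for an untrusted applet; each attempt reports what happened. */
    static final class UntrustedCode {
        static String tryRead(String path) {
            try (BufferedReader in = new BufferedReader(new FileReader(path))) {
                return "read ok: " + in.readLine();
            } catch (SecurityException e) {
                return "blocked: " + e.getMessage();
            } catch (IOException e) {
                return "io error: " + e.getMessage();
            }
        }
        static String tryWrite(String path) {
            try (FileWriter out = new FileWriter(path)) {
                out.write("owned\n");
                return "write ok: " + path;
            } catch (SecurityException e) {
                return "blocked: " + e.getMessage();
            } catch (IOException e) {
                return "io error: " + e.getMessage();
            }
        }
        static String tryConnect(String host, int port) {
            try (Socket s = new Socket(host, port)) {
                return "connect ok: " + host + ":" + port;
            } catch (SecurityException e) {
                return "blocked: " + e.getMessage();
            } catch (IOException e) {
                return "io error: " + e.getMessage();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Build the sandbox before the manager goes in; writes are refused afterwards.
        Path sandbox = Files.createTempDirectory("applet-sandbox");
        Path allowed = sandbox.resolve("config.txt");
        Files.write(allowed, "greeting=hello\n".getBytes());
        Path outside = Files.createTempFile("secret", ".txt"); // same temp dir, outside the sandbox

        System.setSecurityManager(new AppletPolicy(sandbox.toString(), "127.0.0.1", 8080));

        System.out.println(UntrustedCode.tryRead(allowed.toString()));                        // read ok
        System.out.println(UntrustedCode.tryRead(outside.toString()));                        // blocked
        System.out.println(UntrustedCode.tryRead(sandbox + "/../" + outside.getFileName()));  // blocked: traversal
        System.out.println(UntrustedCode.tryWrite(sandbox.resolve("x").toString()));          // blocked
        System.out.println(UntrustedCode.tryConnect("198.51.100.7", 25));                     // blocked, no packet sent
    }
}
```

Two details a practitioner should notice. First, Socket passes the resolved address string, not the hostname, to checkConnect for any host it could resolve, which is why the whitelist holds an IP literal; and new Socket(hostname, port) performs the DNS lookup before the check runs, so a hostname-based attempt leaks a DNS query even when the connection is then refused. Second, the path check canonicalises both sides and compares with a trailing separator; a bare prefix comparison on the raw string is exactly the kind of hole the post's "satisfy yourself that they don't leave any holes" is about.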