Hack the Gibson – Episode #61


Read the reason for these posts. Read Steve Gibson’s response.

And here is another episode which starts out well and is, on average, better than the previous ones, but a few mistakes still slip in.

About the new, as-yet-unpatched Windows flaw: I couldn’t find any information on it, so I’m not sure which flaw we are talking about, but just so that we are all on the same page: a remotely exploitable flaw is one which (under certain circumstances, such as the vulnerable service running and being reachable over the network) can be exploited with zero, I repeat, zero user intervention. It is the kind of flaw which made Blaster and Sasser possible. The WMF flaw was not of this kind, since it required user intervention (although very little: opening or previewing a crafted image). So, just so that we are clear about the definition: a user viewing a web page does not equal remotely exploitable. Maybe the expression they were looking for was arbitrary code execution. Vendor advisories often call both cases “remote code execution”, so the distinction worth checking in any advisory is whether user interaction is required or not.

Now for the main feature: ActiveX scripting. First let me make it very clear: there is no such thing as ActiveX scripting, or at least not in the sense used in the podcast. ActiveX and scripting are two different technologies; they live in a common environment (the browser) and can interoperate (a script can instantiate an ActiveX control, for example), but they are switched on and off separately. As proof, go to your Internet Options, open the Security tab and look at the custom level of a zone: you can disable or enable ActiveX controls and Active scripting independently (in the registry these are separate per-zone policy values, 1200 for running ActiveX controls and plug-ins and 1400 for Active scripting). It is true, however, that at the High security level both are disabled.

A short note about the technology used to deliver our e-mails. The method is the following: you write your e-mail, contact your mail server and hand it the message. Your mail server then contacts the recipient’s mail server and hands it the message. Finally the recipient connects to his mail server and fetches it. What it comes down to is that the first and the last steps can be secured (by using something like SSL/TLS between client and server), but there is no guarantee for the middle part: mail servers can negotiate TLS between themselves (STARTTLS), but it is optional, hop-by-hop and not something the sender can enforce, and each server along the way still handles the message in the clear. The usual analogy for e-mail is that it’s like a postcard: you can make sure that nobody looks at your postcard until you hand it over to the postal service, and the recipient can make sure that nobody looks at it after s/he got it, but neither of you has any guarantee that it wasn’t read during transport. The common counter-argument is that snooping is improbable because of the sheer volume of traffic, but that is not a guarantee; if the content matters, encrypt the message itself (PGP or S/MIME) so that the servers in the middle only ever carry ciphertext.

About data retention: you don’t need to retain the full data stream to have at least some valuable information. You could, for example, retain only the packet headers, which reduces the volume significantly and still gives a lot of useful information (who talked to whom, when, over which ports and how much). Retaining only the headers and compressing them can reduce the volume at least 100 times (second-hand experience).

Finally a couple of words about JavaScript & company. This was one of the subjects of my first (unanswered) letter and, as you can see from my blog, I know a little bit about these technologies (although not about design, as I have to admit :)). The major technologies that augment plain HTML are: JavaScript / VBScript / ActiveScript / LiveScript, Flash, ActiveX and Java. Now it is important to understand that these are independent technologies, developed by independent companies (although they can interoperate at a certain level, they shouldn’t be confused).

The first in the list (and also historically) is JavaScript. It was developed for Netscape 2.0, I think, and was called LiveScript, but it was finished around the time Java was coming to market, so it was rebranded JavaScript to catch some of the marketing wind, so to speak, which was blowing from Sun. (I want to stress again that JavaScript and Java have nothing in common aside from the name: for example, even though both are object-oriented languages, they use different inheritance models, class-based versus prototype-based.) Then came Microsoft with IE and implemented JavaScript (as JScript) in it, but because they were always big supporters of BASIC, they also implemented VBScript. Now VBScript and JavaScript are, for all intents and purposes, equal (what you can do from one you can do from the other, and they can interoperate easily), with the exception that VBScript only runs in IE (this isn’t as much of a curiosity as you might think, since AFAIK the next version of Firefox will come with Python embedded, so on Firefox you will be able to program in JavaScript and Python). All these scripting languages are referred to by Microsoft as Active scripting (for example in the Security part of the Internet Options), not to be confused with ActionScript. ActionScript is a language very similar to JavaScript (both are implementations of the same ECMA standard, ECMAScript), the difference being that it runs inside Flash files (so if you have Flash installed and view a page with Flash in it, the given movie can contain ActionScript). Both of these technologies, as well as Java, offer a very strong sandbox, so it is very rare that something malicious can be done with them as long as the security settings are appropriate. That last condition matters: there is malware out there which, once it is running, lowers the security level of IE, adds sites to the Trusted Sites list or adds new certificates to the trusted CA store, and after that the sandbox settings no longer protect you. An ActiveX control, on the other hand, is native code with no sandbox at all: it gives full control of the system, or at least the level of control of the account under which IE is running. This is why it’s important to (a) not run as administrator and (b) only install ActiveX controls about which you are 100% sure. Ideally you should only install the ones required by Windows Update.

Hope this helps a little clearing up the confusion.
