
Java, JavaScript and ActiveX


Dateline: Toronto, ON, July 1997

What are Java, JavaScript and ActiveX? I am asked this question frequently in courses. The full answer is complex, but here is a quick overview.

Sun's Java, Netscape's JavaScript, or Microsoft's ActiveX add live content to Web presentations, enabling Web pages to look and act like desktop applications. When your browser is running one of these programs, it comes alive with active content, going far beyond standard HTML.

Java programs (applets) are downloaded from a server in the same way as a Web page. When one arrives, your browser starts a Java interpreter that executes it. Java confines applets to a sandbox: they may draw on the screen and use your computer's processor, but, in principle, they cannot read your files or reach other computers on your network (other than the server the applet came from).

However, a rogue applet can still abuse what the sandbox does allow. It can monopolize your system in an annoying, inappropriate or destructive way, chiefly by consuming memory and processor time until the machine is unusable.

JavaScript, despite its name, is not a subset of Java; it is a separate scripting language from Netscape, designed to be usable by non-programmers. Unlike Java, which is compiled before it is sent to you, JavaScript is plain text embedded in the Web page. It is not visible in the rendered page (though anyone can read it with the browser's View Source command), and it runs as soon as a JavaScript-capable browser loads the page.

In practice, malicious JavaScript is a more frequent threat than hostile Java applets. Scripts have been able to track you, read your files and directory listings, send file information back to a Web server, detect your e-mail address surreptitiously, or originate e-mail messages without your knowledge, mostly through flaws in particular browser versions that were later patched.

ActiveX packages programs (controls) for delivery over the Internet. Unlike Java applets, ActiveX controls run as native code with no sandbox: they can access your file system and anything else you can. Microsoft recognized that users would balk at downloading programs that could erase their hard drives, so it developed Authenticode, a code-signing scheme. When you are about to download a control, Microsoft Internet Explorer displays a warning and shows you the Authenticode certificate; if the control has no certificate, you see a warning to that effect instead. A certificate does not ensure the program is safe. It tells you who signed the control and that the code has not been altered since it was signed, nothing more.

A malicious ActiveX control can read, modify or delete any file on your computer, or plant a virus on your system.

Should you disable ActiveX, Java and JavaScript? Empirically, there is no evidence, as yet, that anyone has suffered serious loss of data or privacy because of these features. But they do introduce new avenues for attack and intrusion. Here, then, are some preliminary thoughts on controlling them.

  • Choose Help | About Internet Explorer or Help | About Netscape to verify which version you're using. If you're still running Internet Explorer 3.0 or any version of Netscape 2.0, upgrade to the latest version.

  • Avoid beta versions of any Web browser. Besides the obvious risk that these untested programs may crash your system, they may also contain security flaws.

  • If you're using Netscape 3.0, choose Options | Security Preferences, click the General tab, and enable the Submitting a Form Insecurely option. Netscape will then display a confirmation box before a form is submitted, including a form that sends e-mail, so a script cannot send an e-mail message without your knowledge.

  • As JavaSoft's documentation suggests, you "must be wary of executing any code that comes from untrusted sources." Netscape's new Communicator lets you set preferences that authenticate (verify the signer of) Java applets. If you're using Microsoft Internet Explorer 3.0, set the safety level to High, which ensures that no active content is downloaded without your approval. To set it: choose View | Options, click the Security tab, click the Safety Level button in the Active Content area, click High, and click OK until you are back in Internet Explorer.

  • To disable Java, JavaScript, or both in Netscape 3.0: from the Options menu, choose Network Preferences, click the Languages tab, clear the Enable Java and Enable JavaScript check boxes, and click OK.

  • To disable Java, JavaScript and ActiveX in Internet Explorer 3.0: choose View | Options, click the Security tab, and clear all the options in the Active Content area.

As each new Java, JavaScript or ActiveX flaw comes to light, the vendors promptly develop and release fixes. The challenge, then, is keeping track of the flaws and their fixes. Start with Microsoft, Sun and Netscape. Also worth a visit are Princeton University, RST Corporation, the Open Software Foundation, and Halcyon. You might also examine the FAQs at MIT, Sun and PenceLand. That should get you started.
