[4698] in WWW Security List Archive
Re: Big IE hole
daemon@ATHENA.MIT.EDU (Jay Heiser)
Thu Mar 6 19:23:42 1997
Date: Thu, 06 Mar 1997 17:04:44 -0500
From: Jay Heiser <Jay@homecom.com>
Reply-To: jay@homecom.com
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Goncalo Valverde wrote:
> Well, but one almost laughs when reading the folowing:
>
> " webmaster would have to create malicious code in order to enable the
> threat."
>
> In the Microsoft comments.. were talking about the Internet, where
> virtualy anybody can put up a web page, and you can bet that there are a
> lot of people that would create malicious code, some of them just for the
> fun of it..
But aren't virtually all computer security incidents anonymous? How
many destructive computer viruses are you aware of that come with the
author's name and phone number? How many people hack into computer
systems and deliberately leave their real name behind?
I expect that we'll see some hostile code attacks (although we haven't
yet), but I don't expect to see anyone doing it in their own front
yard. Attackers will either gain a web presence under an alias (and
have to figure out a way to attract visitors) or hack someone else's
page and insert the attack code.
Unlike viruses and human attacks, hostile applets will be
non-replicating entities unable to migrate away from a specific IP
address. The more people who get hacked, the more likely that the
attack will be discovered and shut down.
> I always thought that Microsoft's security concerns about the exploits of
> ActiveX where laughable (big deal if i know who is the responsible for the
> code, if they gather personal information from my computer and im not
> aware of it), but this brings a whole new dimension to it... (fortunatly
> im using a Linux machine at work, so IE and ActiveX isnt even an option
> :-))
Microsoft seems to have backed off of their claims for ActiveX and is
now longer pushing it as a replacement for Java. They don't recommend
using it w/o a certificate, which isn't really convenient for casual
use. If you want to do business over the web, then you have to trust
your business partners. Microsoft's idea makes more sense for dealing
with known entities on an ongoing basis. I don't see a certificate
infrastructure as being useful for accessing executable content on
anonymous sites -- Java's sandbox model is a better approach for that.
The sandbox model and the certificate model (to hyper simplify a much
longer explanation) have appropriate and inappropriate uses. Don't
throw either approach completely away because neither solves all
problems. MS was probably a bit over enthusiastic at first, but let's
not let personal feelings about Bill Gates affect our ability to make a
rational choice about security models.
>
> --
> This space for sale
--
Jay Heiser, 703-610-6846, jay@homecom.com
HomeCom Internet Security Services
http://www.homecom.com/services/hiss
For company & industry news...subscribe to newsletter@homecom.com
