
292    Chapter 5 • Communication Security: Web Based Services

             control without first asking the user’s permission. However, security holes can
             appear if you improperly create or implement an ActiveX control. Controls with
             security holes are called accidental Trojan horses. To this date, many accidental
             Trojan horses have been detected that allow exploits by hackers.
                 The default setting for Microsoft IE is actually to completely reject any
             ActiveX controls that are unsigned. This means that if an ActiveX control is
             unsigned, IE will not even ask the user if he or she wants to install it. This is a
             good default setting, because many people click on dialog boxes without reading
             them. If someone sent you an e-mail with an unsigned ActiveX control, Outlook
             Express will also ignore it by default.


              EXAM WARNING

                  Remember that an applet is a program that has the capability of performing
                  malicious activities on your system. The known security vulnerabilities in
                  Java and ActiveX can be fixed by downloading security-based hot fixes from
                  the browser creators’ Web site.





             Dangers Associated with Using ActiveX
             The primary dangers associated with using ActiveX controls stem from the way
             Microsoft approaches security. By using their Authenticode technology to digitally
             sign an ActiveX control, Microsoft attempts to guarantee the user of the origin of
             the control and that it has not been tampered with since it was created. In most
             cases this works, but there are several things that Microsoft’s authentication system
             does not do, which can pose a serious threat to the security of an individual
             machine and a network.
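             The two checks described above, the IE default that rejects unsigned controls and
             the Authenticode signature that vouches for origin and integrity, can be audited from
             an administrator's shell. The following PowerShell is an added example, not code from
             the study guide: it assumes the Internet zone is zone 3 under the Internet Settings
             registry key, that URL action IDs 1001 and 1004 govern signed and unsigned ActiveX
             downloads (0 = Enable, 1 = Prompt, 3 = Disable), and that $ControlPath is a placeholder
             for the control under review.

```powershell
# Added example (not from the study guide). Assumptions: zone 3 = Internet zone;
# URL action 1001 = "Download signed ActiveX controls", 1004 = "Download unsigned
# ActiveX controls"; data 0 = Enable, 1 = Prompt, 3 = Disable. $ControlPath is a
# placeholder for the .ocx/.dll being reviewed.
param(
    [string]$ControlPath = 'C:\path\to\control.ocx'   # placeholder path
)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$actions  = @{ '1001' = 'Download signed ActiveX controls'
               '1004' = 'Download unsigned ActiveX controls' }
$meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# 1. Confirm the browser policy: unsigned controls should be Disabled (3),
#    signed controls at most Prompt (1).
$zone = Get-ItemProperty -Path $zonePath -ErrorAction SilentlyContinue
foreach ($id in $actions.Keys) {
    $data = $zone.$id
    if ($null -eq $data) { "$($actions[$id]): not set (browser default applies)"; continue }
    $label = if ($meaning.ContainsKey([int]$data)) { $meaning[[int]$data] } else { "unknown ($data)" }
    $flag  = if ($id -eq '1004' -and [int]$data -ne 3) { '  <-- unsigned downloads not disabled' } else { '' }
    "$($actions[$id]): $label$flag"
}

# 2. Check the control itself: Authenticode proves who signed it and that the
#    bytes are unchanged since signing. It says nothing about what the control
#    does once installed, which is the page's point about missing sandboxing.
if (Test-Path -Path $ControlPath) {
    $sig = Get-AuthenticodeSignature -FilePath $ControlPath
    switch ($sig.Status) {
        'Valid'        { "Signed by: $($sig.SignerCertificate.Subject); file unmodified since signing" }
        'NotSigned'    { 'Unsigned: IE rejects this control outright under the default policy' }
        'HashMismatch' { 'Signature present, but the file was altered after signing: treat as tampered' }
        default        { "Signature status: $($sig.Status)" }
    }
} else {
    "Control not found at $ControlPath (placeholder path)"
}
```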
                 The first and most obvious danger is that Microsoft does not limit the access
             that the control has after it is installed on a local machine. This is one of the key
             differences between ActiveX and Java. Java uses a method known as sandboxing.
             Sandboxing a Java applet ensures that the application is running in its own
             protected memory area, which isolates it from things like the file system and other
             applications. The restrictions put on Java applets prevent malicious code from
             gaining access to an OS or network, and thwart untrusted sources from harming
             the system.
                 ActiveX controls, on the other hand, have the same rights as the user who is
             running them after they are installed on a computer. Microsoft does not guarantee



          www.syngress.com