
Communication Security: Web Based Services • Chapter 5  301

and other scripting languages in their e-mail applications, a measure that is often overlooked. Many people assume that if they do not use a Microsoft e-mail application, they are safe. But if an e-mail client is capable of displaying HTML pages (for example, Eudora), chances are they are just as vulnerable using it as they would be using Outlook Express.

Developers have the most important responsibility: they control the first line of defense against ActiveX vulnerabilities. They must stay current on the tools available to assist in securing software, always consider the risks involved in writing mobile code, follow good software engineering practices, and be extra careful to avoid common coding problems and easily exploited coding mistakes. Most importantly, they must use good judgment and common sense and test, test, test before releasing the code to the public. Remember, after signing it and releasing it, it is fair game.



NOTE
Hackers can usually find some creative way to trick a user into clicking on a seemingly safe link or opening an e-mail with a subject like "In response to your comments." Once a Web page is loaded in the browser, or an e-mail is opened or previewed in the e-mail software, scripts, components, and applets in the HTML document can be downloaded, loaded into memory, and run. If the code is malicious and designed to exploit a vulnerability, any number of issues (including running remote code) may occur. It is important to be wary of e-mail from unknown users or Web pages that only seem legitimate, to have the latest service patches installed to resolve vulnerability issues, and to make sure that security software on the computer (including anti-virus software) is up-to-date.
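As an added illustration of the note above and of the advice to disable scripting in e-mail clients (example code, not from the book), the following JavaScript scans an HTML e-mail body for the kinds of active content the note describes and strips them before the body is rendered. The sample e-mail body, the function names and the pattern list are all constructed for this example, and a regex scan like this is only a pre-check layered on top of disabling scripting in the mail client, not a substitute for it.

```javascript
// Added example (not from the book): a defensive pre-check that flags and
// strips active content in an HTML e-mail body before a client renders it.
// It is regex-based, so treat it as a belt-and-braces check on top of
// disabling scripting in the mail client, not as a replacement for it.

// Kinds of active content the chapter describes: <script> blocks,
// <object>/<embed>/<applet> (ActiveX, plug-ins, Java applets),
// inline event handlers such as onload=, and javascript: URLs.
const ACTIVE_CONTENT_PATTERNS = [
  { name: "script-tag",     re: /<\s*script\b/i },
  { name: "object-embed",   re: /<\s*(object|embed|applet)\b/i },
  { name: "event-handler",  re: /\son[a-z]+\s*=/i },
  { name: "javascript-url", re: /(href|src)\s*=\s*["']?\s*javascript:/i },
];

// Return the names of every pattern that matches the HTML body.
function findActiveContent(html) {
  return ACTIVE_CONTENT_PATTERNS
    .filter(({ re }) => re.test(html))
    .map(({ name }) => name);
}

// Remove the active content so only static markup remains; this is the
// programmatic equivalent of "disable scripting in the e-mail client".
function stripActiveContent(html) {
  return html
    .replace(/<\s*script\b[\s\S]*?<\s*\/\s*script\s*>/gi, "")
    .replace(/<\s*(object|embed|applet)\b[\s\S]*?<\s*\/\s*\1\s*>/gi, "")
    .replace(/\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "")
    .replace(/(href|src)\s*=\s*["']?\s*javascript:[^"'\s>]*["']?/gi, '$1="#"');
}

// Constructed sample e-mail body using the subject line the note mentions.
const SAMPLE_EMAIL = `<html><body>
<h1>In response to your comments</h1>
<p onmouseover="alert('hi')">Thanks for writing.</p>
<a href="javascript:void(0)">Click here</a>
<script>alert('this would run when previewed');</script>
</body></html>`;

console.log(findActiveContent(SAMPLE_EMAIL));
// → [ 'script-tag', 'event-handler', 'javascript-url' ]
console.log(stripActiveContent(SAMPLE_EMAIL));
```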






JavaScript
JavaScript is different from ActiveX and Java in that it is not compiled into a program. Despite this, JavaScript uses some of the same syntax and functions as Java. JavaScript is not a full-fledged programming language (as Java is). It cannot create standalone applications; instead, the script typically is part of an HTML document, using the <SCRIPT> tag to indicate where the code begins and where it ends. When a user accesses an HTML document with JavaScript in it, the code is run through an interpreter. This is slower than if the program were already com-




                                                                              www.syngress.com