Re: Are Java and JavaScript really so malicious for Windows system
- From: fluidly unsure <dripping@xxxxxxxxxxxxxx>
- Date: Sat, 03 Dec 2005 07:52:34 GMT
Lionel Fourquaux wrote:
> "fluidly unsure" <dripping@xxxxxxxxxxxxxx> wrote in message
> news: XJCjf.25090$dO2.20179@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
>> I was referring to ActiveX. Do other browsers have the same
>> capabilities? My experience with Opera is years-old, with Konqueror it
>> is limited, and I have none with Safari. I'm not planning on using Lynx
>> ever again.
>>
>> In FF, software being able to install itself is available, but I haven't
>> heard of that being exploited yet. So far, this feature is more secure
>> than Active X. Who knows what tomorrow will bring.
>
>
> What you call "ActiveX" is simply the ability to extend the browser
> using binary plugins. ActiveX itself is only a very simple interface
> convention used for programming these plugins. Firefox also has binary
> plugins, with a different interface convention, and they have exactly as
> much system access as ActiveX objects.
>
> The main issue with IE here is that many ActiveX objects were marked as
> "safe", then turned out not to be so safe in the end. This is
> increasingly sorted out.
>
>>> Whatever the browser, once you break out of the sandbox, your account is
>>> compromised.
>>>
>>
>> Sounds reasonable, but isn't that an easy task (relatively speaking)
>> in IE?
>
I thought privilege escalation was easier in Windows. At least prior to SP1.
>
> Basically, you are asking "which browser is more secure?". The question
> is too complex for a yes/no answer.
>
I hope not. I try to take the user's needs into consideration. When I'm
asked questions like this I tell the user that the only way to really
secure a machine is to throw it out the window and use a sledge hammer
on the HD.

Personally, I use FF/TB in a limited account for everyday work. I only
use IE in an administrative account when updating the OS/AV/etc, and in
a limited account when visiting eCommerce sites or any important site
that depends on MS's compliance. I never use any other Internet access
in an administrative account.

I advise non-techie users to use IE with SP2 and then I educate them in
"safe hex" practices.

I'm probably going to look again at Opera because it has more control
over the quality of their product and they don't allow third-party
extensions. Proof that closed-source does have some security benefits.

I use many extensions in FF/TB. But I started wondering what my set-up
has resulted in. I assume more capabilities = more code = more potential
flaws = more potential exploits. While I wasn't pleased with the
increased exposure in IE, I realized I was doing the same thing by
putting so many extensions in FF.

I used to think that extensions were safe so far-- no exploits yet. But
then I did some research and found otherwise.

>>> Very difficult registry hack: set the security zone to High for Internet
>>> sites.
>>
>>
>> I didn't say you couldn't get around it, but that it was difficult. The
>> solution you offered is very draconian and will break many web-sites
>> today.
>>
>> Something more targeted like adding specific websites to the
>> trusted/restricted zones is again possible but too difficult for most
>> users.
>>
>> I use Eric Howe's Enough-Is-Enough. It works for both techies like me
>> and end-users who don't want to understand the inner-workings of
>> Windows/IE.
>
>
> It looks like a variation of setting the Internet zone to High, and
> adding sites to the trusted zone, with a user-friendly UI. MS has a
> similar UI here:
> http://www.microsoft.com/windows/ie/previous/webaccess/pwrtwks.mspx
>
> Of course, it's safer, but it's too complicated for most users. Note
> that Firefox, Opera, Safari, etc all enable javascript execution by
> default. IMHO IE with the SP2 and patches is usually good enough from
> the technical point of view, so is Firefox. Neither is perfect, so
> updates are necessary, but many attacks rather use social engineering:
> no matter how secure the browser is, it's meaningless if the users
> download and install random malware (whatever its packaging, standalone
> program or browser extension).
>
Yes, EiE does use MS's power tweaks. It's just that it is easier to
install. The zones are properly set-up and these power tweaks buttons
are installed. All with about half a dozen keystrokes.

When I think about how "security is meaningless when the end-user
downloads/installs [and clicks links that might lead to] random
malware", I start thinking about the users who are always contaminating
their machines. But then, we all make mistakes. I doubt if anybody
hasn't been duped at least once. I know there is more than one time I
thought of the potential consequences a moment too late.

>> Please don't take my posts like I'm trying to disrepute you, I want to
>> learn.
>
>
> I'm not taking it ill at all. There are some nonobvious points here, and
> lots of confusion being spread around (not necessarily with malicious
> intent).
>
Thank you.

I was surprised when you started answering questions. That is usually a
rare case. It doesn't matter if the questions are intermediate or
"newbie" questions. Many/most people with advanced knowledge seem to
think it is too demeaning for them to answer questions.

So while you are open I'm going to ask you more.

I'm looking for an inexpensive way to set up a Malware laboratory. I
already have network analysis capabilities (3 comps, a hub, Ethereal,
Windump, NetCat).

Now I need to:

1) put programs in a VM sand-box (like JAVA's JVM)
I know about VMWARE but don't have the money right now.

2) put programs in a directory jail (like CHROOT)
I've tried a complicated hierarchical privilege scheme but it was a real
PITA to maintain.

3) get a lightweight debugging package for w32
I currently use VS6 with symbols installed from MSDN. But I assume its
footprint would affect some tasks. Would you suggest GDB for windows,
WinDbg from MS, or something else?

Am I missing anything?

--
Liquid