Presentation transcript:

Active X and Signed Applets Chad Bollard

Overview
ActiveX
 Security Features
 Hidden Problems
Signed Applets
 Security Features
 Security Problems
 Examples

ActiveX
 "ActiveX" or "ActiveX control" is Microsoft's term for a component built on the Component Object Model (COM)
 Used extensively on Microsoft Windows platforms, especially in web-based applications
 Controls range from a single push-button to a complete spreadsheet control
 Web developers use scripting (VBScript) to create ActiveX controls

ActiveX (cont'd)
 Netscape Navigator doesn't recognize ActiveX
 The user's browser downloads ActiveX controls when needed; in this way, ActiveX controls are similar to Java applets
 ActiveX security rests on the "Authenticode" system, a scheme for identifying the authors of ActiveX controls; security is therefore based on trust
 Allows Word and Excel documents to be viewed directly in the browser
 MS Office is built from ActiveX components

ActiveX Security
 ActiveX controls are an integral part of systems and applications, and they are required for essential functions in many environments
 Only work in Internet Explorer browsers
 Can cause systems to slow down or freeze
 Unknown downloads
 Avoiding Internet Explorer and Outlook does not guard you from all attacks based on ActiveX controls
 A hacker can embed code to trigger harmful macros

Security (cont'd)
 Difficult for system administrators to evaluate the risk presented by a given ActiveX control
 ActiveX controls share many attributes with ordinary executable files: they run directly on your hardware; they are generally opaque; they are written in a variety of high-level languages; and they vary substantially in functionality, quality, and security characteristics
 A control can gain access to everything on the computer
 The Preview Pane in Outlook can trigger controls to run without the user's knowledge

ActiveX Security Concerns and Risks
 Download concerns: importing and installing controls
 Execution concerns: running controls
 Scripting concerns

ActiveX Benefits and Security Features
 ActiveX controls promote reuse: existing controls can be reused rather than rewritten
 ActiveX controls are available to meet a wide variety of needs

ActiveX Security Features
 "Administrator Approved" setting: within each Internet Explorer security zone there is an option to run only the controls that have been approved by the administrator
 Authenticode: this family of technologies is used to digitally sign and verify executable content, and to control the download of code to the workstation
 Kill bit: the kill bit is a registry value that prevents Internet Explorer from loading an ActiveX control; it cannot be overridden by any security zone configuration
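As an added example, not part of the presentation, the script below audits a registry export for kill bits, which is how an administrator would confirm that a control the organisation has decided to block really is blocked on a host. It assumes the documented location of the flag: a DWORD named "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, with bit 0x400 being the kill bit (32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node copy of the key, so both paths are accepted). The .reg text and the CLSIDs in it are constructed sample data.

```python
"""Audit ActiveX kill bits from a `reg export` of the ActiveX Compatibility key.

Added example (not from the slides). Assumes the documented layout:
  HKLM\\SOFTWARE\\[Wow6432Node\\]Microsoft\\Internet Explorer\\ActiveX Compatibility\\{CLSID}
    "Compatibility Flags" = DWORD, bit 0x400 = kill bit (control never loads in IE).
"""
import re

KILL_BIT = 0x400

# Constructed sample of `reg export` output; the CLSIDs are placeholders, not real controls.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000401
"""

# One subkey per CLSID; the 64-bit and Wow6432Node views use the same layout.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$",
    re.IGNORECASE,
)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', re.IGNORECASE)


def parse_compat_flags(reg_text):
    """Return {CLSID: flags} for every ActiveX Compatibility subkey in the export."""
    flags = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            flags.setdefault(current, 0)  # subkey present but the value may be missing
            continue
        value = FLAGS_RE.match(line)
        if value and current:
            flags[current] = int(value.group(1), 16)
    return flags


def kill_bit_set(flags_value):
    """True if bit 0x400 is set; other bits (e.g. 0x1) are unrelated compatibility flags."""
    return bool(flags_value & KILL_BIT)


def audit_kill_bits(reg_text, required_clsids):
    """Return the CLSIDs from required_clsids that are NOT kill-bitted in this export."""
    flags = parse_compat_flags(reg_text)
    return [c.upper() for c in required_clsids if not kill_bit_set(flags.get(c.upper(), 0))]


if __name__ == "__main__":
    # On a real host: reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" c.reg
    # then open(..., encoding="utf-16") since reg export writes UTF-16 text.
    wanted = ["{00000000-0000-0000-0000-000000000001}", "{00000000-0000-0000-0000-000000000002}"]
    for clsid, value in parse_compat_flags(SAMPLE_REG_EXPORT).items():
        print(clsid, hex(value), "KILL BIT SET" if kill_bit_set(value) else "loadable")
    print("not blocked:", audit_kill_bits(SAMPLE_REG_EXPORT, wanted))
```

The audit treats an absent subkey as "not blocked" on purpose: a missing entry is the same as flags of 0 from Internet Explorer's point of view, and that is exactly the gap an administrator wants surfaced.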

Signed Applets
 Digitally marked applets or classes, designating them as trusted pieces of code regardless of their origin, or as coming from a trusted source
 Signing is particularly useful on corporate intranets, where you generally have a library of standard programs on a server
 Such applets normally appear as foreign code to Java, but if signed they can be granted special privileges such as file access

Signed Applets
 Can be given more privileges than ordinary applets
 The digital signature is cryptographically generated from both the applet to be signed and the private key of the signer

Unsigned Applets
 Operate under a set of restrictions called the Sandbox Model
 May prevent the applet from performing required operations on local system resources, connecting to web sites, accessing the printer, or reading certain properties of the client's computer
 Signed applets don't have such restrictions

Signed Applets
 If the browser accepts the user's consent for an applet, it will automatically be downloaded from then on
 If an applet is new and hasn't established trust, a security message is displayed which allows the user to confirm consent
 An applet can be traced back to its source using the digital signature

Using Code Signing Features
 To release the application from the sandbox restrictions imposed on unsigned code
 To provide confirmation regarding the source of the application code

Example
 Trying to write a file
 Trying to sign the applet
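The demo on this slide (an unsigned applet is refused file access, the same applet signed by a trusted signer is allowed) can be modelled end to end in a few dozen lines. The following is an added example written for this page, not the presentation's own demo code. It follows the structure jarsigner uses: a manifest of per-entry digests is signed with the signer's private key, the verifier recomputes the digests and checks the signature with the signer's public key, and only then does the policy add grants beyond the sandbox, which is the idea behind "grant signedBy" in a Java policy file. The RSA is textbook RSA built from the standard library (no padding, no certificate chain), so it is a teaching model rather than a production signer; the signer alias "corp-intranet", the class names and the permission names are constructed.

```python
"""Applet signing and sandbox policy, modelled in Python (added example, not the
presentation's demo). Structure follows jarsigner: per-entry digests in a manifest,
the manifest signed with the signer's private key, verified with the public key.
Textbook RSA from the stdlib only (no padding, no certificates): a teaching model.
Aliases, entries and permission names are constructed for the demo."""
import hashlib
import random


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024):
    """Return (public_key, private_key) as ((n, e), (n, d)); demo-only key sizes."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def build_manifest(entries):
    """entries: {name: bytes}. One digest section per class, like MANIFEST.MF."""
    return "".join(
        f"Name: {name}\nSHA-256-Digest: {hashlib.sha256(entries[name]).hexdigest()}\n\n"
        for name in sorted(entries)
    )


def _manifest_hash(manifest):
    return int.from_bytes(hashlib.sha256(manifest.encode()).digest(), "big")


def sign_applet(entries, private_key):
    """Signature block = manifest + RSA signature over the manifest digest."""
    n, d = private_key
    manifest = build_manifest(entries)
    return {"manifest": manifest, "signature": pow(_manifest_hash(manifest), d, n)}


def verify_applet(entries, sig_block, public_key):
    """True only if every entry still matches the manifest AND the signature checks."""
    n, e = public_key
    if build_manifest(entries) != sig_block["manifest"]:
        return False  # a class was altered, added or removed after signing
    return pow(sig_block["signature"], e, n) == _manifest_hash(sig_block["manifest"])


# Sandbox grants for unsigned code, and extra grants per trusted signer alias
# (the idea behind "grant signedBy" in a Java policy file). Constructed names.
SANDBOX_PERMISSIONS = frozenset({"socket:connect-origin"})
SIGNER_GRANTS = {"corp-intranet": {"file:read", "file:write"}}


def permissions_for(entries, sig_block, signer_alias, keystore):
    """Sandbox by default; extra grants only if the signature verifies for a trusted alias."""
    perms = set(SANDBOX_PERMISSIONS)
    public_key = keystore.get(signer_alias) if sig_block is not None else None
    if public_key is not None and verify_applet(entries, sig_block, public_key):
        perms |= SIGNER_GRANTS.get(signer_alias, set())
    return perms


def can_write_file(entries, sig_block, signer_alias, keystore):
    return "file:write" in permissions_for(entries, sig_block, signer_alias, keystore)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    keystore = {"corp-intranet": pub}  # the browser's trusted-signer store (constructed)
    applet = {"Demo.class": b"\xca\xfe\xba\xbe demo", "Helper.class": b"\xca\xfe\xba\xbe helper"}
    print("unsigned, write file:", can_write_file(applet, None, "corp-intranet", keystore))
    sig = sign_applet(applet, priv)
    print("signed, write file:  ", can_write_file(applet, sig, "corp-intranet", keystore))
    tampered = {**applet, "Demo.class": b"\xca\xfe\xba\xbe evil"}
    print("tampered, write file:", can_write_file(tampered, sig, "corp-intranet", keystore))
```

Two points the slide leaves implicit are visible in the code: the extra privileges come from the policy's trust in the signer alias, not from the signature alone (a valid signature by an alias the keystore does not know still lands in the sandbox), and any change to a signed class after signing breaks the manifest match, so the tampered applet is refused file access even though the original signature block is still attached.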

Questions?