
1 Active X and Signed Applets Chad Bollard

2 Overview
- ActiveX
  - Security Features
  - Hidden Problems
- Signed Applets
  - Security Features
  - Security Problems
  - Examples

3 ActiveX
- ActiveX or ActiveX control
- Microsoft’s term - Component Object Model (COM)
- Used extensively on Microsoft Windows platforms, especially in web-based apps
- Controls can range from a single push-button to complete spreadsheet controls
- Web developers use VBScript to create ActiveX controls

4 ActiveX Cont’d
- Netscape Navigator doesn’t recognize ActiveX
- The user's browser downloads ActiveX controls when needed. In this way, ActiveX controls are similar to Java applets.
- ActiveX security rests on the "Authenticode" system, which is a scheme for identifying the authors of ActiveX controls. Security is therefore based on trust.
- Allows Word and Excel documents to be viewed directly in the browser.
- MS Office is built from ActiveX components

5 ActiveX Security
- ActiveX controls are an integral part of systems and applications, and they are required for essential functions in many environments.
- Only supported in IE browsers
- Can cause systems to slow down or freeze
- Unknown downloads
- Avoiding Internet Explorer and Outlook does not guard you from all attacks based on ActiveX controls.
- A hacker can embed code to trigger harmful macros

6 Security Cont’d
- Difficult for system administrators to evaluate the risk presented by a given ActiveX control
- ActiveX controls share many attributes with ordinary executable files. They run directly on your hardware; they are generally opaque; they are written in a variety of high-level languages; and they vary substantially in functionality, quality, and security characteristics.
- Can gain access to everything on the computer.
- The Preview Pane in Outlook can trigger controls to run without the user’s knowledge.

7 Active X Security Concerns and Risks
- Download Concerns—importing and installing controls
- Execution Concerns—running controls
- Scripting Concerns

8 ActiveX Benefits and Security Features
- ActiveX controls promote reuse – reuse controls
- ActiveX controls are available to meet a wide variety of needs.

9 ActiveX Security Features
- “Administrator Approved” setting – Within each Internet Explorer security zone there is an option to run only the controls that have been approved by the administrator.
- Authenticode – This family of technologies is used to digitally sign and verify executable content, and to control the download of code to the workstation.
- Kill bit – The kill bit is a registry value that prevents Internet Explorer from loading an ActiveX control. It cannot be overridden by any security zone configurations.
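An added example, not part of the original slides, of auditing the kill bit described on slide 9: it parses the decoded text of a `.reg` export and lists the controls Internet Explorer could still load. The registry path and the 0x400 bit of "Compatibility Flags" are Microsoft-documented details that the slide does not state; the function names, the sample export and the placeholder CLSIDs are constructed for illustration.

```python
import re
# Not on the slide: settings live under ...\Internet Explorer\ActiveX Compatibility\{CLSID}
# and the kill bit is bit 0x400 of the "Compatibility Flags" DWORD (Microsoft-documented).
MARKER = "\\internet explorer\\activex compatibility\\"
KILL_BIT = 0x00000400
SECTION = re.compile(r"^\[([^\]]+)\]$")
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{1,8})$')

def read_flags(reg_text):
    """Return {registry key path: Compatibility Flags} from decoded .reg text."""
    flags, key = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        section = SECTION.match(line)
        if section:
            key = section.group(1) if MARKER in section.group(1).lower() else None
            if key:
                flags[key] = 0          # key exists; the value itself may be missing
        elif key and FLAGS.match(line):
            flags[key] = int(FLAGS.match(line).group(1), 16)
    return flags

def not_blocked(reg_text, required_clsids):
    """CLSIDs from required_clsids that IE could still load in some registry view."""
    flags = read_flags(reg_text)
    result = []
    for clsid in required_clsids:
        entries = [v for k, v in flags.items() if k.upper().endswith("\\" + clsid.upper())]
        # An absent key, or any view (native / Wow6432Node) without the bit, is a gap.
        if not entries or any(not v & KILL_BIT for v in entries):
            result.append(clsid)
    return result

# Constructed sample export; the CLSIDs are placeholders, not real controls.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B2}]
"Compatibility Flags"=dword:00800400
'''
REQUIRED = ["{00000000-0000-0000-0000-0000000000A1}",   # set in one view only
            "{00000000-0000-0000-0000-0000000000B2}",   # set, alongside another flag
            "{00000000-0000-0000-0000-0000000000C3}"]   # no key in the export
print(not_blocked(SAMPLE_REG, REQUIRED))
```

The first placeholder is reported because its kill bit is set only in the native view and not under Wow6432Node, and the third because it has no key at all.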

10 Signed Applets
- Digitally marked applets or classes, designating them as trusted pieces of code regardless of their origin or a trusted source
- Signing is particularly useful in corporate intranets, where you generally have a library of standard programs on a server
- Applets normally appear as foreign code to Java, but if signed, these applets can be granted special privileges like file access

11 Signed Applets
- Can be given more privileges than ordinary applets
- The digital signature is cryptographically generated from both the applet to be signed and the private key of the signer

12 Unsigned Applets
- Operate with a set of restrictions called the Sandbox Model.
  - May prevent the applet from performing required operations on local system resources, connecting to web sites, accessing the printer, or accessing certain properties on the client’s computer
- Signed applets don’t have such restrictions

13 Signed Applets
- If the browser accepts contact with the user for the applet, it will automatically be downloaded from then on
- If the applet is new and hasn’t established trust, a security message will be displayed which allows the user to confirm consent
- The applet can be traced back to its source using the digital signature

14 Using Code Signing Features
- To release the application from the sandbox restrictions imposed on unsigned code
- To provide confirmation regarding the source of the application code.

15 Example
- Trying to Write File
- Trying to Sign Applet

16 Questions ?’s

