Author profile
Author: CJ
Total articles: 1041
About this article
Published: January 2013
Source: Computer Jagat
Type: Feature
Section: English Section
Language: Bangla
Copyright: Computer Jagat
ENGLISH SECTION

JavaScript and Flash Pose a Serious Threat to System Security

M J Morshed Chowdhury

One of the most striking applications of technology in this century is the impact of the Internet on human society. During this period web applications have grown at a tremendous rate and now touch almost all walks of life. The introduction of Web 2.0 has facilitated increased user-creator interaction, content syndication and advances in web-based user interfaces, which ultimately led to the creation of an entirely new application platform.

Like any other technology, web applications also have their weaknesses. They inherit the security vulnerabilities of the open Internet architecture. According to Pete Lindstrom, Director of Security Strategies with the Hurwitz Group, Web applications are the most vulnerable elements of an organization’s IT infrastructure today. An increasing number of organizations depend on Internet-based applications that leverage the power of dynamic and rich content mechanisms (e.g., AJAX and Flash). As this group of technologies becomes more complex in order to deliver the depth and functionality discussed, and if organizations do not secure their web applications, then security risks will only increase. The most striking features of Web 2.0 are its ability to harness collective intelligence and to bring rich user participation. Web 2.0 has rich applications with features such as user interaction, collaboration and real-time communication. To support this synchronous communication, AJAX is widely used. Another popular technology for motion pictures and video on the web is Flash. Flash also possesses a few critical security vulnerabilities. If the ActionScript in a Flash file is not implemented properly, it can compromise any web application.

A careful analysis of potential attacks against Web services, as carried out e.g. by Jensen et al., immediately shows that Web services are very vulnerable, especially to DoS attacks. The security issues which are inherent to the Ajax programming model, and which especially affect cooperative applications, have been extensively documented by Michael Sonntag. Recent research has shown that scripting vulnerabilities are more prevalent than any other class of web application vulnerability. They are growing more sophisticated day by day and should be addressed from the early stages of the development cycle.

Types of Vulnerabilities and Attacks

Current attacks come through many means, such as traditional server-side attacks, browser and plugin flaws, and client-side attacks (XSS, CSRF). Many of the current countermeasures address only one or a few specific issues.

The browser cache and history are intended to be private, yet it is not difficult for malicious Web sites to "sniff" cache entries on visitors' computers and then use that information to deceive them more convincingly. This remains a major unresolved issue for the research community.

On the Web, scripts embedded in multiple browser windows containing documents from the same Web site (same domain name) are allowed to access data in each other, in order to support multi-windowed user interfaces. An analysis has revealed that browser windows could be tricked into trusting attack scripts from rogue sites, thus allowing those scripts to access their data. A rogue site could be set up to track all Web-related activity of visitors even after they had left the site, using a Trojan-horse attack.

The tracking provided access to all data typed into forms, including password fields, cookies, and visited URLs. The data was extracted right in the browser, so using a secure encrypted connection to retrieve documents did not afford the user any extra protection. This browser vulnerability has serious implications for Web users. Once infected by the Trojan horse, the user's Web interaction is fully exposed to the attacker - every URL retrieved, all data typed into forms (including credit card numbers and passwords), all cookies set by servers accessed, and so on.

The HTTP protocol supports a facility for authenticating Web users. Many Web-based services, however, use alternative methods of authorization that provide more flexibility. These methods involve the use of dynamically generated, opaque "session keys" embedded in URLs, in hidden form fields or in cookies. The ability of the attack script to access such information in an HTML document makes all of these authentication mechanisms susceptible to compromise.

This browser vulnerability also has serious implications for intranets. Most users use the same browser to access information on the intranet as well as the Internet. A user who has been ‘attacked’ using this vulnerability has essentially compromised the intranet for the duration of the browsing session: the Trojan horse is able to extract data from subsequently loaded intranet documents and transmit it to an external entity. Any data that the user enters into forms - ID numbers, vendors and prices, bug reports, passwords and other proprietary information - can be relayed to the outside.

ActionScript vulnerabilities arise from various errors in computing program flow during the bytecode verification and generation process. ActionScript code is typically compiled into a bytecode format called ActionScript Byte Code (ABC). The bytecode verifier is responsible for safety checks, making sure there are no type-unsafe operations, stack underflows or overflows, improper array accesses, and so on.

A type confusion vulnerability exists in the Adobe Flash Player ActionScript Virtual Machine. Specifically, the flaw lies in the implementation of the callMethod bytecode instruction: the bytecode verifier fails to detect stack misalignment under certain circumstances. An attacker can exploit this vulnerability by enticing a user to visit a crafted web page, open a crafted PDF file or open a crafted Office document, any of which may contain malicious Adobe Flash content. Successful exploitation would allow arbitrary code execution with the privileges of the currently logged-in user.

Suggestion

One of the solutions to combat this security vulnerability is to use HTML encoding. It can be applied either to user-submitted data in the view or to user-submitted data in the controller.
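As an added illustration that is not part of the original article, the JavaScript below applies HTML encoding in both places the article names: in the view, when untrusted text is rendered, and in the controller, when it is stored. The helper names, the comment store and the sample submission are all constructed for this example.

```javascript
// Added example, not from the article: HTML-encode untrusted text so that a
// <script> submitted through a form field is rendered as inert text (the
// cross-site scripting case the article describes).
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Replace every character that can change HTML element or attribute context.
function htmlEncode(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// View-side encoding: the template only ever interpolates encoded values.
function renderComment(author, body) {
  return `<div class="comment"><b>${htmlEncode(author)}</b>: ${htmlEncode(body)}</div>`;
}

// Controller-side encoding: encode once when the submission is accepted, so
// every later view that prints the stored record gets already-safe text.
function storeComment(store, author, body) {
  const record = { author: htmlEncode(author), body: htmlEncode(body) };
  store.push(record);
  return record;
}

// True when an encoded value can no longer open or close an HTML tag.
function isInert(encoded) {
  return !/[<>]/.test(encoded);
}

// Constructed sample submission of the kind a malicious visitor might post.
const SAMPLE_AUTHOR = "guest";
const SAMPLE_BODY = 'Nice post <script>alert("xss")</script>';

const comments = [];
storeComment(comments, SAMPLE_AUTHOR, SAMPLE_BODY);
console.log(renderComment(SAMPLE_AUTHOR, SAMPLE_BODY));
console.log(comments[0]);
```

Encoding in the controller means the stored value is already HTML, so it must not be encoded again in the view and is the wrong representation for non-HTML outputs such as JSON or a database query; encoding in the view at the point of output avoids both problems.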

Another solution could be a safe interpreter. A safe interpreter has the task of isolating scripts from executing any unsafe commands (those that could result in security compromises if misused), thus implementing what is called a padded cell. The interpreter has to implement access control with respect to objects within the script's own context. More generally, a safe interpreter has to implement access control, independence of contexts, and management of trust among different contexts. Providing these components does not realize a particular security policy. Rather, it gives a framework in which a variety of security policies can be easily implemented.

Web 2.0 applications have moved the Internet forward and helped fulfil the promise of more interactive functionality and community building. The open nature of Web 2.0 presents significant challenges to the traditional enterprise approach to controlling intellectual property and proprietary content. However, security is not usually considered. The increase in functionality and interactivity has increased the ways in which an application can be attacked successfully.

CJ

....................................................................................................................................................................................................................................


HP Celebrated Bijoy Utsob 2012


‘HP has deep respect for Bangladeshi culture, celebrations and events, thus HP always extends special benefits and promotions for Bangladesh during the celebrations of Bijoy Dibosh, Bangla Noboborsho and Eid,’ said Shabbir Shafiullah, Hewlett-Packard’s Regional Manager for Asia Emerging Countries. At the grand reseller get-together on the occasion of Bijoy Dibosh 2012, he also requested the business partners to uphold our language and culture with the utmost respect, as we are a nation that gave lives to establish our language and had to fight to earn our freedom. More than 200 HP resellers, HP premium partners and HP senior officials were present at this event.

Shabbir Shafiullah also said, “HP always invests to invent and develop the latest printing technologies. Our HP Bangladesh Team and our HP Business Partners ensure that we introduce and offer these latest technology products in the Bangladesh market to give our valued end users the best printing experience and the best value for their money.” He also highlighted the environmental responsibility and social citizenship of HP and some other guiding principles that are deeply ingrained in HP’s values.

This Bijoy Utsob ceremony was hosted by Quazi Shamim Hasan, Trade Marketing Manager, PPS. Sydur Rahman, Market Development Manager, Printing Division, Md. Abdul Munnaf, Enterprise Development Manager, PPS and S.M. Asaduzzaman, Partner Business Manager, PPS were also present at the event.

Sydur Rahman focused on the Ink Advantage printers. He said, “HP Ink Advantage Printers are built to give one an affordable printing experience.” He described how these Ink Advantage printers deliver higher quality printing at ultra-low cost. Sydur also added, “This easy-to-use printer lets one print, scan and copy with minimal fuss. With its simple set-up and intuitive control panel, one can start printing within minutes. With the quality and reliability associated with Original HP inks at such an affordable price, one needn’t consider aftermarket alternatives or competitive printing systems to cut costs.”

S.M. Asaduzzaman highlighted original HP print cartridges. He requested the partners to explain ‘why to use original HP print cartridges’ to end users. He said, “Counterfeit products are highly harmful to the environment. So we should be aware of counterfeit products.”

Md. Abdul Munnaf focused on HP’s latest products, especially multifunction printers, and also highlighted the advantages of ePrint technology, auto on/auto off technology and instant-on technology.

A cultural program was also arranged to celebrate the Bijoy Utshob 2012 event. The Bengali victory theme was reflected in Bijoy-themed dances and songs by Porshi, one of the most popular singers. The venue was also decorated in the victory theme.

Under this promotion, customers got the chance to win gifts including a digital camera, blanket, cup set, HP branded sweater, backpack, mobile holder, colourful mug and wallet with the purchase of selected LaserJet, DeskJet, OfficeJet and All-in-One printers and HP original LaserJet and Inkjet print cartridges. Quazi Shamim Hasan briefed the partners on the gift collection and redemption procedure, which will be available in all reseller outlets. The HP reseller outlets in BCS Computer City, Multiplan Centre and other computer markets across the country were also decorated with victory day theme posters, banners and buntings. The HP resellers also distributed victory day themed leaflets describing the features of the products selected for this promotion.

The HP Bijoy Utshob road-show with horse carriages added extra attraction to this promotion. Many horse carriages were branded with the HP promo theme. A road-show was also conducted with a branded pickup van. The road-show team visited different areas of the country, including IT and other markets, educational institutions and public places, to make people, especially end users, aware of the promo message.

Printer of the Year

The HP LaserJet flow MFP525c printer has been declared “Printer of the Year” in Inc.’s ‘Best Business Gadgets of 2012’.

Hewlett-Packard (HP), the world’s largest technology company, holds the #1 position in worldwide market share for laser printers. HP is committed to providing customers with inventive, high quality products and services that are environmentally sound and to conducting its operations in an environmentally responsible manner. That commitment continues to be one of the guiding principles that are deeply ingrained in HP’s values. It is from this history and these values that HP has become a leader in the delivery of environmentally sustainable solutions for the common good.

CJ
