Security Friday: February 29
Disable ActiveX altogether, advises US-CERT
The U.S. Computer Emergency Readiness Team (US-CERT) has advised users to completely disable ActiveX in their internet browsers, owing to attack vectors spotted in many recent web applications, including the social networking sites Facebook and MySpace.
ActiveX seems to enjoy the status of melting pot of vulnerabilities in the security community. The widespread adoption of Microsoft's product adds a lot more to the problems. It's just in the scheme of things that the most popular software gets targeted most.
An excerpt from the security article at InfoWorld
“The issue goes beyond ActiveX. Any plug-in architecture that has a lot of users will suffer from these same issues; anything where you have third party developers writing code that runs inside the browser,” said Max Caceres, director of research and development at applications security firm Matasano Security. “As long as developers are building things without putting security at the top of their list of objectives, we’ll have these problems, regardless of the plug-in architecture.”
Cross-browser attack exposes user personal data
A flaw in the way the Firefox and Opera browsers handle images may let an attacker view a user's browsing history. Version 2.0.0.11 of Firefox and version 9.50 of Opera are affected by the attack.
An excerpt from the article at TechWorld
A malicious bitmap file can be created that pulls other information from the browsers’ memory. Some of the information that can be captured is random, but at other times could be valuable, the advisory said.
“The harvested data contains various information including parts of other websites, users’ favorites and history and other information,” Vexillium said.
AJAX is super cool but raises uber concerns on security
And to round off the security article this week, here are some tips for AJAX programmers on what to keep in mind when designing web applications, which involves a whole slew of new technologies. The article from RegDeveloper brings into focus the point that the more technology you use, the larger the 'attack surface area' becomes.
To put the points concisely:
- Know the tools you use to develop AJAX-based code well. You do not want security and authentication code ending up on the client side.
- Beware of injection-based attacks. Always validate user input. Demarcate code and data.
- Never rely on encoding alone to consider incoming data safe.
An excerpt from the security article
One major security challenge for AJAX applications is that moving your code to the client involves a ton of data formats, protocols, parsers, and interpreters. These include JavaScript, VBScript, Flash, JSON, XML, REST, XmlHttpRequest, XSLT, CSS and HTML in addition to your existing server-side technologies. As if that wasn’t enough, each of the AJAX frameworks has its own data formats and custom framework formats.
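To make the three tips above concrete, here is an added example (not from the original post or the RegDeveloper article) of client-side code consuming a JSON response: the data is parsed rather than evaluated, validated against what the page expects, and only then encoded for the HTML context it lands in. The response shape, field names and limits are assumptions made up for the illustration.

```javascript
// Added example: keeping AJAX response data as data, and validating before encoding.
// Constructed sample response, as a client might receive it via XmlHttpRequest.
const SAMPLE_RESPONSE = JSON.stringify({
  name: 'Alice <b>"admin"</b>',
  homepage: 'javascript:void(0)', // not an http(s) URL: validation must reject it
  bio: 'Loves AJAX & XML',
});

// Encode a value for an HTML text or quoted-attribute context.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Encoding is necessary but not sufficient: a value destined for href must also be
// validated, because a "javascript:" URL contains no HTML-special characters and
// passes through encodeHtml() unchanged. Only http(s) URLs are accepted here.
function isSafeHttpUrl(s) {
  try {
    const u = new URL(String(s));
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false; // not parseable as a URL at all
  }
}

// Validate the untrusted JSON before use: known fields, expected types, length
// limits (assumed values) and a safe URL. JSON.parse keeps data as data; eval would not.
function validateProfile(json) {
  const data = JSON.parse(json);
  const errors = [];
  if (typeof data.name !== 'string' || data.name.length === 0 || data.name.length > 64) errors.push('name');
  if (typeof data.bio !== 'string' || data.bio.length > 280) errors.push('bio');
  if (!isSafeHttpUrl(data.homepage)) errors.push('homepage');
  return { ok: errors.length === 0, errors, data };
}

// Render only validated data, encoding each value for the context it is placed in,
// so the browser never reinterprets response content as markup or script.
function renderProfile(json) {
  const { ok, errors, data } = validateProfile(json);
  if (!ok) return `<p class="error">Invalid fields: ${encodeHtml(errors.join(', '))}</p>`;
  return `<div class="profile"><a href="${encodeHtml(data.homepage)}">${encodeHtml(data.name)}</a>` +
         `<p>${encodeHtml(data.bio)}</p></div>`;
}
```

The same validation belongs on the server as well; the client-side check only keeps the rendering honest, it does not protect anything the client is trusted with.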
ActiveX is so 1990….
Yo, Daniel, check out the feedburner chicklet - it's black text on a black bg.