Java and .NET security
Note: This article first appeared on our affiliate site EBCVG. The original article can be found here
By: Fernando de la Cuadra
Sun Microsystems' Java and Microsoft's .NET platforms are no more than programming languages that exploit network potential with the idea that the same software should function on different platforms. Both systems are centered around the principle of running software that doesn't reside on the client machine to provide greater functionality or faster execution, saving connection time and improving public perception of the server to which the client connects.
Any kind of program code can carry malicious elements such as viruses, Trojans, etc. To avoid this, certain strategies exist, which at first glance might seem to be useful. In the case of Java, instructions are executed in 'sandboxes' to avoid outside interference with the system. For example, a Java applet can't read, write, delete or rename client files, load libraries, create security managers or specify any network control functions. In theory, given the limitations that are imposed on Java applets, any client computer should be safe when dealing with a Java service.
However, the Java platform is not quite as perfect as one might imagine. A hacker with some knowledge of programming or of Java file formats could easily enter, delete or modify content within Java applets and bypass 'sandbox' security. Each new browser version includes new and safer Java support, but it is still impossible to be 100% certain.
In response to the Java system, Microsoft developed a system for executing code on client machines. ActiveX, as the system is called, is similar to Java in terms of its objectives, albeit with less security. The control over what ActiveX can do depends not on a preset security system like the Java 'sandbox' but on the acceptance or refusal of the downloaded control by the user. Yet leaving the security of server connections in the hands of the user is not an ideal situation either...
Microsoft's next step was to develop the .NET platform. This system is based on pre-compiled code, which adapts to the system making the request when the connection is made and is run on the server. In this way the computers that connect to the server don't need to download or run code. As opposed to Java or ActiveX, the code is run on the server, not the client. Although this is an improvement in terms of security, it can also produce problems, as was demonstrated by the appearance of the W32/Donut virus. This malicious code was nothing more than a laboratory guinea pig, but it drew attention to the fact that Microsoft ".NET" is susceptible to virus infection.
What this really shows is that it is impossible to guarantee the security of new platforms. With each new operating system, each new application, each new innovation there is always the chance that a new 'hole' will appear to facilitate attacks on end users.
Software developers are conscious that possible security flaws are a fact, and they are more than aware that they are up against people whose only aim is to defeat security systems for the sake of destruction. For this reason, quality control departments at software companies must constantly put themselves in the shoes of the attackers.
The biggest problem lies not with the discovery of security holes or the creation of a new virus, but in the ability (or lack of it) of users to apply the patches produced by developers. Not all companies have IT departments constantly on the lookout for service packs. Even when a company has a systems department, there are often too many urgent jobs to leave time to deal with some of the most important security measures.
The problem exists, and it won't go away by ignoring it. We are surrounded by companies dedicated to investigating system security and providing turnkey solutions. If your company can't stop working, then your IT systems can't either, especially not because of security problems. These matters should be left to security experts who can assess a company's weaknesses and its precise needs. If antivirus protection is left to professionals, who update protection daily without you having to lift a finger, why don't you do the same with other IT security systems?
With these services on hand, a problem in critical platforms will be no more than a mere anecdote.