Part II: User Safety
Chapter 2. The Buggy Browser: Evolution of Risk
2.2 Data-Driven Attacks
It is possible for an attacker to give malicious data to a normally well-behaved application to produce undesirable results.
Consider the case of a user who has not followed our advice in the previous section and has set up Microsoft Word as a helper application for files ending in the letters ".doc". Normally there will be no problem at all. But if the unsuspecting user tries to download a particular Microsoft Word file, his computer might become infected with a virus. Or consider a user who is still using Version 3.0 of Microsoft's Internet Explorer - the one with the big security hole. Normally this user will have no problems. But one day, he may chance upon a web page that exploits the bug and erases all of his files.
These sorts of attacks are called data-driven attacks, because the type and nature of the attack is determined by data that is downloaded to the user's computer. Most Internet-based attacks are in fact data-driven attacks because they rely on downloading malicious data, rather than programs, to the victim's computer.12
The remainder of this section looks at a variety of data-driven attacks.

2.2.1 Social Engineering
One of the simplest and most effective data-driven attacks is to give the user a message asking him to do something that is unsafe. These attacks are effective because most users are conditioned to follow whatever instructions appear on the computer screen. One unfortunate result of the web's ease of publishing is that attackers can publish information as easily as legitimate data providers can.
Here are some types of messages that an attacker might wish to display on a user's screen:
• "There is a problem with your account. Please change your password to NowSafe and await further instructions."
• "There is a problem with your account and we are unable to bill your credit card. Please enter your credit card number and expiration date in the spaces below and click the SUBMIT button."
• "We have detected that you are running an out-of-date version of this web browser software. Please click on this URL to download a new version of the software, then run the program called SETUP.EXE to install it."

Recent trends in web extensibility - languages like JavaScript - make it even easier for an attacker to display messages on the computer's screen and make the messages appear to come from legitimate sources. Consider the pop-up window shown in Figure 2.1. This window can ask the user for his or her dial-up password, then send that password to somebody else on the Internet. Although this window looks quite official, it was actually produced by this piece of JavaScript:

<script>
    // Shows an official-looking dialog; whatever the user types is stored
    // in the variable "password", from which the page can send it anywhere.
    password = prompt("Please enter your dial-up password", "");
</script>
There is no good solution for social engineering attacks other than education. For example, in 1995 America Online modified the interface of its email system software so that the message "Reminder: AOL staff will never ask you for your password or billing information" would constantly be displayed (see Figure 2.2). AOL added this message after a number of social engineering attacks in which attackers asked AOL members for their passwords and credit card numbers, and frequently were rewarded by users who were all too trusting.
Figure 2.2. America Online's email client warns users not to provide their passwords
Education can be extremely expensive. While AOL's solution is interesting, the general applicability of this technique remains to be seen.
2.2.2 Bug Exploitations
Browsers have bugs. Many browser bugs are data-dependent. An attacker with knowledge of these bugs can force a browser to misbehave in a specific manner.
The most common way for a browser to fail is for it to crash. On a computer without memory protection, a browser crash can take down the entire computer, creating an effective denial-of-service attack. For example, one bug we know about in the Netscape Navigator HTML layout engine could be exploited in Navigator Versions 1, 2, and 3. The bug causes Navigator to allocate gigabytes of memory, causing Navigator to crash on every platform. On some platforms, the attempt by Navigator to allocate large amounts of memory caused the entire computer to crash.
Crashes are not the only way that a browser can fail. With enough skill, an attacker can make a browser fail in such a way that data written into a buffer variable overflows it and overwrites the program's stack, including the saved return address. When the program returns from the function, control is transferred into the buffer, and the data the attacker supplied is executed as program code. This is the technique that the Internet Worm used in 1988, and many attacks since have used it as well.
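The overflow described above, as an added example that is not code from the book: a fixed-size stack buffer filled by an unbounded strcpy, beside a bounded replacement that rejects input that does not fit. The function names, the 16-byte limit, and the sample requests are assumptions chosen for illustration; the vulnerable version is shown only to make the defect visible and is never given oversized input here.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the book. lookup_user_* and NAME_MAX are
 * hypothetical names chosen for illustration. */
#define NAME_MAX 16

/* VULNERABLE: the request string is copied into a 16-byte stack buffer
 * with no length check. Anything longer than 15 bytes plus the
 * terminator runs past buf and overwrites what lies above it on the
 * stack, including the saved return address. On a machine whose stack
 * is executable, an attacker who overwrites that address with the
 * address of buf gets the bytes they sent executed when the function
 * returns. Kept only to show the defect; never feed it untrusted data. */
int lookup_user_unsafe(const char *request)
{
    char buf[NAME_MAX];
    strcpy(buf, request);            /* unbounded copy: the overflow */
    return (int)strlen(buf);
}

/* HARDENED: check the length before copying, copy with an explicit
 * bound, and always leave a terminating NUL in place. Returns the
 * number of bytes stored, or -1 if the request does not fit; on
 * rejection nothing is written to out. */
int lookup_user_safe(const char *request, char *out, size_t out_len)
{
    size_t n = strlen(request);
    if (out_len == 0 || n >= out_len)  /* need room for the terminator */
        return -1;
    memcpy(out, request, n + 1);
    return (int)n;
}

/* Stand-alone demonstration with constructed inputs. */
int main(void)
{
    char out[NAME_MAX];
    char big[40];                    /* constructed 39-byte "name" */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    /* A short name fits either way. */
    printf("unsafe(\"bob\")   -> %d\n", lookup_user_unsafe("bob"));
    printf("safe(\"alice\")   -> %d\n", lookup_user_safe("alice", out, sizeof out));
    /* The oversized name, which would overflow the unsafe version,
     * is rejected by the bounded one. */
    printf("safe(39 bytes)  -> %d\n", lookup_user_safe(big, out, sizeof out));
    return 0;
}
```

The check `n >= out_len` rather than `n > out_len` is the part most often got wrong: a request of exactly 16 bytes leaves no room for the terminator, so it must be rejected too.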
2.2.3 Web-Based Programming Languages
Web-based programming languages such as Java and JavaScript can also be used to attack users. Sometimes these attacks are the result of fundamental flaws in the language design. Other times the attacks are made possible by flaws in a particular implementation. These dangers are discussed in detail in the following chapters.