Dear Contributors
Lots of Windows users have learnt the hard way to sing this tune:
"Everybody Is in Control of My Machine But Me!"
Well, if you consider that it needs only Notepad, as brain damaged as it is, to embed J(ava)?Script code into HTML source like this:
var aHole = new ActiveXObject("aString");
If you specify aString as "WScript.Shell" you can start any binary, even if it is not an *.EXE file; just call rundll(32)?.exe with the appropriate parameters.
More, you have access to the Registry; you can manipulate at least the HKCU branch. It seems that crackers shy away from the big footprint they leave there if they put "Mr.Bad.Guy_s.Lair.com" into the ZoneMap and declare it as belonging to the "MyComputer" zone.
If aString is "FileSystem Object", they can bunker their kid porn etc. into %windir%\system32 or some other place below %windir%, as long as they avoid GIF and JPG extensions and call it DLL or any other binary, system-critical file type. How few people have a tool that can dig out magic numbers like GIF or JFIF from any file. Well, the stuff expected under "/etc/magic" now resides under "/usr/share/misc/file/*". The manual tries hard to reduce trust in the "file" command.
Under Windows, even the Cygwin tools lack that command; FileAlyzer still needs development; perhaps some of the proprietary anti-malware programs may be able to find disguised pix in places where they don't belong and eliminate them from the DLL cache and any shadow copies.
And, if aString is "WScript.Network", Mr. Bad Guy can wreak havoc there.
Windows indiscriminately giveth away the full API.
Under *NIX, this is slightly better.
Lots of texts tell you to avoid shell escapes, or any path from untrusted input to a member of the exec() call family, including system(). Even the environment should be cleared.
Perl and others have already introduced the concept of tainting, and that word popped up in your book quite early.
So I hope you'll look hard for back doors in Ruby and that the Ruby community provides tools for digging them up in Ruby code.
Although security is a non-trivial task, it should be made as easy as you wanted Ruby to be.
With professional experience in maintaining embedded mission-critical systems, I am concerned with stability and security: not only Mr. Bad Guy abusing the victim's machine as a kid-porn archive, but jumbling up business records, forcing the victim into bankruptcy or prison for tax fraud.
We should leave insecure setups to the proprietary world; either the professionals will flock away from proprietary code, or legislation will detect that the proprietary world aids and abets electronic crime and discover that that can't be disclaimed.
Kind Regards
Norbert Grün (gnor@x-mail.net)
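As an added example (not part of the original post), here is a Ruby sketch of the magic-number check the letter wishes for: classify a file by its leading bytes, the way the *NIX `file` command does, and flag image data hiding under a DLL-style name. The signature table uses the standard GIF, JFIF/JPEG, PNG and PE (MZ) prefixes; the file names and bytes in the sample scan are constructed.

```ruby
# Added example: detect a file's real type from its magic number and flag
# pictures "bunkered" under a binary extension such as .dll. The sample
# directory at the bottom is constructed; nothing is read from a real system.

MAGIC = {
  gif:  ["GIF87a".b, "GIF89a".b],
  jpeg: ["\xFF\xD8\xFF".b],            # JFIF/EXIF files start with the SOI marker
  png:  ["\x89PNG\r\n\x1A\n".b],
  pe:   ["MZ".b],                      # DOS stub header of EXE/DLL (PE) files
}.freeze

# Extensions whose content is expected to be a native (PE) binary.
BINARY_EXTS = %w[.dll .exe .sys .ocx .drv].freeze

# Return the detected type symbol (:gif, :jpeg, :png, :pe) or :unknown,
# judging only by the leading bytes, never by the file name.
def detect_magic(bytes)
  head = bytes.b
  MAGIC.each do |type, sigs|
    return type if sigs.any? { |sig| head.start_with?(sig) }
  end
  :unknown
end

# True when a file carrying a binary/system extension actually holds image data.
def disguised_image?(filename, bytes)
  ext = File.extname(filename).downcase
  BINARY_EXTS.include?(ext) && %i[gif jpeg png].include?(detect_magic(bytes))
end

# Given filename => leading bytes (as a directory walk would yield),
# return the names whose extension lies about their content.
def find_disguised(files)
  files.select { |name, bytes| disguised_image?(name, bytes) }.keys
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample scan of a system directory; only the first bytes matter.
  sample = {
    "system32/legit.dll"   => "MZ\x90\x00".b,
    "system32/hidden1.dll" => "GIF89a\x01\x00".b,
    "system32/hidden2.dll" => "\xFF\xD8\xFF\xE0\x00\x10JFIF".b,
    "pictures/photo.jpg"   => "\xFF\xD8\xFF\xE0".b,
  }
  puts find_disguised(sample).inspect
  # => ["system32/hidden1.dll", "system32/hidden2.dll"]
end
```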