18.5.1 Executing Code from the Net

Most Web browsers can be configured so that certain "helper" applications are automatically run when files of particular type are downloaded from the net. Although this is a good way to provide extensibility, you should not configure your Web browser so that programs downloaded from the net are automatically executed. Doing so poses a profound risk, because it provides a way for outsiders to run programs on your computer without your explicit permission. (For example, a program could be embedded in an HTML page as an included "image.")

In particular:

• Do not configure /bin/csh as a viewer for documents of type application/x-csh . (The same is true with other shells.)

• Do not configure your Web browser to automatically run spreadsheets or word processors, because most spreadsheets and word processors these days have the ability to embed executable code within their files. We have already seen several reported viruses that use Microsoft Word macros to spread.

The exception to these hard and fast rules may be the Java programming language. The creators of Java have gone to great lengths to make sure that a program written in Java cannot harm the computer on which it is running. Whether or not the creators are correct remains to be seen. However, we have our doubts based on past experiences with complex software. As this book goes to press, there is no indication that Java has any significant protections against denial of service attacks. Also, as this book goes to press, several serious security bugs in Sun's and Netscape's implementations of Java have been reported.

18.5.2 Trusting Your Software Vendor

Most users run Web browsers that are provided by third parties with whom the user has no formal relationship or signed contract. Instead, users are asked to click buttons that say " ACCEPT " to signify their acceptance of the terms of a non-negotiable license agreement. These license agreements limit the liability of the companies that distribute the software.

Individuals and organizations using such software should carefully read the license agreements. They rarely do. In particular, consider these two clauses in the Netscape Navigator 2.02b license. Interestingly, these are the only two paragraphs of the Netscape license agreement that are in all capital letters. They must be important

2. NETSCAPE MAKES NO REPRESENTATIONS ABOUT THE SUITABILITY OF THIS SOFTWARE OR ABOUT ANY CONTENT OR INFORMATION MADE ACCESSIBLE BY THE SOFTWARE, FOR ANY PURPOSE. THE SOFTWARE IS PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. THIS SOFTWARE IS PROVIDED GRATUITOUSLY AND, ACCORDINGLY, NETSCAPE SHALL NOT BE LIABLE UNDER ANY THEORY FOR ANY DAMAGES SUFFERED BY YOU OR ANY USER OF THE SOFTWARE. NETSCAPE WILL NOT SUPPORT THIS SOFTWARE AND WILL NOT ISSUE UPDATES TO THIS SOFTWARE.

9. NETSCAPE OR ITS SUPPLIERS SHALL NOT BE LIABLE FOR (a) INCIDENTAL, CONSEQUENTIAL, SPECIAL OR INDIRECT DAMAGES OF ANY SORT, WHETHER ARISING IN TORT, CONTRACT OR OTHERWISE, EVEN IF NETSCAPE HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES, OR (b) FOR ANY CLAIM BY ANY OTHER PARTY. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH LIMITATION. FURTHERMORE, SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION AND EXCLUSION MAY NOT APPLY TO YOU.

What these paragraphs mean is that Netscape Communications disclaims any liability for anything that its Navigator software might do.[5] This means that the Navigator could scan your computer's disks for interesting information and send it, encrypted, to a Netscape Commerce Server, when it is sent an appropriate command. We don't think that Navigator actually has this code compiled into it, but we don't know, because Netscape has not published the source code for either its Navigator or Commerce Server. (Netscape is not alone in keeping its source code secret.)

[5] We don't mean to pick on Netscape here. Other software comes with similar license agreements. Netscape is used merely as an illustrative example because of its popularity when this book was being written.

We do know, however, that users have reported some security lapses in 2.0beta Navigator having to do with Netscape's Live Script, renamed Java Script, programming language. A feature in a beta version of the browser allowed any server to query the Web browser for the list of URLS that had been visited by the user.[6] As URLS can contain passwords, this posed serious security issues. Although this feature has been taken out of Navigator, it is possible that it could be reintroduced in the future through the use of a programming language such as Java.

[6] This was reported by Scott Weston on the comp.privacy Usenet newsgroup on December 1, 1995.

Indeed, programming languages such as Java create a whole new layer of security issues. Java is a programming language that is designed to allow the downloading of applications over the World Wide Web. Java is designed to be secure: the programs are run on a virtual machine, and they are not run unless they are approved by a "verifier" on the Web browser. In the initial implementation of Java for Web browsers, programs written in Java are permitted to access the network or to touch the user's filesystem, but not both. Programs that can touch the filesystem are permitted to read any file, but only to write in a specially predetermined directory.

Unfortunately, Java's current security model is rather restrictive, and it is therefore quite likely that users will demand a more open model that gives Java programs more access to a user's filesystems and the network. This will probably produce a new round of security problems.