Malware Triangle

[kurt wismer]

Ant wrote:
[snip]

While HTML is not a programming language, for the purpose of this
discussion it should be considered as such. It can contain scripts,
and interpreting it in a browser could have the same effect as running
a compiled executable file.

shame on you... if you can't make a program with it, it's not a
programming language... period...

an html document can act as a container, so can a zip file... that
doesn't make html a programming language anymore than it makes winzip a
compiler...

 

[kurt wismer]

A threat to your time/pocketbook; your bandwidth, your storage space,
difficultuly of regulation compliance - all a disruption to Availability.
If you work in a corporate environment that has to deal with this, it is a
costly annoyance.

that makes it a business threat... not a computer security threat...

Spam is malicious, and electronic, so I very well can
classify it as malware.

if it's not software (and it's not) then it's not malware...

The definition of malware is still a relatively new term in our language, I
don't have a problem with extending it's definition to meet the needs of
now.

well it's a good thing it's not up to you to decide if/when/how to
extend the meaning of technical jargon...

Malware is a compound of Malicious Software, and the definition of
Software is:

Computer instructions or data. Anything that can be stored electronically is
software.
http://www.webopedia.com/TERM/s/software.html

that is an absurd definition... remind me (as a software developer and
computer scientist) never to use webopedia, ever...

 

[Jack]

no it can't, you're thinking of scripts...

<OBJECT>
<EMBEDS>

 

[Richard S. Westmoreland]

Ant wrote:
[snip]

While HTML is not a programming language, for the purpose of this
discussion it should be considered as such. It can contain scripts,
and interpreting it in a browser could have the same effect as running
a compiled executable file.

shame on you... if you can't make a program with it, it's not a
programming language... period...

an html document can act as a container, so can a zip file... that
doesn't make html a programming language anymore than it makes winzip a
compiler...

Either way, it doesn't matter. Whether it's an exe, bat, html, jpg, doc,
etc., they are all software.

I think the proper definition of html is that it is a formatting language
that can contain other interpretable languages.

Rick

 

[Leythos]

I think the proper definition of html is that it is a formatting language
that can contain other interpretable languages.

If HTML is a programming language then so is RTF and ASCII. Just because
HTML pages can contain scripting and code, it's not the HTML side that
processes it, it's the browser that reads the "scripting" that processes
it.

HTML in itself is harmless, although I don't let network users send HTML
messages in email.

 

[Richard S. Westmoreland]

If HTML is a programming language then so is RTF and ASCII. Just because
HTML pages can contain scripting and code, it's not the HTML side that
processes it, it's the browser that reads the "scripting" that processes
it.

HTML in itself is harmless, although I don't let network users send HTML
messages in email.

I said it is a FORMATTING language.

Rick

 

[Jack]

well it's a good thing it's not up to you to decide if/when/how to
extend the meaning of technical jargon...
and:

that is an absurd definition... remind me (as a software developer
and computer scientist) never to use webopedia, ever...

Remind me (as a software engineer, punster and word-freak) never to rely
on your ability to interpret English.

If you haven't ever come across this usage, and reject it in favour of
your more narrow and rigid version, you will no doubt have difficulties
interpreting specifications and design documents, which in turn will
impair your work as a software developer and computer scientist.

Let's try Wikipedia:
"Computer software (or simply software) refers to one or more computer
programs and data held in the storage of a computer for some purpose.
Program software performs the function of the program it implements,
either by directly providing instructions to the computer hardware or
by serving as input to another piece of software. Data software
exists solely for its eventual use by other program software.

The term software was first used in this sense by John W. Tukey in
1957; colloquially, the term is often used to mean application
software. In computer science and software engineering, computer
software is all information processed by computer system, programs
and data.

Computer software is often contrasted with computer hardware, which
is the physical substrate on which software exists."

It seems that your interpretation of technical language is at odds with
that of other speakers of this language; try editing that page so that
it reflects *your* interpretation, and see how long your version lasts.

Of course, it's always possible that it is you that is marching in time,
and everyone else might be out of time.

 

[Roger Wilco]

Isn't the critical difference, if it is a difference, the fact that
classic programming languages get interpreted by your command
interpreter, whereas HTM languages get pre-interpreted by your browser?

HTML gets "rendered" by the rendering engine - it's like a souped-up RTF. It can have containers with actual scripting
language content though, and that is interpreted by the associated scripting host and run within the browser domain's
security set. Internet Explorer has had (and still has) enough cross domain scripting problems that I can see why peeps
think HTML is as powerful as C++.

 

[Roger Wilco]

Ant wrote:
[snip]

While HTML is not a programming language, for the purpose of this
discussion it should be considered as such. It can contain scripts,
and interpreting it in a browser could have the same effect as running
a compiled executable file.

shame on you... if you can't make a program with it, it's not a
programming language... period...

an html document can act as a container, so can a zip file... that
doesn't make html a programming language anymore than it makes winzip a
compiler...

Either way, it doesn't matter. Whether it's an exe, bat, html, jpg, doc,
etc., they are all software.

The last three in your list are (or can be) containers. It is like saying that your harddrive is software because you can dig
out executable content and execute it. The exe and bat also have to have their executable content in a form that requires
another level of translation to execute - but they are meant to have this last level transparent to the user. HTML is every
bit as dangerous as the software it contains and can be as transparent as exe.

 

[kurt wismer]

Ant wrote:
[snip]

While HTML is not a programming language, for the purpose of this
discussion it should be considered as such. It can contain scripts,
and interpreting it in a browser could have the same effect as running
a compiled executable file.

shame on you... if you can't make a program with it, it's not a
programming language... period...

an html document can act as a container, so can a zip file... that
doesn't make html a programming language anymore than it makes winzip a
compiler...

Either way, it doesn't matter. Whether it's an exe, bat, html, jpg, doc,
etc., they are all software.

no, they are not... html documents are not programs, therefore they are
not software...

I think the proper definition of html is that it is a formatting language
that can contain other interpretable languages.

exactly as i've been saying - html documents can act as *containers*...

 

[kurt wismer]

<OBJECT>
<EMBEDS>

those are tags related to making an html document a container for other
things, not downloading and/or executing code...

 

[kurt wismer]

Remind me (as a software engineer, punster and word-freak) never to rely
on your ability to interpret English.

If you haven't ever come across this usage,

i have... it's always been a reference to a (relatively) archaic usage...

and reject it in favour of
your more narrow and rigid version,

darn science and it's narrow rigidity...

you will no doubt have difficulties
interpreting specifications and design documents, which in turn will
impair your work as a software developer and computer scientist.

my current title is 'senior software development engineer'... i don't
seem to be having any problems with work-related impairment... as for
my computer science degree, the only impairment i suffered there was
starting in an entirely different field...

Let's try Wikipedia:

[snip wikipedia definition]

please refer to the numerous arguments about why wikipedia is not an
authoritative source and why it should not be relied on without
corroborating sources...

It seems that your interpretation of technical language is at odds with
that of other speakers of this language; try editing that page so that
it reflects *your* interpretation, and see how long your version lasts.

right, because truth has such a 'democratic' nature...

but for the sake of argument lets say that data qualifies a software -
can data qualify as malware? how can something that is entirely passive
be malicious? 'malicious software' fairly reasonably implies active
software (ie. of the *program* variety)...

 

[Jack]

right, because truth has such a 'democratic' nature...

Well, it's really language that is democratic. If you use words in the
manner of Humpty Dumpty, communication failures are guaranteed. Humpty
Dumpty was in error; the meaning of a word arises from consensus - it
means what most well-informed people think it means, at any particular
time, and not what Humpty Dumpty chooses for it to mean.

but for the sake of argument lets say that data qualifies a software
- can data qualify as malware? how can something that is entirely
passive be malicious? 'malicious software' fairly reasonably implies
active software (ie. of the *program* variety)...

Wrong. We were recently informed of a security alert involving malicious
images, that can cause a buffer-overflow in Internet Explorer. That is
an example of malicious data. And there is a trivial attack on IE that
involves the use of a HTML tag of the form

<FRAME name="AAAAAAAAAAAAAAAAAAAAAAAA">

to cause a buffer overflow. Neither of these examples can be malicious
from your perspective, so no doubt you won't be protecting the computers
for which you are responsible against either of them.

It's characteristic of general-purpose computers that what is stored in
main memory can be treated *either* as data *or* as code. Hence the
possibility of self-modifying code. And that's assuming that the code in
question is machine code; suppose instead that the 'code' is p-code, or
Java bytecode? Then you have code that can't be directly executed;
instead another program has to read and process the 'code', and perform
different operations depending on what sequences of values the 'code'
contains. Such intermediate 'code' is in fact data that is input to a
program.

So p-code and bytecode are now exposed as data, despite being the result
of running a compiler on program source-code. And even machine-code
contains data declarations, a stack area and so on; not all of a
machine-code program is actually machine-code.

When you run an assembler against an assembly-language program, the
assembler generates machine-code, which it treats as data (it doesn't,
for example, try to execute it). So even raw machine-code is sometimes
code, and sometimes data.

Most modern CPUs directly execute microcode; even the machine-code is
effectively data to be processed when viewed from the perspective of the
microcode engine.

 

[Leythos]

to cause a buffer overflow. Neither of these examples can be malicious
from your perspective, so no doubt you won't be protecting the computers
for which you are responsible against either of them.

I hate to break your bubble, but you can overflow an input stream with
an ASCII file if you don't code it (the program doing the reading)
properly. That doesn't make ASII a programming language.

 

[Jack]

I hate to break your bubble, but you can overflow an input stream
with an ASCII file if you don't code it (the program doing the
reading) properly. That doesn't make ASII a programming language.

Don't worry about my bubble, it's still intact!

My point was that even if you classify HTML as data, that doesn't make
it incapable of malice. The distinction between programs and data is
irrelevant to the determination as to whether a given object is or is
not malware.

 

[Leythos]

Don't worry about my bubble, it's still intact!

My point was that even if you classify HTML as data, that doesn't make
it incapable of malice. The distinction between programs and data is
irrelevant to the determination as to whether a given object is or is
not malware.

You've got to look at it like this - HTML is not a program and can NOT
execute any code on a person's computer. The Browser or other HTML
reader parses the ASCII TEXT in what ever format the browser determines
it needs too. This means that the HTML is not the problem, it's the
flaws in the Browser/other program that are a the risk.

If you were to use a Unix based HTML Browser/email reader, or if you use
FireFox, the HTML can not do anything other than render a page.

If you include extensions or embed scripting inside HTML, it's still not
the HTML that is the problem, it's a combination of the script code and
the flaws in the browser.

Unfortunately, MS saw fit to make many of their applications read files
based on the content of the file and not the extension - which means
that if I rename a exe to .gif, double click on it, if I have an
unpatched system, it will run the exe and not try and display a gif.

So, HTML is no more dangerous than ASCII, and ASCII is only as dangerous
as the application you open it with.

So, if you were to run your email/browser in a safe manner, HTML is
purely safe, but if you allow your email/browser to execute ANY code it
comes across, then the embedded scripting (which is not HTML) may cause
you problems.

 

[Jack]

You've got to look at it like this - HTML is not a program and can
NOT execute any code on a person's computer.

You may *ask* me to look at something in a particular way, but I don't
have to do it just because you tell me to. Perhaps you meant something
like "If you want to see things the way I see things, then you've got to..."

The Browser or other HTML reader parses the ASCII TEXT in what ever
format the browser determines it needs too. This means that the HTML
is not the problem, it's the flaws in the Browser/other program that
are a the risk.

That's true of any vulnerability.

If you were to use a Unix based HTML Browser/email reader, or if you
use FireFox, the HTML can not do anything other than render a page.

Any sufficiently complex piece of software has vulnerabilities; however
I grant that IE appears to have been written with reckless disregard for
security.

If you include extensions or embed scripting inside HTML, it's still
not the HTML that is the problem, it's a combination of the script
code and the flaws in the browser.

IE exposes vulnerabilities that can be exploited using pure HTML. And

Unfortunately, MS saw fit to make many of their applications read
files based on the content of the file and not the extension - which
means that if I rename a exe to .gif, double click on it, if I have
an unpatched system, it will run the exe and not try and display a
gif.

This is a defect in Microsoft Explorer; it has nothing to do with a
discussion of malware.

So, HTML is no more dangerous than ASCII, and ASCII is only as
dangerous as the application you open it with.

This is patently untrue. IE is exposed to HTML buffer overflow exploits,
such that with a suitably prepared heap, it is possible to run arbitrary
code on the victim's machine. Even without preparing the heap, it is
still possible to crash the browser.
http://www.us-cert.gov/cas/techalerts/TA04-315A.html

These exploits don't rely on script or embedded executables.

IE is also exposed to <IMG> exploits, that depend only on a crafted
image file (not just renamed).
http://www.kb.cert.org/vuls/id/685364

So, if you were to run your email/browser in a safe manner, HTML is
purely safe, but if you allow your email/browser to execute ANY code
it comes across, then the embedded scripting (which is not HTML) may
cause you problems.

This is bad advice.

HTML is generally interpreted by some rendering engine, rather than
simply being presented in a text viewer. A modern rendering engine is a
*much* more complex piece of software than a text viewer, and is *much*
more likely to expose vulnerabilities. The most popular rendering engine
in the world is the one in Internet Explorer, which is used to render
HTML email more often than any other engine. Internet Explorer is
constantly the subject of new vulnerability reports, some of which are
concerned only with HTML (such as the two reports I cited).

It is certainly safer to set your email client to *not* render HTML email.

 

[Leythos]

This is patently untrue. IE is exposed to HTML buffer overflow exploits,
such that with a suitably prepared heap, it is possible to run arbitrary
code on the victim's machine. Even without preparing the heap, it is
still possible to crash the browser.
http://www.us-cert.gov/cas/techalerts/TA04-315A.html

These exploits don't rely on script or embedded executables.

No, the exploits rely on flaws in the PROGRAM that's reading the source
file/object. If you were to pass the same HTML through a different
browser it would not produce the same result - this means that it's NOT
HTML that is at fault, but the Browser that's at fault.

You're not reading their post in the same light as a programmer/designer
would.

When it comes to security I don't have a problem with HTML directly, I
have a problem with applications that do not properly act on HTML
information where the application is compromised by poor coding of the
APPLICATION, not with HTML.

We agree that HTML email and sites can expose users to risks, but the
real exposure is not HTML, it's the exposure of using a flawed
application in the first place. Blame the program, not the text file it
reads.

 

[Bart Bailey]

HTML gets "rendered" by the rendering engine - it's like a souped-up RTF. It can have containers with actual scripting
language content though, and that is interpreted by the associated scripting host and run within the browser domain's
security set. Internet Explorer has had (and still has) enough cross domain scripting problems that I can see why peeps
think HTML is as powerful as C++.

You can point to a turd on the trail,
and some people will still step in it.
This vulnerability was discussed over four years ago:
http://xrl.us/d46w

 

[Jack]

No, the exploits rely on flaws in the PROGRAM that's reading the
source file/object. If you were to pass the same HTML through a
different browser it would not produce the same result - this means
that it's NOT HTML that is at fault, but the Browser that's at fault.

All exploits rely on defects, either in an OS, an application, or
sometimes a protocol. I didn't say that HTML was at fault; I said that
it wasn't safe, and that there were simple exploits that rely only on HTML.

You're not reading their post in the same light as a
programmer/designer would.

When it comes to security I don't have a problem with HTML directly,
I have a problem with applications that do not properly act on HTML
information where the application is compromised by poor coding of
the APPLICATION, not with HTML.

We agree that HTML email and sites can expose users to risks, but the
real exposure is not HTML, it's the exposure of using a flawed
application in the first place. Blame the program, not the text file
it reads.

I'm not "blaming" either HTML or the application that renders it; I'm
just asserting that HTML is not safe, and that a page of HTML (or an
HTML email message) can be malware.