Java and .NET security

By | October 27, 2004

SUN Microsystems Java and Microsoft´s .NET platforms are no more than programming languages that exploit network potential with the idea that the same software should function on different platforms. Both systems are centered around the principle of running software that doesn´t reside on the client machine to provide greater functionality or faster execution, saving connection time and improving public perception of the server to which the client connects.

Any kind of program code can carry malicious elements such as viruses, Trojans, etc. To avoid this certain strategies exist, which at first glance might seem to be useful. In the case of Java, instructions are executed in ´sandboxes´ to avoid outside interference with the system. For example, a Java applet can´t read, write, delete or rename client files, load libraries, create security managers nor specify any network control functions. In theory, given the limitations that are imposed on Java applets, any client computer should be safe when dealing with a Java service.

However, the Java platform is not quite as perfect as one might imagine. A hacker with some knowledge of programming or of Java file formats could easily enter, delete or modify content within Java applets and by-pass ´sandbox´ security. Each new browser version includes new and safer Java support, but it is still impossible to be 100% certain.

In response to the Java system, Microsoft developed a system for executing code on client machines. ActiveX, as the system is called, is similar to Java in terms of its objectives, albeit with less security. The control over what ActiveX can do depends not on a preset security system like the Java ´sandbox´ but on the acceptance or refusal of the downloaded control by the user. Yet leaving the security of server connections in the hands of the user is not an ideal situation either…

Microsoft´s next step was to develop the .NET platform. This system is based on pre-compiled code, which adapts to the system making the request when the connection is made and is run on the server. In this way the computers that connect to the server don´t need to download or run code. As opposed to Java or ActiveX, the code is run on the server, not the client. Although this is an improvement in terms of security, it can also produce problems, as was demonstrated by the appearance of the W32/Donut virus. This malicious code was nothing more than a laboratory guinea pig, but it drew attention to the fact that Microsoft “.NET” is susceptible to virus infection.

What this really shows is that it is impossible to guarantee the security of new platforms. With each new operating system, each new application, each new innovation there is always the chance that a new ´hole´ will appear to facilitate attacks on end users.

Software developers are conscious that possible security flaws are a fact, and they are more than aware that they are up against people whose only aim is to defeat security systems for the sake of destruction. For this reason, quality control departments at software companies must constantly put themselves in the shoes of the attackers.

The biggest problem lies not with the discovery of security holes or the creation of a new virus, but in the ability (or lack of it) of users to apply the patches produced by developers. Not all companies have IT departments constantly on the lookout for service packs. Even when a company has a systems department, there are often too many urgent jobs to leave time to deal with some of the most important security measures.

The problem exists, and it won´t go away by ignoring it. We are surrounded by companies dedicated to investigating system security and providing turnkey solutions. If your company can´t stop working, then your IT systems can´t either, especially not because of security problems. These matters should be left to security experts who can assess a companies weaknesses and its precise needs. If antivirus protection is left to professionals, who update protection daily without you having to lift a finger, why don´t you do the same with other IT security systems?

With these services on hand, a problem in critical platforms will be no more than a mere anecdote.

Leave a Reply