Malware Triangle

Discussion in 'Computer Security' started by Richard S. Westmoreland, Nov 19, 2004.

  1. Isn't that the point he is trying to get across? I don't think he's talking
    about the philosophical nature of html as a syntax. I think he's referring
    to the document itself and what it does when it is opened.

    Rick
     
    Richard S. Westmoreland, Dec 1, 2004

  2. Richard S. Westmoreland

    Leythos Guest

    HTML documents don't do ANYTHING when opened, the processing engine in
    the application opening them does the rendering. Which means, if you
    were using a secure application that nothing bad could happen. It's not
    the fault of the HTML document, it's the rendering application.

    If you want to blame something, blame the scripting language which has
    its code embedded in the HTML document - HTML is relatively safe, only
    the scripts that are embedded in it, which are not HTML, are unsafe.

    You can open the script by itself and get the effect, and without the
    HTML page too.
     
    Leythos, Dec 1, 2004

  3. We're not trying to "blame" something, just classify the threat. Okay let
    me rephrase my last statement.

    I think he's referring to the document itself and what is the result when it
    is opened.

    People don't send you buggy rendering processing engines to inflict damage.
    The bad software is the exploitable, the html "file" is the exploit (html
    plus embedded junk), and the whole thing is the threat.

    You guys are now arguing just to argue.

    Rick
     
    Richard S. Westmoreland, Dec 1, 2004
  4. Richard S. Westmoreland

    Leythos Guest

    But I disagree, the HTML is not the problem, neither is the script, it's
    the fact that the user is running an app that allows certain programming
    flaws to be exploited.

    If I were to render HTML pages with FireFox, the script, based on my
    settings in FireFox, would not even be a small threat, in fact, it's not
    a threat at all. If I were to render the HTML in IE, were it configured
    properly, it would also not be a threat.

    What you can say is that scripts embedded in HTML are a threat to some
    applications, but, since you can run a script without any HTML being
    present, HTML is not a threat - it's just the part that gets seen and
    therefore gets blamed.

    This is akin to saying that Needles are a threat in all forms - which is
    not true, it depends on the contents that are not part of the needle.

    If I load the malicious script on my web site, with no HTML, and pass
    you the URL, you will have just as much opportunity to see the malicious
    results as if I had embedded it in a HTML page.

    Your scope of realization is too narrow in this idea.

    Oh, one other thing - I only argue to argue when I'm arguing with Family
    :)
     
    Leythos, Dec 1, 2004
  5. My perspective on this debate, is that some needles are threats. Those
    threatening needles are threats. Needles in general are a potential threat,
    but not an active threat. But aren't we talking about the needles that *are*
    threats? Isn't that what this branched-off debate is about? I think it's
    the needles that killed the horse.

    I think it comes down to whether you have reactive mentality or proactive
    mentality. Some people will look at that html file and think "it's just
    data, it is harmless right now, so it is not threatening", and some people
    think "it's data, but how many different ways can this affect me given x and
    y scenario".

    Rick
     
    Richard S. Westmoreland, Dec 1, 2004
  6. Richard S. Westmoreland

    Roger Wilco Guest

    Just like "e-mail is a threat" - well, it is (or can be). But arguably it is the extension to e-mail (MIME) that is the threat
    because without it we would have only text (like the good old days) - but wait...MIME itself isn't bad, it is a container
    for the multipurpose extended content which can be HTML or attached content or script within HTML or whatever
    that is extracted from their containers and executed by the mail client's use of OS resources. To guard against such
    threats as e-mail you could set a policy to not allow any - but all you really needed to do is not allow the script to run.
    Same with HTML files in general - you wouldn't need to disallow HTML to stop the threat, only the scripting. It is
    best to look at what is actually the threat instead of labelling all HTML as dangerous.
     
    Roger Wilco, Dec 2, 2004
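
Roger Wilco's distinction above (MIME is only a container, and it is the scripting inside an HTML part that has to be blocked, not HTML itself) can be checked mechanically. The Python sketch below is an added example, not part of the thread: it walks a constructed MIME message and lists the active content in each part; the sample message, the tag list and the names `ActiveContentFinder` and `inventory` are assumptions made for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample message (not taken from the thread).
SAMPLE = """\
Content-Type: multipart/alternative; boundary="BOUND"

--BOUND
Content-Type: text/plain

Hello in plain text.
--BOUND
Content-Type: text/html

<html><body onload="init()"><p>Hello in <b>HTML</b>.</p>
<script>function init() {}</script>
<a href="javascript:void(0)">link</a> <a href="https://example.com/">ok</a></body></html>
--BOUND--
"""

ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}  # assumed list
URL_ATTRS = {"href", "src", "action"}

class ActiveContentFinder(HTMLParser):
    """Records markup that asks the renderer to run or load code."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):  # inline event handler such as onload
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value.startswith(("javascript:", "vbscript:")):
                self.findings.append(f"script URL in {name} on <{tag}>")

def inventory(raw_message):
    """Map each leaf part's content type to the active content found in it."""
    report = {}
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue  # the container itself carries nothing to execute
        finder = ActiveContentFinder()
        if part.get_content_type() == "text/html":
            finder.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        report.setdefault(part.get_content_type(), []).extend(finder.findings)
    return report
```

A mail policy built on this inventory can keep the HTML part and strip or refuse only the listed items, which is the narrower control the post argues for.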
  7. Richard S. Westmoreland

    kurt wismer Guest

    yes, but he's said things like you can make programs with html, which
    is false...

    even an html document is not a program, it is a container that *may*
    house one or more programs (not unlike a word document, actually)...
     
    kurt wismer, Dec 2, 2004
  8. Richard S. Westmoreland

    Ant Guest

    Ok, the capable browser says "Ooh look, a script tag! That means I can
    run what's inside. Oh well, if you insist...", or words to that effect.
    I know.
    I know.
    It is different, in that the intention is for a browser to run that
    content. I don't expect that when I open an archive.
    The whole thing is effectively one script for a web browser to
    interpret and act upon as it sees fit.
    True, but they are not as widely used as the ones that do. Many people
    using popular browsers do not have them (or their operating system)
    configured safely.
    I'm not comfortable with calling email or html documents "programs",
    but was suggesting they should be treated as such because of the way
    they are mostly handled.
    Email specs don't say a lot of things. When companies such as MS seek
    to redefine email, enable processing of rich and executable content in
    their email clients, and encourage users to accept this paradigm, we
    have a problem when their software is so widely used.
    Perhaps they shouldn't (because of the way emails are often handled).
    However, the difference for me is that I expect and want to run
    active content in some trusted webpages, but I never do with emails.
    They are containers, but any executable content is in them for the
    purpose of being run. You might say that an exe file is a container
    of machine code and data. If I open it with a loader it will be run.
    If I open it with a debugger I can choose to run some of it, and
    display the data within (bitmaps, etc.). If I open it with dependency
    walker it won't be run. Granted, you will always expect an exe to be
    run when loaded by the OS, but you won't necessarily expect that for
    the scripts in an html document loaded by a browser.
     
    Ant, Dec 2, 2004
  9. Richard S. Westmoreland

    Ant Guest

    I'm not. I know that html is not a programming language; I said so in
    my original post.
    Yes. I'm referring to the whole document, what it contains, and what
    browsers are expected to do with it all when they open the document.

    I said that html should be considered a programming language. The
    reason being, that it allows you to create, in effect, a single script
    for a browser to process, parts of which may be executable. That
    statement is what sparked off this sub-thread. In retrospect, I
    probably should have chosen my words more carefully.
     
    Ant, Dec 2, 2004
  10. Richard S. Westmoreland

    Randall Bart Guest

    'Twas Wed, 1 Dec 2004 14:49:43 -0500 when all alt.privacy.spyware stood in
    I volunteer to help carry out the horse when y'all are through beating it.

     
    Randall Bart, Dec 2, 2004
  11. Richard S. Westmoreland

    Gorf Nimda Guest


    "Bones, What is it?" he asked. "Ugh!" McCoy grunted and
    wrinkled his nose in disgust as he began scanning the revolting
    mess with his tricorder. "Jim, it WAS a horse, however it's
    been beaten to death. Whoever or whatever did this doesn't know
    when to quit." "Doctor," Spock began. "Your talent for
    understatement is unparalleled. The creature most likely died
    after the first few blows, yet this animal has been literally
    beaten to a pulp. Analysis shows that this level of destruction
    could not have been done with less than 1248 blows from a common
    hammer assuming it was wielded by an average human."

    "Spock, Bones, Enough. The important thing is that there is at
    least one, probably several very dangerously insane people
    about. Set your phasers to heavy stun and keep alert."

    ~~~~~~~~~~~~~~~~~~~~~
    This message was posted via one or more anonymous remailing services.
    The original sender is unknown. Any address shown in the From header
    is unverified. You need a valid hashcash token to post to groups other
    than alt.test and alt.anonymous.messages. Visit www.panta-rhei.dyndns.org
    for abuse and hashcash info.
     
    Gorf Nimda, Dec 2, 2004
  12. I think it's
    You can have the horse now, I'm through with it. :)

    Rick
     
    Richard S. Westmoreland, Dec 2, 2004
  13. Richard S. Westmoreland

    Gorf Nimda Guest


    It is however, a good idea to disallow HTML in emails and usenet
    to remove un-needed bloat and one helluva lot of spam



     
    Gorf Nimda, Dec 2, 2004
  14. Richard S. Westmoreland

    Gorf Nimda Guest


    "Bones, What is it?" he asked. "Ugh!" McCoy grunted and
    wrinkled his nose in disgust as he began scanning the revolting
    mess with his tricorder. "Jim, it WAS a horse, however it's
    been beaten to death. Whoever or whatever did this doesn't know
    when to quit." "Doctor," Spock began. "Your talent for
    understatement is unparalleled. The creature most likely died
    after the first few blows, yet this animal has been literally
    beaten to a pulp. Analysis shows that this level of destruction
    could not have been done with less than 1248 blows from a common
    hammer assuming it was wielded by an average human."

    "Spock, Bones, Enough. The important thing is that there is at
    least one, probably several very dangerously insane people
    about. Set your phasers to heavy stun and keep alert."

     
    Gorf Nimda, Dec 3, 2004
  15. Richard S. Westmoreland

    kurt wismer Guest

    Ant wrote:
    [snip]
    ok, let's compromise....

    i'll agree that visiting web pages often poses a risk of malicious code
    execution if you'll agree that it is not the html language but the
    value-added web browsing experience that browser developers have
    created that poses the real risks...
     
    kurt wismer, Dec 4, 2004
  16. Richard S. Westmoreland

    xmp Guest

    ah, shut up. you can tell the programmers from the non-programmers in
    this thread.

    Kurt is an idiot (as usual).

    michael
     
    xmp, Dec 4, 2004
  17. Richard S. Westmoreland

    xmp Guest

    and what about the GDI+ exploit? unless you consider the rendering of
    images to be a value-added web browsing experience.

    folks, Kurt is the resident alt.comp-anti-virus troll (and village
    idiot). just put him in the PLONK file and be done with it.

    michael
     
    xmp, Dec 4, 2004
  18. Richard S. Westmoreland

    Roger Wilco Guest

    Programmers are often ignorant of computer science, but most computer scientists do know what programs are and are not.
    From your statement I would class you as non-programmer but for the fact that I know many programmers that don't know
    how stuff works. The fact is that programming languages are designed to enable programming by the clueless. The state of
    being a programmer does not mean the person has a clue.
    For an idiot he sure knows what he is talking about. A W32 executable may need some translation to be made into an
    executable image, but it is a program file even though it is sort of like a container. Sending it as inline content in an HTML
    w\scripting email does not make the email a program any more than does archiving it in a zip file make the zip file a program.
     
    Roger Wilco, Dec 4, 2004
  19. Richard S. Westmoreland

    xmp Guest

    it's just a semantical game. persons jump on this thread as if it means
    something, but it's simply wasted bandwidth IMHO. there are multiple
    definitions for program (look it up for proof) and it's nothing more
    than a classic lumping / splitting taxonomical issue.

    michael
     
    xmp, Dec 4, 2004
  20. Richard S. Westmoreland

    Leythos Guest

    You don't have to participate in the thread if you don't want to. Since
    this is a very low bandwidth group, and the subject is on topic, you can
    choose to rise above all of us and ignore it :)
     
    Leythos, Dec 4, 2004