S 5.69 Protection against active content
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer
When webpages are displayed in the browser, in many cases not only text, images, and multimedia content are loaded, but program code (active content) is executed at the same time, possibly by means of suitable plug-ins. Well-known examples of active content are JavaScript, Java applets, ActiveX elements, Flash etc. If active content is executed in the browser, this may lead to security problems, for example, if this results in malware being loaded on the computer or if attackers attempt to access data without authorisation using active content. The common browsers include security mechanisms restricting the possible access for active content. However, weaknesses and possibilities for undermining these security mechanisms are frequently published.
There are several approaches available to protect an internal network against misuse from the Internet using active content. These are presented in the following.
Filtering active content on the firewall
This is the most secure (and therefore recommended) method for accessing the Internet since the firewall can still be used as the primary access control. In order to prevent the acceptance of active content, it is necessary to have a proxy on the application level gateway (ALG) to examine HTML pages for active content. If the proxy finds any such content, it must be filtered out of the page. There are a number of ALGs which offer this function (see S 2.75 Selection of a suitable application gateway).
However, it must be assumed that this solution, although it is the safest, will become less and less acceptable in the future because the number of websites which cannot be used appropriately once the active content has been filtered out is on the increase.
Note: Active content can also be hidden in e-mails, and e-mails should also be checked for active content for this reason.
Moreover, when using this approach, it should be noted that active content must also be filtered out from TLS/SSL-encoded data streams. TLS/SSL-encoded data streams must therefore be terminated at the perimeter of the network, for example, on the ALG. This function is now also offered by a number of firewall products.
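As an added illustration of what the ALG proxy described above has to do (example code written for this edition, not taken from the safeguard or from any firewall product), the following Python filter rebuilds an HTML page while dropping script-like elements, inline event handlers and javascript: URLs; the element list, the function names and the sample page are assumptions.

```python
from html import escape
from html.parser import HTMLParser

ACTIVE_ELEMENTS = {"script", "applet", "object", "embed"}  # dropped with everything inside


def attribute_is_safe(name, value):
    """Reject on* event handlers and javascript: URLs (HTMLParser lower-cases names)."""
    target = "".join((value or "").split()).lower()  # collapse "java\tscript:" obfuscation
    return not name.startswith("on") and not target.startswith("javascript:")


class ActiveContentFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit &amp; etc. unchanged
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside an active element

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth += 1
        elif not self.skip_depth:
            kept = "".join(f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}"
                           for n, v in attrs if attribute_is_safe(n, v))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):  # also reached for self-closing forms such as <embed .../>
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth = max(self.skip_depth - 1, 0)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # text, and the raw body of <script> while skipping
        if not self.skip_depth:
            self.out.append(data)

    handle_entityref = lambda self, name: self.handle_data(f"&{name};")
    handle_charref = lambda self, name: self.handle_data(f"&#{name};")


def strip_active_content(page):
    """Filter one proxied HTML response; returns the page with active content removed."""
    parser = ActiveContentFilter()
    parser.feed(page)
    parser.close()
    return "".join(parser.out)


# Constructed sample page for the demonstration (not taken from any real site).
SAMPLE_PAGE = ('<html><body onload="init()"><p>Hello &amp; welcome</p><script>document.cookie'
               '</script><a href="Java\tScript:alert(1)">x</a><object data="a.swf">flash</object>'
               '<img src="logo.png" onerror="steal()"></body></html>')
```

Such a filter only sees cleartext, so it has to sit behind the TLS/SSL termination point mentioned above; a product-grade filter additionally has to cover content types other than HTML (e-mail, documents) and browser parsing quirks that this example leaves out.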
Disabling the execution of active content in the browser
If the workstation computers are managed centrally, then consideration should be given to restricting the rights of each user to the extent that users are not able to change the security settings of their web browsers any more. The browsers could then be configured so that active content is not executed. It is thus also possible to dispense with the filtering of active content on the application level gateway.
Checking active content for malicious code
Analogous to classic virus protection programs, protection software is available which scans active content for malicious code. If the software detects a risk, it denies access to the suspicious code. The protection software for checking for malicious code can be used on the client side or at the perimeter of the network.
However, it must be taken into account that this approach does not offer absolute protection, as it may happen that the protection software fails to recognize a malicious webpage or a malicious element. Owing to the principles involved, the recognition rate is less than 100%. As with classic virus protection programs, regular updates of the protection software and its databases are important.
Executing active content in a separate environment
There are several technical possibilities to move the execution of active content to a separate, isolated environment in order to reduce the risk.
- Terminal server: The browser is moved from the client to a terminal server provided for this purpose which is located in a separate network segment. The client uses a terminal server protocol (VNC, RDP, ICA, X11 etc.) to access the terminal server. In this manner, the browser is remote controlled. The possible communication between the terminal server and the local network is reduced to a minimum by corresponding network-related safeguards.
- Virtual IT systems: The browser is moved to a separate virtual IT system which can be used from the client. The possible communication between the virtual IT system and the client as well as the local network is reduced to a minimum by configuration-related safeguards. It is also possible to implement this solution completely on the client.
- Operating system mechanisms: Some operating systems, possibly with additional components, offer advanced options for isolating different processes from each other. Examples of such components are SELinux and AppArmor. These mechanisms can also be used for execution of active content in a separate environment.
Selective execution of active content
The execution of active content can be restricted to specific websites or the users can be permitted to enable or disable the execution of active content themselves. There are also plug-ins which make enabling and disabling of active content more convenient for the users. However, in many cases this approach is not suitable for practical use.
Some types of active content, for example ActiveX elements, can be provided with a digital signature by the publisher. A verified and valid signature can provide information on the origin of an element. However, it is not possible to make a reliable statement as to whether an element contains malicious code based on the signature.
Recommendations
- The execution of active content should only be permitted if this is necessary for the relevant specialised task.
- Plug-ins used for the execution of active content should only be installed if this is necessary for the relevant specialised task.
- Before active content is executed, it should be checked for malicious code (centrally or locally) using up-to-date protection software.
- Active content in the form of ActiveX should only be executed, if at all, if it comes from a trustworthy source, i.e. if it has been signed, the signature has been verified, and the signatory is trustworthy.
Taking the risk situation and the technical requirements into consideration, a decision must be made on how to handle active content. It is recommended to document this decision.
Review questions:
- If active content is filtered centrally: Is SSL-based WWW access (which the filter cannot inspect) prohibited?
- Does a coordinated procedure for protection against active content exist?