I've previously blogged about how I don't think, fundamentally, Web 2.0 represents a change in information security. It represents some new challenges, but the base goals are still the same -- Confidentiality, Integrity, Availability. I was able to attend a couple excellent internal conferences this week on Web 2.0, which has helped me further refine some of my thinking. One conclusion I've drawn over the past couple weeks is that the Web 2.0 "web as platform" principle is fairly significant, and is going to represent the new class of major self-propagating malware threats. And it gets worse.
My concerns can be summed up in one concept: Increased Attack Surface. What this means is that the number of attack opportunities are potentially increased and, worse, the value that can be gained through a variety of these attack vectors is also far more diverse. Thus far, I have the following breakdown for this vastly larger surface.
1) One Code Base, Any OS/Browser Platform
The first problem I see is that malware targeting one application can be successful against the app regardless of platform. And, since you're attacking the application itself, which is running within its own virtual machine environment, you can then pretty much take ownership of that environment. Now, if these apps were only running in the browser, this may not be such a big deal (aside from the plethora of browser vulnerabilities that could potentially be exploited as a "local" user), except that...
2) One Code Base, Both Browser and Desktop
Adobe, in particular, as well as Microsoft seem to be latching onto the concept of being able to run your cross-platform application both in the browser and on the desktop. The problem with running in a browser is that you're restricted to the DOM, you're restricted to the browser sandbox, and that means you can't access local files. One example mentioned in a presentation this week was that it would be great to have a media player that would work both in the browser and with local files on the desktop. Adobe's Apollo meets this objective of having 1 application that can run in the browser or as a traditional desktop application, and apparently cross-platform, too. Think of the malware opportunities here!
3) Multiple Programming Models, One Output Format
Flash and Flex are different programming models, but they both output to the same format (.swf files in this case). I also know that the open-source OpenLaszlo project will be supporting .swf format, too. This prevalence of development environments is great for legitimate developers, but it also means easy access for malevolent developers as well. How will you know the difference between good Flash and bad Flash? Does this mean we'll have to some day tell people not to click on Apollo/Flash applications, and definitely not to drag-n-drop them to the desktop, because it will be equivalent to installing malware, as has traditionally occurred through clicking on email attachments or bad links? The complexity is increasing dramatically...
4) Potential Reliance on Security Through Obscurity (byte code)
When asked about security in Flash, etc., part of the response was that "it's harder to exploit our code, because it's compiled into byte code." Yeah, well, hmmm. It seems to me that malicious developers have been disassembling binary files for a very long time. I find it unlikely that they'll have much difficulty with vanilla Flash. One would have to embed some sort of encryption key to make it more difficult, complete with code signing and dynamic checking.
Did you know that Flash has it's own cache for cookies? And that it maintains its own Privacy settings? It's true! Check out the Flash Player Settings Manager and explore the different options. If you weren't told this was in here, would you think about it? I'm guessing probably not.
5) Powerful Code Base, Complete with Binary Sockets!
So, I've been harping on malware quite a bit, because I think this will be the top threat. Of course, phishing should be grouped in here, too. But what really makes this threat so particularly disturbing is the revelation that Flash supports binary sockets. "What is this?" you say, "Binary sockets?" Yes, indeed, it seems that the good developers of Flash thought it would be nice if, for example, you could go to a Flash web site and then seek out live help. This live help could then take remote control of the application for you.
Of course, this means that all I have to do now is write an Apollo application that looks like a game, get you to drop it onto your desktop, then open a back door for me to get in, and I then have access to local file system, and viola! I can now examine your hard drive for personally identifiable information. I might be able to install other remote control software, such as a bot to add you to a fast-flux network. I might even be able to use the Flash application itself to be the fast -flux proxy. It's all very disconcerting.
---
So, these concerns are not, by any means, comprehensive. However, it raises a bunch of potential issues that need to be addressed, and quickly. The last thing we need to do is sprint off after the dream of Web 2.0, only to find out that we've taken a step back 10 years from a security perspective.
