Webware security

Many systems, including Java, ActiveX, JavaScript, and Web plug-ins, allow Web authors to attach an executable program to a Web page, so that anyone visiting the page automatically downloads and runs the program. These systems (collectively known as Webware) offer unique security challenges. This is not a new problem: people have always passed programs around. What is new is the scale and frequency of downloading, and the fact that it happens automatically without conscious human intervention. In one (admittedly unscientific) recent experiment, a person was found to have downloaded and run hundreds of Webware programs in a week. The same person ran only four applications from his own computer.

Simply visiting a Web page may cause you to unknowingly download and run a program written by someone you don’t know or don’t trust. That program must be prevented from taking malicious actions such as modifying your files or monitoring your online activities, but it must be allowed to perform its benign and useful functions. Since it is not possible (even in theory) to tell the difference between malicious and benign activity in all cases, we must accept some risk in order to get the benefits of Webware.

Despite the danger, Webware is popular because it meets a real need. People want to share documents, and they want those documents to be dynamic and interactive. They want to browse, to wander anywhere on the net and look at whatever they find.