Web Users Beware
Pulling certain files off the World-Wide Web could yield some unpleasant surprises if you don't take the proper precautions.
by Joel Snyder
Browsing through the Web inspires a certain sense of wonder. On the screen are some magic links. Click on a link, and you are transported instantaneously to some new place in the world of the Web. Some links are insubstantial wisps, jumping a few paragraphs ahead or behind. Others have the impact of a feral golf ball, dumping you 1,000 miles from home in network never-never land. When you follow that link, you really don't know where you're going or what danger you may be courting.
The core of the Web is a protocol called HTTP (Hypertext Transfer Protocol), which is used to ship documents between Web servers and Web clients--browsers such as Mosaic or Netscape Navigator. A common misconception is that these documents are written in HTML (Hypertext Markup Language). But that's not true. The documents are coded using a standard called MIME, or Multimedia Internet Mail Extensions. Some MIME documents, but not all, are in HTML.
It's like a birthday present. The outside gift wrap is HTTP, and with the wrapper on, you don't know anything about what's inside. The box is MIME, and inside the box can be anything. Well, not exactly. Most boxes indicate what's inside them. If it says "pasta maker" and has a picture of a plastic and steel contraption, you have a pretty good idea what's inside the box.
MIME tells the browser what kind of document it's getting. You're already familiar with the most popular types: HTML documents, GIF or JPEG images, and so on. There are many types in common use. The version of Netscape Navigator on my Mac knows about 25 different ones. (To see how many your browser knows about, look in the Preferences or Settings menus for something called "helper applications" or "document types.")
Where am I going with this? Bear with me. You need some background to understand any problems that could occur. Navigator, like most other browsers, will use the MIME information to tell it how to interpret a document. Some document types are interpreted by the browser itself: HTML certainly, and probably some image formats as well. For other documents, the browser usually launches what are called "helper" applications, which can interpret file formats that the browser cannot.
Beauty and the Beast
It's a beautiful way to extend the Web. If you have a special document format, you just teach the browser what application to launch, and you've added new capabilities without having to write lots of code. Most of the time, this is harmless. Consider sound files. Most browsers don't interpret them directly; rather, they call a helper application to play audio clips. There's no danger there.
But what about applications like Microsoft Excel? It's not just a spreadsheet, but has a complete programming language built into it. This means that a Microsoft Excel spreadsheet may be more than a bunch of numbers. It may have a program built into it, which can be dangerous. Programs are not just read-only documents; they are active agents, capable of changing the environment: reading, writing, creating, and even deleting files. Click on a link, and you could be downloading a program that will automatically run on your machine. The program could do something useful or it could format your hard disk and insert a boot-sector virus.
Excel is just one example. Most high-end word processors and spreadsheets now include a scripting or programming language. PostScript has file operators, and a PostScript document could corrupt every file on your disk while it was drawing pretty pictures on your screen.
Don't be too alarmed. You're probably not in immediate danger. For one thing, your browser probably is not configured to jump off and run Excel any time a server sends it a spreadsheet. And you probably don't have a PostScript document viewer available.
On the other hand, maybe your browser does know about Excel, and perhaps you do have a PostScript viewer. When was the last time you reviewed your browser's set of helper applications? Are you sure your browser couldn't launch an application at the command of a server?
There's another reason the likelihood of damage is low: People are not likely to put nastygrams on Web pages that easily can be traced back to them. But if you're like me, you probably find that you're often sidetracked off the main streets of the Web into the dark alleys of personal Web pages. Is the person offering that page really who you think he is? Or could it be some mischievous hacker setting an ugly trap?
This problem is going to get worse, not better. As the browsers become smarter, browser authors are going to preconfigure them for more helper applications, which are themselves getting more powerful and flexible. Imagine a program that scans your hard disk for your Quicken data files, pulls out your credit card and bank account numbers (and your current balances), and sends them off to a rogue somewhere--all without you noticing. Macs aren't alone here: It's easy to come up with scenarios for Windows, Unix, and OpenVMS systems that are just as dangerous. Companies with elaborately constructed firewalls could be only a few unsuspecting clicks away from Information Armageddon.
What can you do? The first thing is education. Spend some time and understand how your browser is configured and what programs it may decide to launch on its own. Any program that is more than a completely passive viewer could be a problem. If you find something suspect, disable it in the browser. This may make downloading some kinds of data a little more inconvenient, but it's a trade-off well worth the inconvenience.
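One way to put that review into practice, as an added example that is not from the article: a small Python audit of a Unix mailcap-style helper table (the format Mosaic-era browsers read for their helper applications) that flags every handler which is not a passive viewer, and that shows the server's Content-Type header, not the file name in the link, is what selects the helper. The sample table, the command names, and the passive/active type lists are constructed assumptions for illustration.

```python
"""Audit a browser helper-application table (mailcap style) for active-content handlers."""

# Constructed sample in the Unix mailcap format: "type/subtype; command" per line.
# The commands are illustrative assumptions, not any real browser's defaults.
SAMPLE_MAILCAP = """\
# helper applications (constructed sample)
text/html; netscape %s
image/gif; xv %s
audio/basic; play %s
application/postscript; gs %s
application/vnd.ms-excel; excel %s
application/x-sh; sh %s
"""

# Types whose documents are passive data under a plain viewer (assumed list).
PASSIVE_TYPES = {"text/plain", "text/html", "image/gif", "image/jpeg", "audio/basic"}
# Formats the article singles out as carrying embedded programs, plus outright scripts.
ACTIVE_TYPES = {"application/postscript", "application/vnd.ms-excel", "application/x-sh"}

def parse_mailcap(text):
    """Return {mime_type: command} from a mailcap-style table; skips blanks and comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) >= 2:
            table[fields[0].lower()] = fields[1]
    return table

def classify(mime_type):
    """'passive' for viewer-only data, 'active' for program-carrying formats, else 'unknown'."""
    mime_type = mime_type.split(";")[0].strip().lower()   # drop parameters like charset=
    if mime_type in ACTIVE_TYPES:
        return "active"
    if mime_type in PASSIVE_TYPES:
        return "passive"
    return "unknown"

def audit(mailcap_text):
    """List (type, command, verdict) for every handler that is not a passive viewer."""
    findings = []
    for mime_type, command in parse_mailcap(mailcap_text).items():
        verdict = classify(mime_type)
        if verdict != "passive":          # 'unknown' is reported too: review it by hand
            findings.append((mime_type, command, verdict))
    return findings

def handler_for_response(content_type_header, mailcap_text):
    """The helper a browser launches is chosen by the server's Content-Type, not the URL."""
    mime_type = content_type_header.split(";")[0].strip().lower()
    return parse_mailcap(mailcap_text).get(mime_type)
```

Run `audit(SAMPLE_MAILCAP)` against your own table to get the list of handlers worth disabling; `handler_for_response` makes the point that a link ending in `.txt` still launches whatever the server's declared type maps to.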
Be especially careful if you obtained a browser from an Internet service provider. The firm may not be as attuned to the security risks as the original browser authors and may have adjusted the configuration on your behalf before giving it to you.
If your company uses a customized Web browser for internal applications, be careful when using the same browser to access the outer Internet. Customization that is appropriate on a corporate LAN may open up major holes when used to read the Web pages of the great unwashed. When in doubt, check with your network manager to make sure there are no security holes that could be exploited by an outsider.
Don't be afraid to launch your Web browser, but you should understand that if used carelessly, your browser could be a big bad hole right into the heart of your computer. Don't get burned.
Joel Snyder is a senior partner at Opus One in Tucson, Ariz.