As part of our security research activities here at Juniper, I watch over a distributed honeynet (a network of multiple honeypots). Our honeynet consists of multiple victim PCs around the world running a variety of new and old operating systems, none of which have been patched once since the day they were released. Additionally, we have a web spider that crawls websites looking for any malicious content that might be trying to infect web clients.
As the spider crawls websites, it keeps some basic statistics, such as which HTML tags are the most prevalent, or which ActiveX controls are used most frequently. It is this last statistic that brings us to today’s blog post.
The first surprising fact our spider has uncovered is how popular Adobe Flash is as an ActiveX control. It’s not too surprising that Flash is the most popular control on the internet today, but the degree to which it takes the prize is impressive. Over 98% of all ActiveX controls in use today are Flash.
What is even more surprising is that the #6 most popular ActiveX control on the internet is… mis-typed or otherwise broken Flash controls. The sheer variety of mistakes is impressive as well. In just a few weeks our spider found over 300 different mistakes made across 2400 different websites.
The most common error seen was leaving out a ‘:’ between “clsid” and the Flash CLSID (clsid27cdb6e-ae6d-11cf-96b8-444553540000). The 2nd most common was adding a superfluous ‘-’ between the two (clsid:-d27cdb6e-ae6d-11cf-96b8-444553540000). All told, nearly half of all ActiveX CLSIDs we saw on the Internet were failed attempts at invoking Flash.
What does this have to do with security? This example shows how something relatively simple (putting a Flash movie in your web page) can end up being really complicated, especially if you’re the software or device responsible for making sense of all those mistakes. The “Robustness Principle” states that when writing software you should be “conservative in what you send” and be “liberal in what you accept.” In this case, the principle would suggest that the more of those mistakes your web browser silently compensates for, the better. And while all the web developers out there should be “conservative” in their coding practices and stick only to the most correct of syntax, it’s not too surprising they quit the moment their page looks right, regardless of how well-formed it may or may not be.
Web browsers are probably the most “liberal” software we run in terms of what horribly malformed data they will nevertheless render. This makes web browsers particularly hard to protect from attack. HTML is a complex enough standard when it is used properly; it becomes unreasonably complex once broken syntax is supported. A large number of browser vulnerabilities have been caused by invalid DOM manipulation (such as inserting data into a table cell after the table has been deleted). I imagine that a lot of these vulnerabilities wouldn’t have existed in the first place if the browsers insisted on receiving proper HTML instead of making do with whatever nonsense was handed to them.
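To make the strict-versus-liberal distinction concrete, here is an added example (not code from the original post or from the spider it describes): a Python classifier that sorts `classid` attribute values into well-formed Flash, broken attempts at Flash, and everything else. The function names, the 0.9 similarity threshold and the sample values are assumptions constructed for illustration.

```python
import re
from collections import Counter
from difflib import SequenceMatcher

# Flash CLSID as quoted in the post.
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"
FLASH_HEX = FLASH_CLSID.replace("-", "")

# Strict form: "clsid:" followed by a canonical 8-4-4-4-12 GUID, nothing else.
STRICT = re.compile(
    r"clsid:([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})",
    re.IGNORECASE,
)

NEAR_MISS = 0.9  # assumed similarity threshold, not a figure from the post


def classify(classid: str) -> str:
    """Return 'flash', 'broken-flash', 'other' or 'malformed-other'."""
    m = STRICT.fullmatch(classid)
    if m:
        return "flash" if m.group(1).lower() == FLASH_CLSID else "other"
    # Lenient path: drop the scheme word and all punctuation, then compare
    # the remaining hex digits with the Flash CLSID.
    low = classid.strip().lower()
    if low.startswith("clsid"):
        low = low[len("clsid"):]
    digits = re.sub(r"[^0-9a-f]", "", low)
    score = SequenceMatcher(None, digits, FLASH_HEX).ratio()
    return "broken-flash" if score >= NEAR_MISS else "malformed-other"


def tally(values):
    """Count categories the way a crawler statistic would."""
    return Counter(classify(v) for v in values)


# Constructed sample values, modelled on the mistakes described above.
SAMPLES = [
    "clsid:D27CDB6E-AE6D-11cf-96B8-444553540000",   # well-formed Flash
    "clsidd27cdb6e-ae6d-11cf-96b8-444553540000",    # missing ':'
    "clsid:-d27cdb6e-ae6d-11cf-96b8-444553540000",  # superfluous '-'
    "clsid27cdb6e-ae6d-11cf-96b8-444553540000",     # ':' and one character lost
    "clsid:00000000-0000-0000-0000-000000000001",   # some other control
    "clsid:not-a-guid",                             # malformed, not Flash
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{classify(value):16} {value}")
    print(dict(tally(SAMPLES)))
```

A strict matcher alone counts only the first sample as Flash; the lenient path is what lets an inspection tool report the other three as Flash attempts instead of as unknown controls.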

