
Silverlight, Microsoft's upcoming web media software, may be several months from its official release, but experts have already reached a consensus -- albeit a weak one -- about how secure it will prove to be.

That consensus favours Microsoft's argument that the software will not be easily exploitable by hackers. Microsoft says that Silverlight, a browser plug-in that works with Internet Explorer, Firefox and Safari, has key attributes that should protect it from such exploits.

But those experts warn that current attack trends could reveal Silverlight's vulnerabilities, if any, sooner rather than later. Hackers are moving away from the operating system layer and towards attacking web-based applications. In addition, the long-standing tendency for attackers to target Microsoft products will test the software severely.

"It's very early days," said Bola Rotibi, an analyst with Ovum. "But the proof will be in the pudding."

Timing is everything

Silverlight, which is expected to ship sometime this summer, is arriving at a time when web developers are coming under fire for the insecurity of the sites they build.

For instance, Rasmus Lerdorf, the well-known Yahoo developer, claimed last week that nine out of ten sites were hackable, a problem which leads him to always surf using two separate web browsers.

Most criticism has been directed at Asynchronous JavaScript and XML (AJAX), the popular rich-media-enabling technology, and its vulnerability to a form of attack called cross-site scripting (XSS).

But other consumer web applications, including Apple's QuickTime, Microsoft's Windows Media Player and Adobe Systems's Flash -- which Microsoft is hoping to supplant with Silverlight -- have also proven to be vulnerable.

The safety of the sandbox

Microsoft says Silverlight takes advantage of technologies in web browsers as well as Microsoft's .Net programming framework to make Silverlight as secure as possible. "We've locked it down," said Brian Goldfarb, lead product manager of the web platform and tools team at Microsoft.

For example, the Silverlight plug-in executes inside a web browser's virtual "sandbox". Goldfarb says this means that even if malware or a hacker is able to crack Silverlight, he or she should not be able to jump to other applications or servers -- provided the web browser's sandbox is fully secure.

"Sandboxing inside the browser is a common and well-understood concept and providing that there are no flaws in the browser technology, then it should be relatively secure," agreed Ovum's Rotibi.

Moreover, Silverlight is an extension of Microsoft's .Net technology, which Goldfarb claimed "has a proven track record of security".

That is due in part to the fact that .Net uses a technique called managed code, meaning that programs execute inside a virtual machine and never come into contact with a computer's "bare metal". That eliminates common hacking strategies, such as causing buffer overflows, Goldfarb said.

And because it is an extension of .Net, Silverlight should avoid some of the bugs common to first-generation products. "It's a new product, and it's not a new product," Goldfarb said.

Finally, while Silverlight does interact with JavaScript -- the component of AJAX that is known to be vulnerable to XSS attacks -- it itself should not be vulnerable to XSS attacks, says Goldfarb.

And the weak point is...

Jeffrey Hammond, an analyst with Forrester Research, accepts Microsoft's assertions. The weak point, he says, is the developers creating applications that run on Silverlight. Even though Microsoft, according to Goldfarb, has "put a lot of energy" into educating developers on how to avoid writing insecure code, insecure code is still going to be written.

"Developers don't set out to create defects or vulnerabilities, but they happen to even the best of us," Hammond said. "In any event, I'm sure we'll see a quick shakeout period."

Chris Swenson, an analyst with NPD Group, argues that flaws in Silverlight and Flash at least get patched more quickly than flaws in AJAX, which lacks the backing of a single large vendor.

"Microsoft and Adobe will move fast to plug holes," he said. "Compared to AJAX, Silverlight has to be on the secure end of the scale."

When security holes were discovered in Flash last year, Microsoft actually put out patches for Flash at about the same time as Adobe did.

On the other hand, Jeremiah Grossman, chief technology executive of White Hat Security, places more faith in the ingenuity of black hat hackers than in Microsoft.

"All these security measures are all well and good," he said. "Unfortunately, they're unlikely to be able to protect users against the newer attack techniques."