Silverlight Declared Secure
Microsoft's upcoming Web media tool is safe from most common exploits, security tests indicate.
Eric Lai, Computerworld
Silverlight, Microsoft Corp.'s upcoming Web media software, may be several months from its official release, but experts have already reached a consensus -- albeit a weak one -- about how secure it will prove to be.
That consensus favors Microsoft's argument that the software won't be easily exploitable by hackers. Microsoft says that Silverlight, a browser plug-in that works with Internet Explorer, Firefox and Safari, has key attributes that should protect it from such exploits.
But those experts warn that current attack trends could reveal Silverlight's vulnerabilities, if any, sooner rather than later. Hackers are moving away from the operating system layer and toward attacking Web-based applications. In addition, the long-standing tendency for attackers to target Microsoft products will test the software severely.
"It's very early days," said Bola Rotibi, an analyst with Ovum Ltd. "But the proof will be in the pudding."
Timing is everything
Silverlight, which is expected to ship sometime this summer, arrives at a time when Web developers are coming under fire for the insecurity of the sites they build.
For instance, Rasmus Lerdorf, the well-known Yahoo developer, claimed last week that nine out of ten sites were hackable, a problem that leads him to always surf using two separate Web browsers.
Most criticism has been directed at Asynchronous JavaScript and XML (AJAX), the popular rich media enabling technology, and its vulnerability to a form of attack called cross-site scripting (XSS).
But other consumer Web applications, including Apple Inc.'s QuickTime, Microsoft's Windows Media Player and Adobe Systems Inc.'s Flash -- which Microsoft is hoping to supplant with Silverlight -- have also proven to be vulnerable.
The safety of the sandbox
Microsoft says Silverlight takes advantage of technologies in Web browsers as well as Microsoft's .Net programming framework to make Silverlight as secure as possible. "We've locked it down," said Brian Goldfarb, lead product manager of the Web platform and tools team at Microsoft.
For example, the Silverlight plug-in executes inside a Web browser's virtual "sandbox." Goldfarb says this means that even if malware or a hacker is able to crack Silverlight, he or she shouldn't be able to jump to other applications or servers -- provided the Web browser's sandbox is fully secure.
"Sandboxing inside the browser is a common and well-understood concept and providing that there are no flaws in the browser technology, then it should be relatively secure," agreed Ovum's Rotibi.
Moreover, Silverlight is an extension of Microsoft's .Net technology, which Goldfarb claimed "has a proven track record of security."
That's due in part to the fact that .Net uses a technique called managed code, meaning that programs execute inside a virtual machine and never come into contact with a computer's "bare metal." That eliminates common hacking strategies, such as causing buffer overflows, Goldfarb said.
And because it is an extension of .Net, Silverlight should avoid some of the bugs common to first-generation products. "It's a new product, and it's not a new product," Goldfarb said.
Finally, while Silverlight does interact with JavaScript -- the component of AJAX that is known to be vulnerable to XSS attacks -- it itself should not be vulnerable to XSS attacks, says Goldfarb.
And the weak point is...
Jeffrey Hammond, an analyst with Cambridge, Mass.-based Forrester Research Inc., largely buys Microsoft's assertions. The weak point, he says, is the developers creating applications that run on Silverlight. Even though Microsoft, according to Goldfarb, has "put a lot of energy" into educating developers on how to avoid writing insecure code, insecure code is still going to be written.
"Developers don't set out to create defects or vulnerabilities, but they happen to even the best of us," Hammond said. "In any event, I'm sure we'll see a quick shakeout period."
Chris Swenson, an analyst with NPD Group Inc., argues that flaws in Silverlight and Flash at least get patched more quickly than flaws in AJAX, which lacks the backing of a single large vendor.
"Microsoft and Adobe will move fast to plug holes," he said. "Compared to AJAX, Silverlight has to be on the secure end of the scale."
When security holes were discovered in Flash last year, Microsoft actually put out patches for Flash at about the same time as Adobe did.
On the other hand, Jeremiah Grossman, CTO of San Jose, Calif.-based White Hat Security Inc., places more faith in the ingenuity of black hat hackers than in Microsoft.
"All these security measures are all well and good," he said, "unfortunately, they're unlikely to be able to protect users against the newer attack techniques."

For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.