3 SECURITY PROBLEMS OF EXECUTABLE CONTENT TECHNOLOGIES

Each of the technologies described above has security problems, and it is through these problems that attacks carried out by means of executable content become possible. The main problems and their characteristics are explained below.

3.1 Java Language

The Java language was built to try to guarantee, through the SandBox, that a hostile Applet cannot cause any alteration in the environment in which it is executed. To this end, a set of limitations and rules was imposed on its execution: an Applet received over a network, whether an Intranet or the Internet, is not allowed to perform a series of tasks, among which the following can be cited: reading files on the client machine; writing files on the client machine; deleting files on the client machine using the Java language method File.delete(); deleting files on the client machine by invoking operating system commands, such as rm or delete; etc.
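The SandBox rules listed above were enforced by the JVM's SecurityManager: every file operation in the standard library (File.delete() among them) asks the installed manager for permission before touching the file system. The following Java program is an added illustration, not code from the paper or from any Java vendor. It installs a minimal manager that refuses every FilePermission, then shows that File.delete() on a constructed placeholder path ("victim.txt", never touched) is rejected with a SecurityException. It assumes a JDK in which SecurityManager is still available (it is deprecated since Java 17; on Java 18 and later the program must be started with -Djava.security.manager=allow).

```java
import java.io.File;
import java.io.FilePermission;
import java.security.Permission;

// Added example: a minimal SecurityManager that mimics the applet SandBox
// rules described in the text (no read, no write, no delete on the client).
public class SandboxDemo {

    static class AppletLikeSandbox extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // Every file-system request arrives here as a FilePermission
            // whose actions are "read", "write", "delete" or "execute".
            if (perm instanceof FilePermission) {
                throw new SecurityException("SandBox: '" + perm.getActions()
                        + "' on " + perm.getName()
                        + " is not allowed for untrusted code");
            }
            // All other permissions pass in this demo; a real applet policy
            // also restricted network, property and thread access.
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    /** Tries to delete the given path and reports whether the SandBox blocked it. */
    static boolean deleteIsBlocked(String path) {
        try {
            new File(path).delete();   // internally calls checkDelete(path)
            return false;              // no manager installed: deletion attempted
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) {
        // Hypothetical file name; it does not need to exist for the check to fire,
        // because the permission check happens before any file-system access.
        String path = "victim.txt";

        System.setSecurityManager(new AppletLikeSandbox());
        boolean blocked = deleteIsBlocked(path);
        System.out.println("File.delete() blocked by SandBox: " + blocked);
    }
}
```

Compile with javac and run with java SandboxDemo (adding -Djava.security.manager=allow on Java 18+); the output shows the delete request being refused before the file system is consulted. The design point is that the restriction is not in File.delete() itself but in a single choke point, checkPermission, which is why an implementation bug that lets hostile code bypass or replace that check defeats all the rules at once.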

Problems in the implementation of the language, and situations not foreseen when the security procedures of the Java language were designed, have allowed Java Applets to violate the rules imposed by the SandBox. Several attacks using Java Applets have been reported [MCG 96], [CA 96.05], [BIL 97], [LAD 97], [LAD 96a], [LAD 96b], [PRI 96], [DEA 96], [ROJ 96], leading the vendors of the Java language and of the products that support it to release new versions in which the known vulnerabilities were corrected. To remain safe from the security problems already known and reported, it is advisable that the Java tool in use, whether a Browser or a development platform, is always kept up to date with the most recent versions released by the vendors. However, nobody is free from future attacks that have not yet been discovered.

3.2 Javascript

Many of the security problems created by the JavaScript language cannot be exploited directly, that is, they require interaction with the user. Since most users are unaware of the dangers implicit in this type of technology, attacks become easy to carry out, because the users offer all possible help. For example, many attacks require that the user press buttons that appear in dialog boxes in order for the hostile code to be activated. A common trick is to build a dialog box that the user must dismiss by pressing a button, with the message shown on the screen kept as simple as possible, such as "Click OK to continue". The dialog box contains a single button, called "OK". Unsuspecting users press the button and activate the attack. As examples of attacks the following can be cited:
JavaScript can be used to track all the "sites" visited by a user without his knowledge, reporting the information to the attacker [RUB 97];
The user can naively send files by e-mail to the attacker by pressing a confirmation button that appears on the WWW Browser screen [RUB 97];
JavaScript can be used to mount attacks on systems that block the entry of Java Applets. For example, many Firewalls prevent the entry of Java Applets by removing from an HTML document any code found between the corresponding markers (Tags). However, JavaScript can be used to recreate the marker in the source code of the HTML page being received. Another way to carry out the same attack would be to develop an HTML page with the following marker (Tag), using JavaScript code to modify the marker soon after the page is received [RUB 97].

3.3 ActiveX

Executable content developed on the ActiveX platform, when received and accepted for execution by a WWW Browser, has access to any resource of the machine. The definition of use of this technology states that ActiveX executable content should only be accepted if the person who published it on the Internet is certified, thereby guaranteeing its origin. In practice this does not happen, because most WWW Browser users enable the receipt of any content, certified or not. Certifying ActiveX content does not solve the security problem either, since any programmer can buy a certificate (Authenticode) for approximately U$ 20.00 [BRU 97]. "If an ill-intentioned programmer buys a certificate and develops a single ActiveX control that changes the configuration of the Internet Explorer WWW Browser so that any other ActiveX control is accepted, once this Browser had been configured to receive only certified ActiveX controls, it will never be evident where the program that misconfigured the WWW Browser came from. From that moment on, the users of this Browser are vulnerable to any other hostile ActiveX control on the Internet" [GAR 96]. An example of an attack using ActiveX was reported in [BUR 97].

3.4 ShockWave

Since ShockWave animations are executable content received by WWW Browsers for execution, some attacks using this technology have already been reported, as the related examples below show.
