This invention relates in general to computer networks. In particular, the invention relates to secure ways of distributing software by server computers to client computers over a computer network.
The public data networks, collectively called the Internet and colloquially referred to as the Web, are becoming increasingly popular. Among other things, the Internet provides a communication medium to distribute software products to computers that are located at distant places. The numerous methods by which sellers of computer software programs deliver executable programs automatically to client computers owned or operated by users are described in the parent application, the disclosure of which is hereby incorporated by reference.
To understand the invention, it is helpful to understand the distinctions among the terms content, browser, type-setting program, embedded object and script. These five types of entities are described below in the context of Internet-related software.
Content is the subject matter contained in a web page. Content is distinguished from the other entities described herein in that content is not a program; it is the data that is presented to a user.
A web browser, or simply, a browser, is a computer program that provides access to the vast resources of the Internet. Typically, this is done by providing a “window” to the data located on other computers connected to the Internet. A frame is a part or section of a browser window that contains a distinct display area. If a web page is defined to contain multiple frames, each frame can act as an independent display area, and can download web pages located at different web sites, while displaying them together in one window on a browser. Alternatively, a web page may cause multiple browser windows to be created on the user's computer. A browser can also be described as a “container” of the various components it displays. Thus, while the components are embedded in a browser, the browser envelops the components.
In general, in a window-based computer system, such as the Windows™ 98™ program marketed by the Microsoft Corporation, windows are arranged hierarchically. A browser program that executes on a window-based computer system is also arranged hierarchically. When a browser application is launched on a windows-based computer system, the first window that appears is called the “parent window”, “main window” or “top-level” window. This top-level window can later “spawn” or “fork” other windows, which are called “sub-windows”, that run other applications. A sub-window may be created by executing a script within a browser window, and may be programmed to run another instance of a browser program. In such cases, the sub-window is called an “opener” window. Thus, it may be the case that a first window running a browser program (a top-level window) is programmed to point to a web site, and a sub-window created from the same browser program is programmed to point to a different web site.
A type-setting program is a presentation program, typically written in the Hyper Text Markup Language (HTML). In an HTML-encoded program, content is surrounded by codes that indicate the manner in which the browser presents the content to a user. Additionally, HTML encodes certain devices called “links” that allow a user to “navigate” the web by simply clicking on a sensitive area of the web page.
A document that contains “objects” or “components” like graphics, audio or video files, or charts in addition to text is called an embedded document object. Several competing standards exist in the marketplace for documents that can be transmitted over the Internet and displayed in a browser. For example, two such standards are OpenDoc, promoted by the International Business Machines Corporation, and Object Linking and Embedding (OLE), promoted by the Microsoft Corporation. Typically, these standards provide for an application programming interface (API) that allows an independent software vendor (ISV) to develop applications that deliver components via the Internet. An API generally allows a programmer to interact with an enveloping browser. For example, a programmer may seek to determine the precise configuration of the browser by reading the values of its internal parameters. Alternatively, a programmer may wish to adapt the browser to a desired configuration by appropriately setting the browser's parameters.
Finally, a script is a list of computer-executable instructions, typically written in a human-readable language. Some browsers are configured to execute instructions written in script languages. In such browsers, an analog of a Central Processor Unit (CPU), which is an essential component of all modern computers, is defined within the software contained in the browser. This software-defined CPU executes the scripts within the browser environment. For example, JavaScript™ is a language in which a programmer can code a human-readable set of instructions that can be executed within the browser environment. In this case, the browser is said to be a “container” object that executes the script within its bounds.
Referring now to the parent application, to achieve the objective stated therein, a web browser program running on a client computer must be able to access the inner workings of the client computer. This can be achieved with the help of the OLE document object technology. The OLE technology is a “system-level object architecture that includes services for all-inclusive data access, remote distribution of software components across heterogeneous platforms, robust transaction processing, and large group development.” (“OLE is?”, undated, visited Dec. 12, 1998, <www.microsoft.com/oledev/olemkt/oleent/oleent.btm>). ActiveX™ technology, developed by the Microsoft Corporation, of Redmond, Wash., uses the OLE architecture and provides the building blocks that enable a provider to distribute over a network software executables that can be executed on a client machine. In general, such distribution of software executables is done via a web browser as described in the parent application. Typically, this execution on a client machine is done when a page source is input to it by invoking certain scripts embedded in the web browser. The downloaded software components are called ActiveX™ controls, which are computer-executable pieces of program code. One feature of ActiveX™ controls is that they have no restrictions placed on them once they reach a user's machine. For example, a programmer may write an ActiveX™ control that, upon downloading to a user's computer, can shut down the computer or reformat its hard drive, thereby destroying all data stored on the computer. This creates an easy way for malicious programs such as viruses to reach the client computer and be executed without the user's notice.
To overcome these security problems, the Microsoft Corporation requires all ActiveX™ controls to be verified by a signature initiative called Authenticode. This verification works in the following way. Each ActiveX™ control is given a secure and encrypted digital signature by a trusted corporation. All browsers that allow download and execution of ActiveX™ controls are pre-programmed to verify the digital signature. Every time an ActiveX™ control is about to be downloaded, the browser examines the digital signature associated with the control. If the signature is verified as authentic by the browser, the control is downloaded without any problems. Otherwise, the browser issues a warning message to the user.
As explained in the parent application, the invention described therein uses some of the features of a programming methodology exemplified by ActiveX™ to effect easy and “hands-free” automatic downloading of software executables to a user's computer without any action taken on the part of the user. While the invented method and system help achieve the stated ends, a security threat may be created because of the above-mentioned feature of the ActiveX-like technologies that allows unrestricted access by the embedded code to a user's computer.
Because computers today are interconnected by networks such as the Internet, computer security has become a more important issue than before. Today, computers are more prone to attacks by viruses and Trojan Horses. A virus is a piece of computer code that replicates itself without a user's intervention. Left unchecked, a virus may copy itself stealthily to other computers and corrupt the data stored in storage devices connected to the computers. For example, a virus may rewrite a section of a computer start-up program called the “boot sector”. Every time a computer is started, the virus copies itself into the memory of the computer and waits. Suppose a user wishes to copy some data from the computer to a portable medium such as a floppy disk. The virus that has copied itself to the memory could be programmed to intercept the writing of the data to the disk and copy itself to the disk along with the data. In this manner, the virus has replicated itself to the floppy disk and is now ready to infect other computers where the floppy disk is used.
In contrast to a computer virus, a “Trojan Horse” is a malicious computer program that, like the fabled instrument of war used by ancient Greeks to gain entry into Troy, causes a user to believe that it is a legitimate program and entices the user operating a computer to perform certain actions that lead to compromising the security of the data stored in the computer.
Referring back to the parent application, assume that in accordance with the invention described therein, an Internet Clinical Services Provider (ICSP) downloads a software program called QuickClean™, designed to “clean up” the user's hard drive. In accordance with the above-mentioned ActiveX™ Authenticode initiative, a license file is delivered to the user along with the QuickClean program. This software is designed with embedded methods or sub-routines that, when invoked properly using a script, rid the user computer of unwanted or unused software in an orderly manner. However, since these methods or sub-routines for removing unwanted or unused software are invoked by a script, a malicious user can also invoke the script in such a way as to remove desirable or valuable software, thereby causing severe damage to the user's computer. Moreover, a malicious user may also attempt to secretly transfer the contents of a user's computer by e-mailing these to his own computer. In computer security lingo, such a malicious user or programmer is called a computer “hacker.” The above-mentioned malicious act, called computer “hacking,” can be accomplished in two ways.
In accordance with a first way of hacking, a hacker obtains a legitimate copy of QuickClean™ and its associated license file from the ICSP. The hacker can then create his own web site, host both QuickClean™ and the associated Authenticode license file on his web site, and invite others to use the “free” software. The hacker creates a web page on his web site that contains a malicious script that will use the methods or sub-routines in the QuickClean™ program to erase a user's hard disk. When a user, enticed by the “free” software, downloads the web page from the hacker's web site, the hacker will download the QuickClean™ program to the user's computer and invoke the methods in the program to erase the user's hard disk. Alternatively, suppose a user visits an authorized ICSP web site first and downloads the QuickClean™ program along with the associated Authenticode license file. Later, the user visits the hacker's web site. Since the QuickClean™ program is already stored on the user's computer, the hacker does not need to obtain a legitimate copy to wreak havoc on the user's computer; he need only provide a script that invokes the sub-routines embedded in the QuickClean™ program.
In accordance with a second way of hacking, a hacker may entice an unsuspecting user to visit his web site. The hacker may program his web pages to invoke multiple frames or multiple browser windows. In one frame or browser window, the hacker can cause the user computer to download the QuickClean™ program and the associated license file from the ICSP web site. In a second frame or browser window, the hacker can run his malicious script, thereby causing damage as described above.
There is a need, therefore, for a system and method to prevent a hacker from activating the methods or sub-routines embedded in a computer executable code downloaded to a user computer via the web.
The present invention is a method to verify a downloaded software object so that the software object is executed only if it is downloaded by an authorized entity. Accordingly, the invention comprises a software program that is downloaded to a client computer by a server computer and is programmed to execute on the client computer only if it is enabled to do so. In a preferred embodiment of the invention, a computer-executable program code first determines the URL to which a browser running on the client computer is pointed and enables the downloaded software program only if the URL to which the browser is pointed is an authorized URL.
In another aspect of the invention, the determination of the URL to which the browser is pointed is made by verifying the URL pertaining to the “top-level” window of the browser. In yet another aspect, the determination is made by verifying the URL pertaining to the “opener” window of the browser.
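As an added illustration of the check described above (this is not code from the patent; the authorized host name is a constructed assumption), the following JavaScript shows a downloaded component that enables its privileged routines only when its own page, the top-level window and any opener window all belong to an authorized host, and that fails closed when a window's URL cannot be read:

```javascript
// Added illustration, not the patent's own code. The component refuses to
// enable itself unless every window that can script it (the page itself, the
// top-level window and, if present, the opener) is on an allowlist.
// The host name below is a constructed assumption.
const AUTHORIZED_HOSTS = new Set(["icsp.example.com"]);

// Exact scheme + host match. A substring test would accept a host such as
// "icsp.example.com.attacker.test", so the URL is parsed, not string-searched.
function isAuthorizedUrl(urlString, allowed = AUTHORIZED_HOSTS) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // missing or unparsable URL: fail closed
  }
  if (url.protocol !== "https:") return false;
  return allowed.has(url.hostname); // hostname is already lower-cased by the parser
}

// windows.self and windows.top are always required; windows.opener is null
// when the page was not opened by a script, and any other value must pass too.
function mayEnable(windows, allowed = AUTHORIZED_HOSTS) {
  if (!isAuthorizedUrl(windows.self, allowed)) return false;
  if (!isAuthorizedUrl(windows.top, allowed)) return false;
  if (windows.opener !== null && windows.opener !== undefined) {
    if (!isAuthorizedUrl(windows.opener, allowed)) return false;
  }
  return true;
}

// Collect the three URLs from a live browser window. Reading the location of
// a window on another site throws, which is itself evidence that the page is
// framed or opened by a foreign site; the sentinel string never parses as
// an https URL, so the check above rejects it.
function readWindowUrls(win) {
  const safeHref = (w) => {
    try {
      return w ? w.location.href : null;
    } catch (e) {
      return "cross-origin-window";
    }
  };
  return { self: safeHref(win), top: safeHref(win.top), opener: safeHref(win.opener) };
}
```

The framed-page case corresponds to the second way of hacking described above and the re-hosted control to the first; in both, the top-level URL fails the check even though the control and its license file are genuine.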