ActiveX - Conceptual Failure of Security
The story is short. Mrs. Ehles (full name unknown) from the financial feature "PlusMinus" of the TV station MDR asked us to "steal" money for this TV feature. Using the idea of utilizing ActiveX, the solution was quickly available.

Chronology

27.12.1996
CCC'96 evening... "OK, we'll do it."

08.01.1997
Steffen read the documentation from Microsoft and finished the first applet after 4 hours. Unexpected problems occurred because of a quirk of "SendKeys": it can only send keystrokes to applications that are open on screen. This restricts illegal use.

15.01.1997
The "Deutsche Bank AG" Gera/Leipzig agrees to provide test accounts.

17.01.1997
The headquarters of the "Deutsche Bank AG" in Frankfurt/Main revokes those accounts. They cause a lot of chaos, assuming a major break-in into Microsoft's banking software.

18.01.1997 and 19.01.1997
MDR is filming.

20.01.1997
Microsoft Germany complains because the "Deutsche Bank AG" Frankfurt/Main told them that MS Money was hacked. We: "No, it's ActiveX that remotely controls Quicken." MS: "OK, that's fine."

The iX magazine buys an article without any knowledge of its content.

27.01.1997
Press releases from /EMP, CCC, Heise, MDR, and dpa are published.

MDR Sputnik (radio) makes a live interview.

The Computerbild magazine buys screenshots.

28.01.1997
The TV feature airs. MDR offers an abstract. From now on we receive e-mails and snail mail. The CCC offers a telephone hotline.

29.01.1997
The newspaper "Tagesspiegel" prints an article.

"Der Spiegel" magazine phones for an interview. The iX article is sent to the magazine. Once printed, the article is under the GNU Public License.

31.01.1997
Kristian Köhntopp sends a warning to the NT Security Mailing List.

Press release from Newswire.

01.02.1997
Jürgen Scriba from "Der Spiegel" interviews us and takes photos. A very competent guy.

The Microsoft ActiveX partner pages seem to be lost. We mirrored one.

03.02.1997
Press release from Brokat GmbH, known for selling Java banking systems.

06.02.1997
PC Week publishes an article. We complain about Cornelius Willis' message.

07.02.1997
The "DOS International, das PC Magazin" orders a major article for the next issue. The "Basic Pro" orders another one about 'developers must look ahead', focusing on "What might happen if the customer no longer accepts ActiveX?"

Press release of the Daily Planet, C|NET, and Wired.

08.02.1997
The article in "Der Spiegel" is published.

BBN press release.

09.02.1997
A posting in comp.lang.java.advocacy quotes an article by John Gilles.

10.02.1997
Intuit's official response.

Radio interview at BR2 (Bavarian radio station).

Interviewed by Tim Stammers from the UK 'Computing' magazine.

11.02.1997
DOS article finished, including an interview with Thomas Baumgärtner (Microsoft Germany) and Andy Müller-Maguhn (CCC).

Press releases from TBTF and from NBC News.

12.02.1997
Microsoft Germany phones me. They will not contact the iX magazine for the source code; they expect the iX magazine to contact Microsoft.

Press release from ClariNet/Newsbytes News Network.

13.02.1997
Focus Online interview with Thomas Baumgärtner (Microsoft Germany). In the afternoon an online chat about "How dangerous are ActiveX and Java?" with managers from Microsoft Germany. My own log file is converted to HTML.

Article in The New York Times, Ziff Davis' NEWSwatcher, and Computing magazine.

Symantec press release about a new Norton Anti-ActiveX protection.

16.02.1997
Intuit press release: "Intuit Recommends Internet Users Take Common-Sense Precautions".

Article in The Philadelphia Inquirer.

17.02.1997
A new applet mails the AUTOEXEC.BAT to the owner of the file and records this spying attempt in the Eternity Logfile.

Article from C|Net about Intuit's warning against ActiveX.

18.02.1997
Article in the "New Scientist", story of the week.

Internal warning message of MSN.

19.02.1997
Microsoft starts a large education program.

Articles from C|Net and PC Week about Microsoft's education program.

20.02.1997
The iX article is published, including an interview with Wau Holland. The original may be reused freely under the terms of the GNU Public License.

Robert Seidel made the logo at the top of this page.

Reuters article.

Article from C|Net about other security flaws in Microsoft products.

Microsoft shifts the security risk onto the user.

22.02.1997
Pointer to fun graphics.

23.02.1997
Cyberpunks start linking to the "ActiveX" logo.

A new radioactivex page (CCC).

24.02.1997
Press release by the Japanese "Weekly PC Watch".

Pre-release of a TechNet letter comparing ActiveX, Java, and plug-ins for Microsoft's developers.

26.02.1997
All demonstration controls drop a message to the Eternity Logfile.

28.02.1997
Intuit's press conference in Munich. Special guests: Ralph Macholz (chief product marketing, Microsoft Germany), Andy Müller-Maguhn (CCC), and myself.
  • A press paper makes clear that Intuit was simply involved as a demonstration target.
  • Andy lectured in nearly the same way Ralph was prepared to speak. This seems to have given Ralph his first impression of what is really going wrong.
  • Ralph says that the missing security (missing sandbox) is compensated by verification of authorship. He suggested running Internet Explorer in the sandbox of a guest account under Windows NT. Furthermore, nobody should trust any company or CA in general.
  • During the discussion Ralph offers a larger education program and will try to add a list of untrusted entities to the Explorer.
  • About certificates, Ralph confirms that nobody is able to install certificates without additional information from Microsoft. He promises to help us get this information.

03.03.1997
Article in "Business Online", and in Infoworld.

Short message in France Pratique: "For all those who have heard about the security problems of ActiveX (after the little 'experiment' attempted by the Germans of the CCC), go and see this page, which details the affair in full."

Another bug in Internet Explorer allows anybody to execute any program on the remote machine. This is an implementation bug and is not related to ActiveX or any other conceptual failure. See also this press release by AP.

10.03.1997
The article in "PC-Magazin DOS" is printed. (Original GPLed article.)

13.03.1997
Invited as a special guest to Deutsche Welle TV's "Heat" (English) and "100Grad" (German), in co-production with the regional TV station ORB.

14.03.1997
"100Grad" is broadcast by ORB and Deutsche Welle TV. "Heat" is broadcast by Deutsche Welle TV.

15.03.1997
"Heat" and "100Grad" are broadcast by Deutsche Welle TV.

17.03.1997
Robert Seidel made a new LARGE picture "Not powered by ActiveX".

18.03.1997
"100Grad" is broadcast by ORB.

ActiveX day at the Chaos Computer Club's stand at the CeBIT fair.

10.04.1997
n-tv films at the "EDV-Gerichtstag" in Saarbrücken.

13.04.1997
n-tv special: a good feature about this topic.

08.05.1997
Steven Grey and his technical adviser from the Sunday Times visited us for an interview about the security issues of UK banks' online activities. The Royal Bank of Scotland uses ActiveX to manage banking access.

09.08.1997
Programme slot at HIP'97.

Interview on this topic by Swedish TV.

Screenshots

  1. The Clickbait
  2. The applet is coming up
  3. The results from the Quicken point of view

Demonstration applets

Some demonstration applets leave a greeting message in Notepad or change the security level of MS Internet Explorer. New applets are added as they become working. A discussion of the sources of these applets will be published in "DOS International".
© 1996-2024 Lutz Donnerhacke @ IKS GmbH Jena, 15.Nov.2024