ActiveX - Conceptual Failure of Security
The story is short. Mrs. Ehles (full name unknown) from the financial feature "PlusMinus" of the TV station MDR asked us to "steal" money for this TV feature. Using the idea of utilizing ActiveX, the solution was quickly available.


CCC'96 evening... "OK, we'll do it."

Steffen read the documentation from Microsoft and finished the first applet after 4 hours. Unexpected problems occurred due to a malfunction of "SendKeys", which allowed keystrokes to be sent only to applications open on the screen. This prevents illegal use.

The "Deutsche Bank AG" Gera/Leipzig acknowledges test accounts.

The headquarters of the "Deutsche Bank AG" in Frankfurt/Main revokes those accounts. They generate a lot of chaos, assuming a major break-in into the banking software of Microsoft.

18.01.1997 and 19.01.1997
MDR is filming.

Microsoft Germany complains because the "Deutsche Bank AG" Frankfurt/Main told them that MS Money was hacked. We: "No, it's ActiveX that remotely controls Quicken." MS: "OK, that's fine."

The iX magazine buys an article without any knowledge of the content.

Press releases from /EMP, CCC, Heise, MDR, and dpa are published.

MDR Sputnik (radio) does a live interview.

The Computerbild magazine buys screenshots.

The TV feature airs. The MDR offers an abstract. From now on, e-mails and snail mail reach us. The CCC offers a telephone hotline.

The newspaper "Tagesspiegel" prints an article.

"Der Spiegel" magazine phones for an interview. The iX article is sent to the magazine. After printing, the article is placed under the GNU Public License.

Kristian Köhntopp sends a warning to the NT Security Mailing List.

Press release from Newswire.

Jürgen Scriba from "Der Spiegel" interviews us and takes photos. A very competent guy.

The Microsoft ActiveX partner pages seem to be lost. We mirrored one.

Press release from Brokat GmbH, known to sell Java banking systems.

PC Week publishes an article. We complain about Cornelius Willis' message.

The "DOS International, das PC Magazin" orders a major article for the next issue. The "Basic Pro" orders another one about 'developers must look ahead', focusing on "What might happen if the customer no longer accepts ActiveX?"

Press releases from the Daily Planet, C|NET, and Wired.

The article in "Der Spiegel" is published.

BBN press release.

A posting in quotes an article by John Gilles.

Intuit's official response.

Radio interview at BR2 (Bavarian radio station).

Interviewed by Tim Stammers from the UK 'Computing' magazine.

DOS article finished, including an interview with Thomas Baumgärtner (Microsoft Germany) and Andy Müller-Maguhn (CCC).

Press release from the TBTF, and from NBC News.

Microsoft Germany phones me. They do not contact the iX magazine for the source code. They expect that the iX magazine contacts Microsoft.

Press release from ClariNet/Newsbytes News Network.

Focus Online interview with Thomas Baumgärtner (Microsoft Germany). In the afternoon, an online chat about "How dangerous are ActiveX and Java?" with managers from Microsoft Germany. My own logfile is HTMLized.

Article in The New York Times, Ziff Davis' NEWSwatcher, and Computing magazine.

Symantec press release about a new Norton Anti-ActiveX Protection.

Intuit press release: "Intuit Recommends Internet Users Take Common-Sense Precautions".

Article in The Philadelphia Inquirer.

A new applet mails the AUTOEXEC.BAT to the owner of this file and stores this spy attempt in the Eternity Logfile.

Article from C|Net about Intuit's Warning against ActiveX.

Article in the "New Scientist", story of the week.

Internal warning message of MSN.

A large education program was started by Microsoft.

Article from C|Net and PC Week about Microsoft's education program.

The iX article is published including an interview with Wau Holland. The original may be reused freely under the terms of the GNU Public License.

Robert Seidel made the logo at the top of this page.

Reuters article.

Article from C|Net about other security flaws in Microsoft products.

Microsoft passes the security risk on to the user.

Hint: pointer to fun graphics.

Cyberpunks start to link the "ActiveX" logo.

A new radioactivex page (CCC).

Press release by the Japanese "Weekly PC Watch".

Prerelease of a TechNet letter comparing ActiveX, Java, and plug-ins for Microsoft's developers.

All demonstration controls drop a message to the Eternity Logfile.

Intuit's press conference in Munich. Special guests: Ralph Macholz (Chief product marketing Microsoft Germany), Andy Müller-Maguhn (CCC), and myself.
  • A press paper clarifies that Intuit was simply involved as a demonstration target.
  • Andy lectured in nearly the same way Ralph was prepared to speak. This seems to have given Ralph the first impression of what is really going wrong.
  • Ralph says that the missing security (missing sandbox) is compensated by verification of authorship. He suggested running the Internet Explorer in the sandbox of a guest account under Windows NT. Furthermore, nobody should trust any company or CA in general.
  • During the discussion, Ralph offers a larger education program and his attempt to add a list of untrusted instances to the Explorer.
  • About certificates, Ralph confirms that nobody is able to install certificates without additional information from Microsoft. He promises to help us get this information.

Article in "Business Online", and in Infoworld.

Short message "For all those who have heard about the ActiveX security problems (after the little "experiment" attempted by the Germans of the CCC), go and see this page, which details the whole affair" in France Pratique.

Another bug in the Internet Explorer allows anybody to execute any program on the remote machine. This is a program bug and not related to ActiveX or another conceptual failure. See also this press release by AP.

The article in "PC-Magazin DOS" is printed. (Original GPLed article)

Invited as special guest to Deutsche Welle TV's "Heat" (English) and "100Grad" (German), in coproduction with the regional TV station "ORB".

"100Grad" is broadcast by ORB and Deutsche Welle TV. "Heat" is broadcast by Deutsche Welle TV.

"Heat" and "100Grad" are broadcast by Deutsche Welle TV.

Robert Seidel made a new LARGE picture "Not powered by ActiveX".

"100Grad" is broadcast by ORB.

ActiveX day at the Chaos Computer Club's place at the CeBIT fair.

n-tv films at the "EDV Gerichtstag" Saarbrücken.

n-tv special: Good feature about this topic.

Steven Grey and his technical adviser from the Sunday Times visited us for an interview about the security issues of the activities of UK banks. The Royal Bank of Scotland uses ActiveX to manage banking access.

Program item at HIP'97.

Interview about this topic by Swedish TV.


  1. The Clickbait
  2. The applet is coming up
  3. The results from the Quicken point of view

Demonstration applets

Some demonstration applets leave a greeting message in Notepad or change the security level of the MS Internet Explorer. New applets are added as they work. A discussion of the sources of these applets will be published in "DOS International".
© 1996-2024 Lutz Donnerhacke @ IKS GmbH Jena