|ActiveX - Conceptional Failture of Security
The story is short. Mrs. Ehles (full name unknown) from the financial
feature "PlusMinus" of the TV station MDR
asked us to "steal" money for this TV feature. Using the idea of utilizing
ActiveX the solution was quickly available.
- CCC'96 evening...
"OK, we'll do it."
read the docu from Microsoft and finished the first Applet
after 4h. Unexpected problems occur due to a malfunction
SendKeys" allowed to send keystrokes only
to applications open at the screen. This prevents illegal
- The "Deutsche Bank AG" Gera/Leipzig acknowledgs test accounts.
- The headquater of the "Deutsche Bank AG" in Frankfurt/Main
revokes those accounts. They generate a lot of chaos
assuming a major break into the banking software of
- 18.01.1997 und 19.01.1997
- MDR is filming.
- Microsoft Germany complains because the "Deutsche Bank AG"
Frankfurt/Main told them, that MS Money was hacked.
We: "No, it's ActiveX that remotly control Quicken."
MS: "Ok, that's fine."
The iX magazine buys an article without any knowledge of
- Press releases from /EMP,
dpa are published.
MDR Sputnik (radio) makes a live interview.
The Computerbild magazine buys screenshots.
- The TV feature. The MDR offers an
From now E-Mails and S-Mails receives us.
The CCC offers a telefon hotline.
- The newspaper "Tagesspiegel" prints an
"Der Spiegel" magazine phones for an interview.
The iX articel is send to the
magazine. After printing, the article is under GNU public
- Kristian Köhntopp
send a warning to the
NT Security Mainling List.
Press release from Newswire.
- Jürgen Scriba from "Der Spiegel" interviews us and
take photos. A very competent guy.
The Microsoft ActiveX partern pages seems to be lost.
We mirrored one.
- Press release from
Brokat GmbH known to sell Java banking systems.
- PC Week publishes an
article. We complain about Cornelius Willis' message.
- The "DOS International, das PC Magazin" orders a
major article for the next issue. The "Basic Pro" orders
an other one about 'developers must look ahead'
focussing at "What might happen, if the customer does
not longer accept ActiveX?"
Press release of the Daily
Planet, C|NET, and
- The article in "Der
Spiegel" is published.
BBN press release.
- A posting
in comp.lang.java.advocacy quotes an article of John
- Intuit's official responce
Radio interview at BR2 (Bavarian radiostation).
Interviewed by Tim Stammers from the UK 'Computing'
- DOS article finished, incl. an interview with Thomas
Baumgärtner (Microsoft Germany) and Andy Müller-Maguhn
Press release from the TBTF,
and from NBC News.
- Microsoft Germany phones me. They do not contact the
iX magazine for the source code. They expect, that the
iX magazine contact Microsoft.
Press release ClariNet/Newsbytes News Network
- Focus Online
interview with Thomas Baumgärtner (Mircosoft Germany).
In the afternoon an Online
Chat about "How dangerous is ActiveX and Java?"
with managers from Microsoft Germany. My own
Article in The New York
Davis' NEWSwatcher, and
Symantec press release
about a new Norton Anti-ActiveX Protection.
- Intuit Press Release
Intuit Recommends Internet Users Take Common-Sense
Article in The Philadelphia Inquirer.
- A new applet mails the AUTOEXEC.BAT to the owner of this
file and stores this spy attempt to the
from C|Net about Intuit's Warning against ActiveX.
the "New Scientist", story of the week.
Internal warning message
- Large Education Program
was started by Microsoft.
from C|Net and PC Week
about Mircosoft's Education Program.
- The iX article is published
with Wau Holland.
The original may be reused freely
under the terms of the GNU Public License.
Robert Seidel made the logo at the top of this page.
from C|Net about other security flaws in Microsoft products.
Microsoft turns the
security risk to the user.
- Hint pointer to fun graphics.
- Cyberpunks start to
link "ActiveX" logo.
A new radioactivex
release by the Japanese "Weekly PC Watch".
Prerelease of a TechNet
letter comparing ActiveX, Java, and Plug-Ins for
- All demonstration controls drop a message to the
- Intuit's press conference in Munich. Special guests:
Ralph Macholz (Chief product marketing Microsoft Germany),
Andy Müller-Maguhn (CCC),
- A press paper clears, that Intuit was simply involved
as a demonstration target.
- Andy lectured nearly in the same way Ralph was
prepared to speak about. This seems to offer Ralph
the first impression what's going really wrong.
- Ralph says, that the missing security (missing sandbox)
is compensated by verification of authorship.
He suggested to run the Internet Explorer in
the sendbox of a guest account using Windows NT.
Furthermore nobody should trust any company or CA
- During discussion Ralph offers a larger education
program and his try to add an list of untrusted
instances to the Explorer.
- About certificats Ralph confirms, that nobody is able
to install certificats without additional
informations from Microsoft. He promises to help us
to get this information.
- Article in "Business
Online", and in Infoworld.
Short message "Pour tous ceux qui ont entendu parler des
problèmes de sécurité d'ActiveX (après la petite
"expérience" tentée par les allemands du CCC), allez voir
cette page qui détaille par le menu l'affaire" in France
An other bug
of the Internet Explorer allows anybody to execute any
program at the remote machine. This is a program bug and
not related to ActiveX or other conceptional failture. See
also this Presse release by AP.
- The article
in "PC-Magazin DOS" is printed.
(Original GPLed article)
- Invited as special guest to Deutsche Welle TV's "Heat"
(English), and "100Grad" (German) in Coproduction with the
regional TV station "ORB".
- "100Grad" is braodcasted by ORB and Deutsche Welle TV.
"Heat" is braodcasted by Deutsche Welle TV.
- "Heat" and "100Grad" are broadcasted by Deutsche Welle TV.
- Robert Seidel made a
LARGE picture "Not powered by ActiveX".
- "100Grad" is braodcasted by ORB.
ActiveX day at Chaos Computer Club's place at CeBit fair.
- n-tv films at the "EDV Gerichtstag" Saarbrücken.
special: Good feature about this topic.
- Steven Grey
and his technical adviser from Sunday Times
visited us to have an interview about the security issues
of the activities of UK Banks. The
Royal Bank of Scottland
uses ActiveX to manage the banking access.
- Programm point at HIP'97.
Interview about this topic by the Swedish TV.
- The Clickbait
- The applet is coming up
- The results from the Quicken point of view
Some demonstration applets
leaving a greeting message in the notpad or changing the security level of
the MS Internet Explorer. New applets are added as working. A discussion of
the sources of these applets will be published in "DOS International".