Chaos Computer Club 28.01.1997
Glass fiber all the way into your wallet
Tonight the ARD-Magazin [a German TV news show] will carry a report on a
weakness in the "Microsoft Internet Explorer", which is
based on the multimedia technology "Active-X" that Microsoft promotes
with its internet browser.
Concretely, this browser with "Active-X" allows the user's own computer to be
remotely controlled without this being revealed to the user. Active-X means
that the unaware user downloads programs which can then be activated on his computer.
Hackers from the circle of the Chaos Computer Club demonstrate, in an
example on the TV show, an "account robbery". This becomes possible through the
combination of MS Internet Explorer, Active-X and homebanking software [such
as Quicken]. While the user believes he is just viewing a harmless web page, a
set of instructions is added to his homebanking software. The next time he
connects to his bank, the user is prompted for an access code, without it being
revealed what that transaction is going to be used for.
Several weeks ago already, during the Chaos Communication Congress, the
possible dangers of Active-X were discussed. Within several days of the
release of Active-X by Microsoft, web pages were online that caused a
remotely induced system crash when Active-X was activated on the network
user's computer. What Microsoft calls "security measures" are, as
such examples show, easily worked around.
As things currently stand, the only recommendation is to abstain from using
MS Internet Explorer with Active-X. The user [that is the claim of the CCC] must
at least be prompted for agreement before other sites may gain
remote control over his computer. Manipulation of files, as
demonstrated in the case of Active-X, must not be possible.