ActiveX used as hacking tool
By Nick Wingfield
February 7, 1997, 5:15 p.m. PT
The Chaos Computer Club, a band of hackers
from Hamburg, showed the real power of ActiveX last week.
On German national television, they showed off an ActiveX control that is
able to snatch money from one bank account and deposit it into another, all
without the customary personal identification number (PIN) that is meant to
Once it is downloaded from a Web site, the control scans a user's computer
popular Quicken finance software. The ActiveX control then tricks Quicken
into transferring funds from one bank account to another the next time a
user logs on to a banking service.
The incident underscores something that Microsoft
the creator of ActiveX, and most computer security experts have known for
some time: Its programs are not secure. While Java applets are prevented
from performing certain tasks such as erasing files from a user's hard disk,
ActiveX controls--small Internet programs that work mainly through the
Internet Explorer browser--are able to do virtually anything on a user's
computer that a programmer can dream up, including installing a destructive
Instead of the "sandbox" model that cordons off Java applets, Microsoft has
created an "accountability" system, called Authenticode, which allows
software publishers to stamp their controls with a digital signature. If a
control does something bad to a user's computer, the publisher can be
tracked down and prosecuted. In other words, the Authenticode system does
not protect against malicious code; it simply makes it easier to find out
who wrote it.
But it's easy for users to unwittingly accept an unsigned ActiveX control if
they get lazy or frustrated by the Authenticode warning window. The Chaos
club's ActiveX control, for example, is not signed. Once it is accepted by
an Internet Explorer user, the program is free to do its work.
Microsoft officials said today that they are working to inform users more
about the capabilities, good and bad, of ActiveX. Within the next two weeks,
the company will kick off an educational campaign that focuses on security
"What this incident tell us is you cannot take candy from strangers," said
Cornelius Willis, group product manager at Microsoft. "The thing I'm hoping
users get out of this is that they should not be running any executable code
that is anonymous."
To be sure, security risks are involved in using any program, even if it
comes off a retail store shelf. But security experts said today that the
combination of the Internet and sensitive applications such as online
banking can lead to a greater risk of security breaches.
"We're deploying stuff which has, on the one hand, tremendous positive
potential and, on the other, huge potential for malicious exploitation,"
said Stephen Cobb, director of special projects at
National Computer Security Association
consultancy. "All computer technology has been like that to some extent. But
what is different in this context is there is this huge push to deploy
online banking and commerce."