ActiveX used as hacking tool
By Nick Wingfield
February 7, 1997, 5:15 p.m. PT
The Chaos Computer Club, a band of hackers
from Hamburg, showed the real power of ActiveX last week.
On German national television, they showed off an ActiveX control that is
able to snatch money from one bank account and deposit it into another, all
without the customary personal identification number (PIN) that is meant to
protect against theft.
Once it is downloaded from a Web site, the control scans a user's computer
for Intuit's (INTU) popular Quicken finance software. The ActiveX control
then tricks Quicken into transferring funds from one bank account to another
the next time a user logs on to a banking service.
The incident underscores something that Microsoft (MSFT), the creator of
ActiveX, and most computer security experts have known for some time: ActiveX
controls are not secure. While Java applets are prevented from performing
certain tasks such as erasing files from a user's hard disk, ActiveX
controls--small Internet programs that work mainly through the Internet
Explorer browser--are able to do virtually anything on a user's computer that
a programmer can dream up, including installing a destructive virus.
Instead of the "sandbox" model that cordons off Java applets, Microsoft has
created an "accountability" system, called Authenticode, which allows
software publishers to stamp their controls with a digital signature. If a
control does something bad to a user's computer, the publisher can be
tracked down and prosecuted. In other words, the Authenticode system does
not protect against malicious code; it simply makes it easier to find out
who wrote it.
But it's easy for users to unwittingly accept an unsigned ActiveX control if
they get lazy or frustrated by the Authenticode warning window. The Chaos
club's ActiveX control, for example, is not signed. Once it is accepted by
an Internet Explorer user, the program is free to do its work.
Microsoft officials said today that they are working to inform users more
about the capabilities, good and bad, of ActiveX. Within the next two weeks,
the company will kick off an educational campaign that focuses on security
issues.
"What this incident tells us is you cannot take candy from strangers," said
Cornelius Willis, group product manager at Microsoft. "The thing I'm hoping
users get out of this is that they should not be running any executable code
that is anonymous."
To be sure, security risks are involved in using any program, even if it
comes off a retail store shelf. But security experts said today that the
combination of the Internet and sensitive applications such as online
banking can lead to a greater risk of security breaches.
"We're deploying stuff which has, on the one hand, tremendous positive
potential and, on the other, huge potential for malicious exploitation,"
said Stephen Cobb, director of special projects at the National Computer
Security Association consultancy. "All computer technology has been like that
to some extent. But what is different in this context is there is this huge
push to deploy online banking and commerce."