Intuit warns against ActiveX

By Nick Wingfield
February 17, 1997, 4:45 p.m. PT

Intuit (INTU) probably wishes it had never heard of ActiveX.

The company swung into damage control today after reports continued to surface that German hackers used an ActiveX control to make unauthorized bank transfers with Intuit's Quicken financial software. Intuit issued recommendations for a "simple, common-sense approach" to safe Net surfing, going so far as to suggest that fidgety users stop using ActiveX controls entirely.

"Customers who are concerned about the safety of ActiveX controls should consider disabling the ActiveX capability in their browser or using a browser such as Netscape Navigator which does not support ActiveX," Intuit said in a statement.

As previously reported, a German group of hackers known as the Chaos Computer Club created an ActiveX control that is able to snatch money from one bank account and deposit it into another without having to enter the personal identification number. Chaos demonstrated the ActiveX control on German national television in late January.

The U.S. version of Quicken is not susceptible to hacker attacks that involve stealing money from an account and depositing it into an unauthorized one--the attack that the Chaos hackers simulated. U.S. customers can use Quicken only to transfer money between "pre-authorized" accounts, such as a user's checking and savings accounts.

Intuit said today that it will introduce a new German version of Quicken that encrypts the program's data files, a move that will make it less susceptible to hacking.

Nevertheless, the incident underscores something that the creator of ActiveX, Microsoft (MSFT), and most computer security experts have known for some time: ActiveX is not secure.

While Java applets are prevented from performing certain tasks such as erasing files from a user's hard disk, ActiveX controls--small Internet programs that work mainly through the Internet Explorer browser--are able to do virtually anything on a user's computer that a programmer can dream up, including installing a destructive virus.

Instead of the "sandbox" model that cordons off Java applets from other applications, Microsoft has created an "accountability" security system called Authenticode. The system allows software publishers to stamp their controls with a digital signature.

If a control does something bad to a user's computer, the publisher can then be tracked down and prosecuted. In other words, the Authenticode system does not protect against malicious code; it simply makes it easier to find out who wrote it.

But if the programmer wants to hide, Authenticode offers little protection. And it's easy for users to unwittingly accept an unsigned ActiveX control if they get lazy or frustrated by the Authenticode warning window. The Chaos club's ActiveX control, for example, is not signed. Once it is accepted by an Internet Explorer user, the program is free to do its work.

"What this incident tells us is you cannot take candy from strangers," said Cornelius Willis, group product manager at Microsoft. "The thing I'm hoping users get out of this is that they should not be running any executable code that is anonymous."

Intuit today issued their own warning that users should heed their browsers when they warn of ActiveX controls and any other software that is not digitally signed.

"Intuit takes great precautions to help guard the safety of customers' financial information in Quicken," Intuit senior vice president Eric Dunn said in statement. "These measures, together with users' common sense precautions against using unknown ActiveX controls or other downloaded software, provide a high level of security."