Actively defending ActiveX
By Nick Wingfield
February 19, 1997, 1 p.m. PT
Microsoft (MSFT) wants to remind users that ActiveX isn't the
only tool for writing malicious programs.
Today, the company set up a Web site, the Web Executable Security
Advisor, to spread word of the power and pitfalls of other Internet
programming technologies, including Java. The company decided to set
up the site after a highly publicized incident in which a group of
German hackers showed how an ActiveX control could be used to trigger
unauthorized bank transactions.
Microsoft officials argue that any executable code, be it a Java
applet, a Netscape plug-in, or a macro program, brings security risks.
With these technologies, it is technically possible to do "malicious"
things like reformatting a user's hard drive or installing a virus on
However, Microsoft acknowledges that Sun Microsystems has made it
much more difficult to perform malicious acts through Java by creating
a virtual "sandbox." The sandbox prevents applets from potentially
risky maneuvers such as reading or writing files on a hard disk.
However, Microsoft said that some Java developers, those at
Marimba among them, are beginning to break through the sandbox so
that they can store their programs on a user's computer, something
that could compromise the security of a PC.
"While the Java sandbox enforces a high degree of security, it does
not let users download and run exciting multimedia games or other
full-featured programs on their computers," a statement on Microsoft's
security site reads. "As a result, users may want to download code
that has full access to their computers' resources."
Unlike Java, ActiveX controls--programs that run mainly inside of
Microsoft's Internet Explorer browser--are not cordoned off by a
sandbox. Instead, Microsoft has created an "accountability" security
system called Authenticode that allows software publishers to stamp
their controls with a digital signature.
If a control does something bad to a user's computer, the publisher
can then be tracked down and prosecuted. In other words, the
Authenticode system does not protect against malicious code; it simply
makes it easier to find out who wrote it. Microsoft urges users to shy
away from publishers that haven't signed their code.
"If people let a stranger in the house and the stranger tied them up
and stole their VCR," asked Tod Nielsen, general manager of developer
relations at Microsoft, "do they go to the police or move into another
house? Executable software holds the potential to do great things, but
it also holds the potential to some malicious things."
So far though, most of the "malicious" code written either with Java
or ActiveX does not appear to have been created by malicious
programmers. Perhaps as a result, many users do seem panicked by the
Chaos Computer Club's recent ActiveX demonstration.
"If you are worried about someone putting a malicious program on your
machine you better remove your modem, CD-ROM and floppy drive from
your machine and let only yourself use your keyboard," wrote one user
in Microsoft's microsoft.public.activex.controls.webbrowser newsgroup.
"This is the only way of protecting your machine completely."
Still, other users expressed more concern that programs might
inadvertently hurt their computers.
"The thing that scares me about [ActiveX] is not malicious people so
much as incompetent ones," wrote another user on the same newsgroup.
"Look at what [Microsoft] betas can do to an installation, look at the
questions of Visual Basic authors on the newsgroups, and imagine those
people installing [ActiveX] controls onto your machine."
Microsoft's security Web site also said that it would host a
discussion with customers in mid-spring to discuss Internet security.