Actively defending ActiveX

By Nick Wingfield
February 19, 1997, 1 p.m. PT

Microsoft (MSFT) wants to remind users that ActiveX isn't the only tool for writing malicious programs.

Today, the company set up a Web site, the Web Executable Security Advisor, to spread word of the power and pitfalls of other Internet programming technologies, including Java. The company decided to set up the site after a highly publicized incident in which a group of German hackers showed how an ActiveX control could be used to trigger unauthorized bank transactions.

Microsoft officials argue that any executable code, be it a Java applet, a Netscape plug-in, or a macro program, brings security risks. With these technologies, it is technically possible to do "malicious" things like reformatting a user's hard drive or installing a virus on their systems.

However, Microsoft acknowledges that Sun Microsystems has made it much more difficult to perform malicious acts through Java by creating a virtual "sandbox." The sandbox prevents applets from potentially risky maneuvers such as reading or writing files on a hard disk. However, Microsoft said that some Java developers, those at [14]Marimba among them, are beginning to break through the sandbox so that they can store their programs on a user's computer, something that could compromise the security of a PC.

"While the Java sandbox enforces a high degree of security, it does not let users download and run exciting multimedia games or other full-featured programs on their computers," a statement on Microsoft's security site reads. "As a result, users may want to download code that has full access to their computers' resources."

Unlike Java, ActiveX controls--programs that run mainly inside of Microsoft's Internet Explorer browser--are not cordoned off by a sandbox. Instead, Microsoft has created an "accountability" security system called Authenticode that allows software publishers to stamp their controls with a digital signature.

If a control does something bad to a user's computer, the publisher can then be tracked down and prosecuted. In other words, the Authenticode system does not protect against malicious code; it simply makes it easier to find out who wrote it. Microsoft urges users to shy away from publishers that haven't signed their code.

"If people let a stranger in the house and the stranger tied them up and stole their VCR," asked Tod Nielsen, general manager of developer relations at Microsoft, "do they go to the police or move into another house? Executable software holds the potential to do great things, but it also holds the potential to some malicious things."

So far though, most of the "malicious" code written either with Java or ActiveX does not appear to have been created by malicious programmers. Perhaps as a result, many users do seem panicked by the Chaos Computer Club's recent ActiveX demonstration.

"If you are worried about someone putting a malicious program on your machine you better remove your modem, CD-ROM and floppy drive from your machine and let only yourself use your keyboard," wrote one user in Microsoft's microsoft.public.activex.controls.webbrowser newsgroup. "This is the only way of protecting your machine completely."

Still, other users expressed more concern that programs might inadvertently hurt their computers.

"The thing that scares me about [ActiveX] is not malicious people so much as incompetent ones," wrote another user on the same newsgroup. "Look at what [Microsoft] betas can do to an installation, look at the questions of Visual Basic authors on the newsgroups, and imagine those people installing [ActiveX] controls onto your machine."

Microsoft's security Web site also said that it would host a discussion with customers in mid-spring to discuss Internet security.