Microsoft steps up Web security

Vendor creates educational program, joins industry alliance amid hack attacks

By Bob Trott

Publication Date: March 3, 1997 (Vol. 19, Issue 9)

Nonplussed that its ActiveX technology has been singled out as a security risk, Microsoft is addressing growing concerns about security issues surrounding executable code that is downloaded from the Internet.

The software giant has created a program, the Web Executable Security Adviser, that includes a dedicated Web site, mail lists, educational programs, and other ways to get information on threats such as those posed by anonymously distributed executable code.

But just as Microsoft was stepping up its ActiveX security efforts late last month, another of its 'net products suffered a blow when a security flaw in Internet Information Server 3.0 emerged that could expose passwords and other sensitive data. The bug, which affects any script-mapped files, allows users to view all the contents of an Active Server Page by merely typing a period after the file name in the browser's URL window. With the period at the end, the file name is read to the client by the server and is displayed to the end-user instead of being executed, Microsoft officials conceded.
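A defender reading the paragraph above would want to know whether anyone had asked the server for script source this way. The following is an added example, not code from the article or from Microsoft: it scans web-server access log lines for requests whose path ends in a script-mapped extension followed by a trailing period, percent-decoding first so an encoded period is caught too. The log lines are constructed in Common Log Format (real IIS 3.0 logs used a different layout, so adapt parse_request() to your own format), and the extension list beyond .asp is an assumption.

```python
"""Flag access-log requests that append a trailing period to a
script-mapped file name, the IIS 3.0 source-disclosure behaviour
described in the article.  Added illustration; the sample log lines
are constructed, not taken from a real server.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Extensions handled by a script engine.  ".asp" is the one named in the
# article; the other three are included here as an assumption.
SCRIPT_MAPPED = {".asp", ".asa", ".idc", ".htr"}

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: two requests ask for checkout.asp with a trailing
# period (one of them percent-encoded); the rest are ordinary traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Feb/1997:10:01:12 -0800] "GET /default.asp HTTP/1.0" 200 1843',
    '10.0.0.9 - - [27/Feb/1997:10:01:40 -0800] "GET /orders/checkout.asp. HTTP/1.0" 200 5120',
    '10.0.0.9 - - [27/Feb/1997:10:01:41 -0800] "GET /orders/checkout%2Easp%2E HTTP/1.0" 200 5120',
    '10.0.0.7 - - [27/Feb/1997:10:02:03 -0800] "GET /images/logo.gif HTTP/1.0" 200 922',
    '10.0.0.7 - - [27/Feb/1997:10:02:10 -0800] "GET /readme.txt. HTTP/1.0" 404 0',
]


def parse_request(line):
    """Return the CLF fields of one log line as a dict, or None if it
    does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_trailing_dot_source_request(target):
    """True when the decoded URL path ends in '<name>.<script ext>.'.
    The query string is ignored; extension matching is case-insensitive."""
    path = unquote(urlsplit(target).path)
    if not path.endswith("."):
        return False
    stem = path[:-1]                       # drop the trailing period
    _, ext = posixpath.splitext(stem)      # extension of the real file name
    return ext.lower() in SCRIPT_MAPPED


def find_suspicious(lines):
    """Return (host, target, status) for every matching request.  A 200
    status on such a request means the server handed back the page
    source rather than executing it."""
    hits = []
    for line in lines:
        req = parse_request(line)
        if req and is_trailing_dot_source_request(req["target"]):
            hits.append((req["host"], req["target"], req["status"]))
    return hits


if __name__ == "__main__":
    for host, target, status in find_suspicious(SAMPLE_LOG):
        print(f"{host} requested {target!r} -> HTTP {status}")
```

Run over a real log, the check is most useful when joined with the status column: a 404 on a trailing-dot request shows someone probing, while a 200 shows the server actually served the source and the page's embedded credentials should be treated as exposed.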

"It's always the case with the Internet that there's a heightened need for tight security," said Mike Nash, marketing director for Windows NT Server and infrastructure products.

Concerns about security have grown as users increasingly put more valuable, sensitive information, such as credit card numbers, bank account information, and other financial data, on the 'net. And ActiveX has been the subject of two recent high-profile hacking cases.

Last month, a group of hackers went on national television in Germany and showed how to use an ActiveX control to get financial information stored on a PC by searching the hard drive for Intuit's Quicken money-management software.

And recently a Seattle programmer posted a control called Exploder that shut down Internet Explorer users' PCs when they logged on to the page.

Microsoft officials insist ActiveX is safe because of the Authenticode technology built into Internet Explorer 3.0. Authenticode verifies that downloaded code has not been tampered with and identifies the creator in a digital certificate.

One analyst agreed -- for straightforward GUI-enhancing capabilities.

"There aren't a whole lot of inherent risks in those objects," said Evan Quinn, an analyst with International Data Corp., in Framingham, Mass. But "when building for commerce, the lack of an inherent security model might be problematic. When someone is building something that sophisticated, they should know that and be sophisticated about security, too."

Microsoft also teamed last week with Cisco Systems and other companies, including Hewlett-Packard, Oracle, and VeriSign, in an initiative called the Cisco Enterprise Security Alliance to improve security between clients, servers, and network infrastructure technologies.

Microsoft Corp., in Redmond, Wash., is at (206) 936-8080 and http://www.microsoft.com.

Usefulness vs. security

Although ActiveX controls are inherently less secure than Java applets, Microsoft says the qualities that could make ActiveX a security threat also make the controls flexible enough to perform functions such as remote administration.

                                                                    Java      ActiveX
                                                                    applets   controls
Can write to a computer's hard disk                                 No        Yes
Can call on any server, not just the one where executable resides   No        Yes
Can access wide range of local computer resources                   No        Yes