The New York Times - Cybertimes article

Hackers Go on TV to Show Perils in ActiveX

By TODD KRIEGER

A group of youthful German hackers rattled the Web publishing industry last week when they took to the airwaves to demonstrate the potential hazards of ActiveX. It was just the latest in a series of dire warnings about security problems involving the technology that Microsoft is determined to push everywhere on the Internet.

In a staged appearance on German national television, members of the Chaos Computer Club of Hamburg demonstrated how an ActiveX control could effectively pilfer funds from one bank account and deposit them in another, with none of the clearances, like a PIN, that are usually required.

While this particular control accomplished these actions by searching a user's hard drive for Quicken, the popular money-management software from Intuit, there is no reason that other such controls might not focus their attention on other financial mechanisms, like stock portfolios, that might be stored on a PC.

This specific demonstration was a purely hypothetical situation, but it added further proof of something that many Internet developers and publishers have been concerned about for some time: the inherent insecurity of ActiveX. For as exciting as the new technology can be, enabling developers and programmers to leverage existing programs on a client's machine, it also opens up a Pandora's box of security issues.

As Karl Jacob, the chief executive and president of Dimension X, a Java-based multimedia tools company in San Francisco, put it, "What you have to wonder is if these guys went on German TV and publicized it, what is somebody else in a garage putting together that could be even worse."

An ActiveX control operates through the Internet Explorer browser, and unlike Java, which is sectioned off in a "sandbox" environment, these controls are free to engage in whatever mischief a programmer's mind can dream up -- be it sequestering funds or tweaking a user's modem to redial and connect to the Internet in a vastly more expensive fashion.

Scott Fraize, director of technology at AlphaBlox, an Internet software developer, said he was wary of the trade-off. "Microsoft, in their rush to the marketplace, is willing to compromise security for performance," he said. "Java was created from the ground up and Microsoft doesn't want to pay that kind of overhead."

Simson Garfinkel, technology columnist for HotWired, has long said there were dangers in Microsoft's Internet plans. "ActiveX controls that are written in machine code are inherently unsafe on operating systems such as Windows 95 and MacOS that do not provide for protection between different tasks and programs," he said in an interview.

And as Mr. Jacob is quick to point out, "You could never do anything like this in Java, because it has no access to files on a machine from an applet." An additional danger is that as ActiveX is so strongly tied to the Windows platform, the large community of developers and programmers already versed in languages like C++ and Visual Basic can also spin out potentially malicious controls.

The response from Microsoft has been subdued, with the emphasis being not so much on the potential hazards of controls, but on the point that the user must be more cautious. Cornelius Willis, group product manager for Internet platforms at Microsoft, said: "All executable content is potentially dangerous. You simply don't download anonymous controls. People need to be very careful about who they let into their house."

In exhorting users to be more careful, Mr. Willis suggests that users whose browsers are set to the "medium" or "high" security setting would be warned that the control they were about to download was potentially dangerous. Mr. Willis also points out that Microsoft, unlike Netscape or Sun, has put in place an accountability system, Authenticode, which provides for tracking of these controls and verification of their credibility. "For example, a certificate would be attached to the Chaos Computer Club control, and if the next time a user were to log on and find money missing, he could track the mechanism back to Hamburg," he said. "The criminal justice system works and recourse is available."

But to many users the notion of regaining stolen funds from a group in Hamburg could seem daunting, to say the least.

This is but one of the hurdles that Microsoft has to face as it continues to push ActiveX.

In addition to the security issues, there is widespread dismay over the platform dependency of ActiveX, as more and more dynamic programs are made available solely through a Windows environment, effectively diminishing the user's option to go with other machines.

Related Sites


The original story
Chaos Computer Club
