Microsoft's ActiveX is being widely touted as a "Java killer" because it
offers much more functionality than Sun Microsystems' Java. The two
languages, however, are fundamentally different. Java restricts
applications to a set of safe actions. This provides solid security for the
user, but places limits on the usefulness of software written in Java.
ActiveX has no built-in restrictions. Code sent over the Internet can do anything that the user can. This makes ActiveX one of the most exciting and powerful development tools available, but with that power comes the potential for serious abuse.
To illustrate this point, Fred McLain of Apropos Inc. created the Internet Exploder. Loading the Exploder webpage on an ActiveX-enabled browser causes your computer to shut down. While Exploder does no real damage, a less benign control could just as easily reformat your hard drive. According to Mr. McLain, pressure from VeriSign has forced him to take Internet Exploder off the Net, but information about it is still available at his home page, http://www.halcyon.com/mclain/ActiveX/.
So how does Microsoft propose to prevent this sort of abuse? Their answer,
simply put, is "trust us." Microsoft has proposed a code-signing system
called Authenticode which allows developers to embed a digital signature in
their ActiveX programs. This signature is then certified by an authority
such as VeriSign and cannot be altered without detection.
Assuming software authors provide VeriSign with accurate information, Authenticode ensures that ActiveX controls can be traced back to their authors. If signed software damages your system or deletes your data, you'll likely know where to go for recourse. Such accountability will probably deter many virus authors, but accountability is not security.
Authenticode completely sidesteps the real security and privacy issues at stake. Authenticode provides no assurance that a program will not damage your system and provides the user with no information about what the software will actually do. Furthermore, since signed code may be downloaded and executed automatically, there may be no way to even know that an ActiveX control is running on your machine.
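The distinction drawn above, as an added example that is not part of the original article: a signature check answers who published a control and whether it was altered, while a sandbox-style allowlist answers what the code may do. HMAC with a constructed key stands in for the publisher's certified signature (real Authenticode uses certificate-based public-key signatures), and the publisher name, the action names and the JSON "code" format are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed stand-in: one secret per publisher plays the role of the
# certified signing key (assumption; not how Authenticode stores keys).
PUBLISHER_KEYS = {"Example Software Co.": b"constructed-demo-key"}

# Sandbox-style allowlist, in the spirit of the Java model described earlier.
SAFE_ACTIONS = {"draw_ui", "play_sound", "connect_to_origin_host"}


def sign_control(publisher, code):
    """Publisher side: attach an identity and a signature over the code bytes."""
    sig = hmac.new(PUBLISHER_KEYS[publisher], code, hashlib.sha256).hexdigest()
    return {"publisher": publisher, "code": code, "signature": sig}


def verify_signature(control):
    """Answers only: who signed this, and was it altered after signing?"""
    key = PUBLISHER_KEYS.get(control["publisher"])
    if key is None:
        return False
    expected = hmac.new(key, control["code"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, control["signature"])


def sandbox_allows(control):
    """Behaviour check: every action the code requests must be allowlisted."""
    requested = json.loads(control["code"])["actions"]
    return all(action in SAFE_ACTIONS for action in requested)


def evaluate(control):
    return {"signature_valid": verify_signature(control),
            "sandbox_allows": sandbox_allows(control)}


# Constructed controls: the "code" is a JSON list of actions it will perform.
benign = sign_control("Example Software Co.", b'{"actions": ["draw_ui"]}')
harmful = sign_control("Example Software Co.",
                       b'{"actions": ["draw_ui", "shut_down_machine"]}')
tampered = dict(benign, code=b'{"actions": ["read_user_files"]}')

if __name__ == "__main__":
    for name, ctl in [("benign", benign), ("harmful", harmful),
                      ("tampered", tampered)]:
        print(name, evaluate(ctl))
```

The harmful control passes the signature check exactly as the benign one does; only the behaviour check tells them apart, and the signature fails only when the bytes change after signing.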
ActiveX will allow software companies to check for and delete unregistered copies of their software from your machine or to alter your system registry to cripple software published by their competition. Tax authorities could retrieve your Quicken files and compare them with your tax returns. And with a bit of careful programming, all this could be done without your knowledge.
A well-written control would leave no trace of itself, and would have to be "caught in the act" to be traced by its VeriSign signature. However, even if you are able to track down the person who stole next quarter's business projections, the damage has already been done. In this sense, Authenticode provides no security at all. Security is not about catching the thief, but preventing the theft.
It is important to keep in mind that the security holes in ActiveX are not
the result of bugs or mistakes in the implementation. ActiveX is designed
to work in exactly this manner. In fact, it looks as if things will get
worse before they get better. While Microsoft is not directly addressing
these security concerns, it has committed to extending the functionality of
ActiveX. Office97, for example, provides much greater ActiveX
compatibility, and Internet Explorer will be merged with the Windows
Explorer in Windows97 to form a single ActiveX control.
Fortunately, it is relatively easy to prevent your browser from downloading and running ActiveX controls. At the moment ActiveX controls can only affect Windows95 and NT users running Internet Explorer 3.0 or later. Users of other browsers and platforms have nothing to worry about.
If you are running Explorer and Windows95 or NT, select options, go to the security tab and disable all three references to ActiveX and Active content. Despite Microsoft's implications to the contrary, the "high security" setting alone will not protect you from any of the dangers mentioned in this article. ActiveX itself must be completely disabled.