ActiveX has no built-in restrictions. Code sent over the Internet can do anything that the user can. This makes ActiveX one of the most exciting and powerful development tools available, but with that power comes the potential for serious abuse.

To illustrate this point, Fred McLain of Apropos Inc., created the Internet Exploder. Loading the Exploder webpage on an ActiveX-enabled browser causes your computer to shut down. While, exploder does no real damage, a less benign control could just as easily reformat your hard drive. According to Mr. McLain, pressure from VeriSign has forced him to take Internet Exploder off the Net, but information about it is still available at his home page http://www.halcyon.com/mclain/ActiveX/.

Assuming software authors provide VeriSign with accurate information, Authenticode ensures that ActiveX controls can be traced back to their authors. If signed software damages your system or deletes your data, you'll likely know where to go for recourse. Such accountability will probably deter many virus authors, but accountability is not security.

Authenticode completely sidesteps the real security and privacy issues at stake. Authenticode provides no assurance that a program will not damage your system and provides the user with no information about what the software will actually do. Furthermore, since signed code may be downloaded and executed automatically, there may be no way to even know that an ActiveX control is running on your machine.

ActiveX will allow software companies to check for and delete unregistered copies of their software from your machine or to alter your system registry to cripple software published by their competition. Tax authorities could retrieve your Quicken files and compare them with your tax returns. And with a bit of careful programming, all this could be done without your knowledge.

A well written control would leave no trace of itself, and would have to be "caught in the act" to be traced by it's VeriSign signature. However, even if you are able to track down the person who stole next quarter's business projections, the damage has already been done. In this sense Authenticode provides no security at all. Security is not about catching the thief, but preventing the theft.

Fortunately, it is relatively easy to prevent your browser from downloading and running ActiveX controls. At the moment ActiveX controls can only affect Windows95 and NT users running Internet Explorer 3.0 or later. Users of other browsers and platforms have nothing to worry about.

If you are running Explorer and Windows95 or NT select options, go to the security tab and disable all three references to ActiveX and Active content. Despite Microsoft's implications to the contrary, the "high security" setting alone will not protect you from any of the dangers mentioned in this article. ActiveX itself must be completely disabled.