Tangled Webs

   The RadioActive-X Awards
   Where do You Want to Glow Today?

Issue 2.15
Dec 12, 1997

In the first Tangled Webs of 1997, I discussed the severe security risks inherent in Active-X technology, and advised that Active-X controls be filtered out at the firewall, or at least disabled in the browser. That advice still holds.

Back in January, little concrete damage had been done by Active-X controls, but working with the technology convinced me it was a bomb waiting to go off. However, many quite understandably wanted to wait and see or assumed that Microsoft would resolve any security problems.

Over the past year, Microsoft has done little to resolve the security issues. Loading an Active-X control still gives full control of your computer to the site you are browsing. Microsoft did, however, launch an aggressive advertising campaign, and both Microsoft and various programming journals have given out awards to those who have developed useful and Interesting Active-X controls.

Sadly, no one has recognized the enterprising souls who fulfilled my predictions by creating malicious and destructive Active-X controls. And so, I feel obliged to create the RadioActive-X Awards to be given to the creators of those Active-X controls which have done the most to demonstrate the lack of security inherent in the technology. The envelopes please...

The Pioneer Award

Fred McLain's Internet Exploder was instrumental in demonstrating security holes in Active-X back in the early days (1996). A visitor to a website containing Internet Exploder would have their computer safely shut down unless they pressed the cancel button.

At the time, Netscape was giving cash awards to those who found security holes in Navigator, but Microsoft had a slightly different policy. Neither Microsoft nor VeriSign was thrilled by the demonstration, and Mr. McLain had his VeriSign developer's certificate revoked. He explains that pressure from the companies and fear of legal action forced him to remove the control from his website.

Junior Entrepreneurs Award

The Chaos Computer Club, a group of German Hackers developed an Active-X control with Quicken users in mind. A visit to their site could automatically transfer money from your bank account into theirs. This control was demonstrated on German national television, but like Internet Exploder, this Active-X control was for demonstration purposes only. No funds were actually stolen.

Quicken responded by announcing that it would be moving to an encrypted encrypted file format to make such hacking more difficult. They also advised Quicken users to disable Active-X if they used Internet Explorer.

The Runner Up

Proving that you can't keep a good programmer down, Fred McLain produced an Active-X control called The Outer Limits, which was demonstrated to an appreciate audience at Sun's JavaOne conference earlier this year.

This Active-X control begins by playing what looks like an innocent multimedia presentation. It then grabs control of the keyboard, and begins examining Quicken files for bank information and tax records. For a finale, it reformats the drive and pops out the CD-ROM drive with the message "Here's your cupholder!."

The Outer Limits scored highest in the wanton destruction category, but lost points because it was only run once, and only in front of people already well aware of the dangers of Active-X.

The Grand Prize Winner

Competition was tough this year, but David7 written by Beylen Telecom of the Cayman Islands stood far above crowd both in terms of overall impact and utter audacity. Unfortunately, Beylen Telecom is tied up in litigation and is thus unable to appear today to accept their award.

David7 was deployed as an image viewer at a number of pornography sites. Visitors had to download the control to see the porn. Once downloaded, however, David7 silently disconnected the user from their ISP, turned off their modem volume, and made an international call to Moldova, which was then routed back to a server in Texas. The porn sites then received a percentage of the over $2 per minute in long distance charges the visitors ran up.

The genius of this little Active-X control was that users remained connected to Moldova even if they left the porn sites or shut down their browsers. Only turning off the modem or restarting the computer would sever the connection.

Over 38,000 unwitting US consumers racked up more than $2.74 million in international long distance charges. Fortunately, the FTC negotiated a settlement, and refunds will be forthcoming.


Microsoft's response to these security problems has consistently been "users should not be running Active-X controls from untrusted sources." While blaming the victim is expedient and seems to play well in the mainstream press, it is not going over well on the Internet.

The Internet is a popular medium its strength and attraction is that any voice can be heard, but no one can force another to listen. It is a medium that is not and should not be controlled by anyone. It is the height of absurdity for Microsoft to suggest that it is somehow irresponsible to view content not created by well-known companies. Discovering a new site should bring feelings of anticipation, not fear.

Active-X controls are not nearly as common as Java on the Internet, but Microsoft is making sure the technology stays around. In Windows98, for example, upgrades are achieved via Active-X. Users will connect to Microsoft's site, where an Active-X control gives Microsoft full and unrestricted access to the users' computers. Microsoft will then make whatever changes it feels should be made to the visitor's computer.

I think we have a front runner for next year's awards.

[ Home Page] [ Back to Index ] [ Previous Issue ] [ Next Issue ]

© Copyright 1998, Tim Romero, t3@vanguardjp.com
Tangled Webs may be distributed freely provided this copyright notice is included.
The Tangled Webs Archive is located at http://www.dotco.com/t3/tangledwebs/index.shtml