
Microsoft security flaws run deep

When it comes to Internet security, Microsoft is caught between a rock and a hard place.


In a little more than a year, the software giant has succeeded in becoming an Internet leader, rapidly embracing the Internet with several of its existing desktop technologies, including the Windows 95 and NT operating systems and its component object model (COM).

But a growing number of security experts are questioning whether such a radical makeover of its technologies--technologies that were not originally designed to work on the Internet--has forced the company to compromise the security of its products. In fact, they say, Microsoft's desktop legacy might bring with it certain liabilities.

The questions stem from a recent spate of security incidents involving the company's Internet Explorer Web browser and ActiveX. Although the incidents centered around different features of the browser, they can all be traced to fundamental Windows technologies created before Microsoft moved to adapt to the Internet.

One of those technologies, ActiveX, is increasingly coming under fire for its security problems. ActiveX is a component architecture that allows miniature programs written in programming languages such as C and C++ to run inside of ActiveX "containers" such as Explorer 3.0. The technology was created last year using the underpinnings of a five-year-old object technology, COM.

While Java programs are blocked off from the rest of the desktop by a security "sandbox," ActiveX controls are free to roam a user's computer, erasing files or installing viruses if they please. (ActiveX controls can also be written in Java, but then they sacrifice Java's security features.)

Instead of a sandbox, Explorer relies for security on what Microsoft calls an Authenticode system. Authenticode checks to see whether ActiveX controls have been digitally signed by a "trusted" publisher and issues warnings to users each time the browser encounters an unrecognized piece of code. If the user ignores the warning, all bets are off.

"It is analogous to saying that license plates prevent accidents or malicious damage," said Eric Brewer, a computer science professor at U.C. Berkeley. "Just as you can find your car dented in the parking lot, you may find your machine or privacy damaged after the fact without being able to tie it to a particular control, certified or not."

Microsoft tenaciously defends its trust-based security model. But executives do admit that it's not technically possible for them to put a sandbox around native C and C++ ActiveX controls.

"The sandbox and native [code] are [antithetical]," said Cornelius Willis, director of platform marketing at Microsoft. "If you put a sandbox around them, you would eliminate the reasons why people want to use them."

Those reasons, Willis argues, involve giving developers access to a greater range of capabilities on users' PCs than is possible with Java. But analysts say the security risk of this approach may outweigh the benefits of richer, more powerful ActiveX programs. Furthermore, because Microsoft has revamped its older COM technology to work over the Internet, analysts say the company is caught in a bind.

"It is, in fact, the flip side of the maturity of ActiveX that is giving Microsoft this exposure," said Stan Dolberg, director of software services for Forrester Research.

One developer who worked on the original Java team at Sun echoed those sentiments, arguing that the richness of ActiveX programs is not worth the security risks.

"Microsoft has an enormous amount of legacy code," said Arthur Van Hoff, chief technology officer at Marimba and one of the original Java developers at Sun. "How are you going to fit security onto that? Realistically, there's no way to do that. Java is really the right way to do security.

"Java is a much harder sell [than ActiveX]," he added. "It makes huge assumptions that people are willing to throw out existing code. But if you do that, you have a secure system."

Microsoft is scrambling to fill the security holes as they materialize.

But ActiveX is not the only security headache Microsoft is suffering. There are also problems with its Internet Explorer browser.

Earlier this week, the company worked around the clock to fix a hole related to ".url" and ".lnk" files, commonly known as Windows 95 and NT Shortcuts. A group of students found that by planting Shortcuts on a Web site they could trigger resident Windows 95 and NT programs to delete and manipulate files on a user's computer. Users who receive Shortcuts through email and newsgroups face the same risks.

Users of Netscape Communications' Navigator were not affected by the glitch. But analysts speculate that Microsoft could not have foreseen the potential security risks of using Shortcuts in the Internet space.

"There's a naïveté in the whole story about how the desktop and the Internet can be seamlessly linked," Dolberg said.

Microsoft executives said they would consider eliminating support for Shortcuts in Explorer if enough users requested it. But today, another group of students claim to have discovered an unrelated security hole that could also allow hackers to access files on users' computers.

The company could run into new security problems when it releases Internet Explorer 4.0 later this year, which will be even more thoroughly integrated with its operating systems.

"I would say that you have to seriously question the integrity of Internet Explorer at this point because this was such a big hole," said Stephen Cobb, director of special projects at the National Computer Security Association. "Microsoft's statement that they do a lot of testing is worrying, because if they did a lot of testing and didn't find this problem, their testing is very flawed."

Microsoft says that its technologies have been singled out for criticism, while the security risks of other executable code, including plug-ins that work with Navigator and Java applets, have been ignored.

"This is the big delusion that is so pervasive," said Willis. "You can single out this [ActiveX] component architecture, but none of this stuff is safe."

Some analysts believe that more bugs are appearing in Microsoft's Internet technology simply because more people are scrutinizing it than any other company's products.

"They are held to a higher standard than the other guys," said Rob Enderle, a senior industry analyst at Giga Information Group. "It's not a case of them being less competent. It's that they are expected to be more competent because they have so much stuff out there."

To be sure, Java does not provide complete protection against hacker attacks.

Furthermore, some analysts say Java security is beginning to resemble that of ActiveX more and more. In the latest release of the Java Development Kit, developers can allow their applets to go outside the sandbox to perform certain tasks like reading or writing files to a hard disk. However, Java supporters say the technology will still provide tighter protections than ActiveX by limiting what an applet can do.

"The issue is whether you give them carte blanche access or you give developers constrained access," said Jeff Treuhaft, director of security platform and tools at Netscape.
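The two models the article contrasts, the Authenticode-style check described earlier (verify who signed the control, then let it run freely) and the constrained-access sandbox Netscape's Treuhaft describes, as an added illustration in Python; this is not code from Microsoft, Sun or the article, and the trust store, publisher name, in-memory disk and HMAC-based "signature" are constructed stand-ins for a publisher certificate and a real code signature.

```python
import hashlib
import hmac

# Constructed trust store: publisher -> signing key (stand-in for an Authenticode publisher certificate).
TRUSTED_PUBLISHERS = {"acme-corp": b"acme-signing-key-constructed"}


class InMemoryFS:
    """Constructed stand-in for the user's disk."""
    def __init__(self, files):
        self.files = dict(files)

    def delete(self, path):
        del self.files[path]


class Sandbox:
    """Capability-constrained view of the disk: deletes are refused unless explicitly granted."""
    def __init__(self, fs, may_delete=()):
        self.fs, self.may_delete = fs, set(may_delete)

    def delete(self, path):
        if path not in self.may_delete:
            raise PermissionError(f"sandbox: delete of {path} not permitted")
        self.fs.delete(path)


def control(fs):
    """A mobile-code control; its only behaviour is what it does to the disk it is handed."""
    fs.delete("secret.txt")


def sign(ctrl, publisher, key):
    """HMAC over the control's bytecode, tagged with the publisher (model of a code signature)."""
    digest = hashlib.sha256(ctrl.__code__.co_code).digest()
    return {"publisher": publisher, "mac": hmac.new(key, digest, "sha256").hexdigest()}


def authenticode_style_run(ctrl, sig, fs):
    """Trust-based model: verify who signed, then run with full access to the disk."""
    key = TRUSTED_PUBLISHERS.get(sig["publisher"])
    if key is None:
        return "warning: unrecognized publisher"   # the user is asked; accepting means all bets are off
    if not hmac.compare_digest(sign(ctrl, sig["publisher"], key)["mac"], sig["mac"]):
        return "rejected: signature does not match code"
    ctrl(fs)                                        # identity verified, behaviour unconstrained
    return "ran with full access"


def sandbox_run(ctrl, fs, may_delete=()):
    """Sandbox model: identity is irrelevant; the control gets only the capabilities granted."""
    try:
        ctrl(Sandbox(fs, may_delete))
        return "ran within grants"
    except PermissionError:
        return "blocked by sandbox"
```

The signed control passes the identity check and deletes the file anyway, which is Brewer's "license plate" point; the same control under the sandbox is stopped unless the delete capability is granted, which is the constrained-access model Java supporters describe.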

The debate over Internet security risks will certainly rage on as long as the network is around. Fortunately, the majority of security holes have been discovered by hackers more intent on exposing the holes than maliciously exploiting them.

There are, of course, exceptions. Earlier this year, several adult Web sites tricked thousands of users into downloading a special program that surreptitiously made expensive long distance calls to Moldova. The program worked with any Web browser.

Security experts are critical of vendors who downplay security breaches because they haven't been widely abused by unscrupulous hackers. Even if no one's computer is actually hurt by a security hole, companies have to spend time and money to patch up their systems, said Cobb of NCSA, referring to Microsoft's actions following the IE Shortcuts glitch.

"It's difficult [for Microsoft] to weasel its way out with the 'it does no damage' excuse, because systems administrators are already looking at a big cost hit," he said.