
Sun pays for ActiveX attack

JavaOne Sun makes a big splash showing ActiveX security flaws. What it didn't say is that it paid to have the holes exploited.

JavaOne SAN FRANCISCO--At JavaOne this morning, Scott McNealy wanted badly to show that Microsoft's (MSFT) ActiveX is clearly inferior to its chief rival from his own company, Java. So badly that he invited an expert, Fred McLain, to demonstrate how ActiveX controls can be abused.

But the chief executive of Sun Microsystems (SUNW) failed to disclose one thing: McNealy paid McLain to exploit the technology's well-known security flaws.

Taking public shots at one's rivals is hardly new in high technology or any other industry. However, the commissioning of such a demonstration seemed unusual even to those familiar with the bare-knuckled competition that has become a trademark of Silicon Valley.

"I can't think of an instance where a company has hired someone to find bugs in a rival's program," said Karen Coyne, Western regional director of Computer Professionals for Social Responsibility and organizer of an upcoming conference on the ethics of electronic commerce.

Sun's actions might have been out of the ordinary, but Coyne did not find them unethical. "If instead of Sun it were a professor at a university, this would be considered a scientific experiment," she said. "Since it's a rival, we know Sun has a [competitive] reason for doing this, but by networking computers together and passing around information, we've upped the ante of our mistakes."

McLain, the man who created the ActiveX "Internet Exploder" control to highlight the lack of security in Microsoft's Web browser, took the stage during today's JavaOne keynote to demonstrate a new ActiveX control--a small executable piece of software--that once downloaded from the Internet takes over a user's computer.

The control, dubbed "Outer Limits," was created for demonstration purposes only. Running on a Windows 95 machine, it reformatted the system's floppy drive, searched for sensitive financial information, and sent commands to peripherals such as the CD-ROM drive.

Sun had heard about McLain's work and paid him $6,000 to hire subcontractors and finish the control in time for today's demo, according to the company's Java evangelist, Miko Matsumura.

"He'd been working on the 'Runner' control, but I convinced him that he could do better," Matsumura said.

Matsumura is listed as "executive producer" in the credits at the end of the demonstration, which proved at once frightening and funny. Not only does it invade TurboTax and Quicken files to look up a person's net worth, but it also pops open the CD-ROM drive with the message, "Here's your cupholder!"

Sun, which earns license fees from the Java Development Kit, is pushing the programming language as the method of choice for distributing applications and information over the Internet and, therefore, has a large stake in discrediting ActiveX. It was not clear whether Sun's exhibit had done the Internet community a favor or advanced its own corporate interests--or both.

Cornelius Willis, director of platform marketing at Microsoft, said the demonstration was "consistent with their etiquette."

As with the Exploder control, which shuts down any computer that downloads it, McLain has certified Outer Limits so that it passes through Explorer's Authenticode security system. Unlike Exploder, Outer Limits will not be made publicly available.

The control can do damage without subverting ActiveX's Authenticode security system, which alerts the user that a control is about to download, identifies its creator, and asks whether the user wants to refuse it. If the user answers no, the browser downloads the control.

Once downloaded, it runs through a series of processes to demonstrate what ActiveX code can do when downloaded to a hard drive. All of the processes have been publicly demonstrated before--for example, the German Chaos Computer Club showed in February how to transfer money from a PC-based bank account--but the latest McLain control packages them all into one demonstration.

Whereas ActiveX controls can gain access to hard drive resources and overwrite or delete files, Java applets downloaded through a browser are kept within a security "sandbox" that does not allow access to any system resources.

Attention-grabbing as the demonstration was, Sun still wasn't completely satisfied.

"We worked on it until the last minute," Matsumura said. "What we wanted to do, but didn't complete in time, was to open IE, set its security parameters to minimum, then download Exploder, which would kill the machine and end the demo."