wants to remind users that ActiveX isn't the only tool for writing malicious programs.
Today, the company set up a Web site, the Web Executable Security
Advisor, to spread word of the power and pitfalls of other Internet programming technologies, including Java. The company decided to set up the site after a highly publicized incident in which a group of German hackers showed how an ActiveX control could be used to trigger unauthorized bank transactions.
Microsoft officials argue that any executable code, be it a Java applet, a Netscape plug-in, or a macro program, brings security risks. With these technologies, it is technically possible to do "malicious" things like
reformatting a user's hard drive or installing a virus on their systems.
However, Microsoft acknowledges that Sun
Microsystems has made it much more difficult to perform malicious acts
through Java by creating a virtual "sandbox." The sandbox prevents applets from
potentially risky maneuvers such as reading or writing files on a hard
disk. However, Microsoft said that some Java developers, those at Marimba among them, are beginning to break through
the sandbox so that they can store their programs on a user's
computer, something that could compromise the security of a PC.
"While the Java sandbox enforces a high degree of security, it does not let
users download and run exciting multimedia games or other full-featured
programs on their computers," a statement on Microsoft's security site
reads. "As a result, users may want to download code that has full access
to their computers' resources."
Unlike Java, ActiveX controls--programs that run mainly inside of
Microsoft's Internet Explorer browser--are not cordoned off by a sandbox.
Instead, Microsoft has created an "accountability" security system called
Authenticode that allows software publishers to stamp their controls with a
If a control does something bad to a user's computer, the publisher can
then be tracked down and prosecuted. In other words, the Authenticode
system does not protect against malicious code; it simply makes it easier
to find out who wrote it. Microsoft urges users to shy away from publishers
that haven't signed their code.
"If people let a stranger in the house and the stranger tied them up and
stole their VCR," asked Tod Nielsen, general manager of developer relations
at Microsoft, "do they go to the police or move into another house?
Executable software holds the potential to do great things, but it also
holds the potential to some malicious things."
So far though, most of the "malicious" code written either with Java or
ActiveX does not appear to have been created by malicious programmers.
Perhaps as a result, many users do seem panicked by the Chaos Computer
Club's recent ActiveX demonstration.
"If you are worried about someone putting a malicious program on your
machine you better remove your modem, CD-ROM and floppy drive from your
machine and let only yourself use your keyboard," wrote one user in
Microsoft's microsoft.public.activex.controls.webbrowser newsgroup. "This
is the only way of protecting your machine completely."
Still, other users expressed more concern that programs might inadvertently
hurt their computers.
"The thing that scares me about [ActiveX] is not malicious people so much
as incompetent ones," wrote another user on the same newsgroup. "Look at
what [Microsoft] betas can do to an installation, look at the questions of
Visual Basic authors on the newsgroups, and imagine those people installing [ ActiveX]
controls onto your machine."
Microsoft's security Web site also said that it would host a discussion
with customers in mid-spring to discuss Internet security.