Sun CEO Scott McNealy gives his keynote address at the second day of JavaOne.
Photo by Donald R. Winslow, CNET
McNealy is known for publicly slinging stones at Microsoft, but today he bolstered his rhetoric by demonstrating an ActiveX control that allegedly proved his point: the control swiped financial and tax information from a Windows 95 computer.
That set the stage for McNealy to try to prove Java's superiority compared to ActiveX.
First of all, he said, Java gives customers more freedom of choice when it comes to purchasing software. Because Java applications can run on a broad range of operating systems whereas ActiveX is a Windows-only technology, users aren't as dependent on a single vendor's products, namely Microsoft.
"For the first time, the customer is in charge," McNealy said. "That bums some people out in the industry."
McNealy also tried to allay fears that either Microsoft or Sun would "hijack" Java or control its future by keeping tight control over its programming interfaces. Sun argues that Java is now a de facto industry standard driven by market momentum rather than the strategic needs of any one company, including Sun.
"Is somebody going to hijack Java?" he asked. "Can Xerox hijack Ethernet? I don't feel like we can hijack it. Somebody will just engineer us away."
McNealy has hit upon that theme before. But he took the attack to a whole new level with his demonstration of the "Outer Limits" control, a program written specifically to illustrate his criticisms of ActiveX security.
Miko Matsumura, Sun's Java evangelist, demonstrated the control performing a number of malicious attacks on a Windows 95 computer. Outer Limits was created by Fred McLain, a programmer who gained notoriety last year for creating the "Internet Exploder" control. Exploder was programmed to shut down any computer used to download it.
The Outer Limits control is similar to another ActiveX control created by a group of German hackers earlier this year to make unauthorized bank transactions with Intuit's popular Quicken financial software. In addition to scanning for bank files on the PC, the control also retrieved tax data from a tax preparation application.
McLain said he wrote the Exploder and Outer Limits controls to demonstrate what is possible to do with ActiveX. "I wrote Exploder as a dramatic, nondangerous demonstration," he said today.
To security experts and many Internet users, however, McLain's demonstration proved nothing they didn't already know.
Unlike Java applets, ActiveX controls are not protected by something called a "sandbox" that forms a barrier between the applet and the rest of the user's system. An ActiveX control can read and write to the hard disk drive, a function that has many legitimate purposes but can also be used to install viruses or erase files.
Microsoft has established a security system called Authenticode that checks to see whether a control bears a digital signature, so that the author of a malicious control can be tracked down by law enforcement authorities. The signature identifies who published the control; it does not limit what the control can do once it runs. The Outer Limits control did have a digital signature attached to it, so, in theory at least, McLain could be prosecuted for creating the control.
Cornelius Willis, director of platform marketing at Microsoft, said he was not surprised by Sun's demonstration, saying it was "consistent with their etiquette."
But he pointed out that Sun's rhetoric may backfire as Sun begins to open up the Java sandbox. Sun's new Java Development Kit 1.1 allows applets to bypass the sandbox for specific functions. That means that Java users may face some of the same security problems that now plague ActiveX.
"We acknowledge that there is no sandbox around ActiveX," Willis said. "Users have to decide whether they trust someone. Java users are going to be in the exact same position with JDK 1.1. Fred McLain is clearly not an author that anyone can trust."
McLain said that he had not tried to create a malicious control with the new JDK but that he might do so eventually. "If I could do the same thing in Java, I'll do it."