
Re: ActiveX



Hi all,
        Thanks Thanh-Tung for an interesting article.
        There are many other factors that the author fails to mention.
Although the article is well written, it contains much misleading
information. I would like to quickly clarify some points. If you
need more information please ask.
First of all, Active X should be compared to Java Beans, not Java.
Both Java Beans and Active X are component-based technologies and
are distinctly different from each other. The underlying basis
for Java Beans is the Java language and environment. With
this come platform independence (bytecode) and inherent language
security, and many other goodies that come from the Java language.
Whereas Active X is the make-over of the old OLE technology that
was designed for the stand-alone desktop without preconceived
security.

The Java Beans and Active X approaches will not be merged together as
the author claims. Simply because architecturally they are very
different. One is binary code, that is HW dependent, and the
other is byte code (Java), that is HW independent. For Active X
to be cross-platform, an Active X component (which is binary)
has to be ported to different platforms. Meaning, when you
design your component, only the platform you port your component
to will understand and execute the component call. Active X is
an attempt to extend the existing Microsoft technology to the
network. If I were Bill Gates I would do the same thing, because
who wants to throw away one's own stuff?
Java Beans can understand many different component
technologies including OpenDoc, LiveConnect and Active X. Active X
is designed to understand Java Applets and not other technologies.

What is the advantage of Active X? Existing OLE, which is
available in thousands, can be used immediately. You can write
an Active X control in any language (C++, Java, etc.) because
everything will end up being compiled to binary. This however
poses significant security and bug risks. C++ is notorious
for pointer and garbage collecting (memory leak) problems.
This is why Java in the first place!!

In summary, there is no way the 2 technologies will merge, but
one can adapt the other in certain environments. Java Beans is
definitely a more overall approach but is quite young. Active X,
coming from MS existing technologies, has an advantage in
terms of development but then fails to meet a number of network
requirements, esp. security and cross-platform.

Let's talk Active X security if you are interested.
Recently, Intuit, the largest financial SW, has issued a press
release warning its users about using Active X
(http://www.news.com/News/Item/0,4,8015,00.ht). This
follows a German hacker group demonstrating on TV that
they can transfer money from one account to the other
using Active X
(http://www.iks-jena.de/mitarb/lutz/security/activex.pe.clari.html).


Check out this site for the IFrame bug: http://dec.dorm.umd.edu/
This bug allows ActiveX components to invoke programs
on the user's host.
Another security bug allows one to use IE3.0 to
invoke an executable program on the user's computer.

Java itself may not be totally secure, but under heavy
scrutiny (everyone wants to be a hero), only a few bugs
were found and ALL of them are at the implementation level.
The real difference in terms of security is this: OLE,
the underlying foundation of Active X, was not designed with
security in mind, whereas Java was. You can't build security
out of a bad foundation. You can only patch it. I wish
Microsoft would just admit it and go with the best technology
to save its followers billions of dollars. All it loses
is the monopoly situation :-). Java, as far
as I am concerned, belongs to the public now and nobody
can monopolize it.

Finally, I leave you with a comment from Yusuf Mehdi 
(yusufm@microsoft.com), the product manager for Microsoft's 
Internet Explorer. "On average, I think Java is safer than 
ActiveX."

Wow, this is long, unusual for me.

Luong