
ActiveX



Hi all:

I just found an interesting article about ActiveX. Below is the section 
about the security issue. The whole Acrobat Reader file can be 
downloaded from http://www.cutter.com/ads/adssamp.htm.

Enjoy,
Thanh-Tung Truong

====================

++The security issue++
 
For people building Internet-based systems that interact with the 
external marketplace, security is obviously a relevant issue; and for 
those building electronic commerce systems, it’s obviously a key issue. 
But for intranet-based applications, security may be interpreted as the 
“usual stuff” concerning passwords and protection of database records.

Thus, the question of whether security features represent a strength or 
a weakness for ActiveX is a relative one; perhaps more important, it’s a 
dynamic one, as the tools, technologies, and strategies for Internet 
security are changing on an almost daily basis. Thus, if I had to make a 
tactical choice between ActiveX or Java for a project today, I might or 
might not be satisfied with the approach taken by ActiveX; but if I were 
making a long-term strategic decision about what kind of Internet-based 
component technology I want my company to use for the next several years, 
I wouldn’t be so concerned about the differences that exist between the 
two approaches — for they may well merge into a common approach.

As things stand today, there are differences; as mentioned earlier, Java 
relies on “built-in” security when an applet is loaded into the client 
Web browser; ActiveX relies more on a digital signature to authenticate 
the component’s author and the fact that the component hasn’t been 
modified during transmission. However, the current ActiveX strategy does 
not eliminate the possibility of the component’s author inserting a 
virus (or various other forms of “rogue” behavior), nor does it 
eliminate the possibility that a hacker may have altered the component 
after it was developed, but before it was transmitted across the 
Internet.

On the other hand, there is no widespread agreement yet that Java’s 
security approach is foolproof either. A few months ago, it became 
apparent that a hacker could construct a “legal” Java applet that could 
be downloaded into a client Web browser (and thus inside whatever 
“firewall” the organization might have constructed), after which point it 
could (a) read directories and scan the machines on the network inside 
the firewall, and (b) compose and transmit e-mail messages (perhaps 
containing information about what it found) back across the firewall. Not 
only that, a Java applet can go into an infinite loop and thus cause a 
“denial of service” attack on the client machine.

While these two Java problems may well have been solved by now, I suspect 
that there will be others; after all, Java is only a year old, and we’re 
just now beginning to build “serious” Java applications on the Internet. 
Similarly, ActiveX is so new that many parts of it don’t even exist in an 
official capacity, and it’s almost inevitable that various security 
problems will emerge over the next year. But while all of this is going 
on, Microsoft has been very active and aggressive about working with 
various banks and credit card companies to provide industrial-strength 
encryption and security technology for electronic commerce applications 
on the Internet. I have no doubt that Microsoft will incorporate that 
technology into its ActiveX product offerings as the marketplace 
expresses a need and desire for such technology.

====================