Following on-line banking security breaches associated with an ActiveX control in Germany, Microsoft has announced an advisory programme on security issues surrounding not only ActiveX but all executable files on the Internet.
The programme will be Web-based and is available at www.microsoft.com/security/. Microsoft is also planning a round table to discuss strategies for meeting security requirements while still enabling rich functionality from downloadable code.
Part of Microsoft’s strategy is based around its Authenticode technology in IE 3.0, which will enable the tracing of code authors.
“The first step towards dealing with these risks is to educate yourself about them,” says Web security author Gary McGraw.
“Using untrusted executable content, including Java applets, ActiveX controls, and others, presents considerable risks.”
Microsoft says no security programme is fool-proof; the issue is about managing and minimising risks, and it is this that the new programme will address.
While Microsoft has been emphasising the across-the-board risks of executable code, Microsoft New Zealand’s marketing manager Steve Jenkins did concede this week that the “sandboxing” of Java applets did provide some protection absent from Microsoft’s ActiveX. He went on to say that this was at the expense of functionality.