It didn't take Fred McLain long to write his "Internet Exploder" ActiveX control using Microsoft's own tools, but it may take Microsoft a good deal longer to shake off the security issues that control raised. Back in June, McLain posted Internet Exploder, an ActiveX control, on his Web site. When a visitor running Windows 95 and Internet Explorer 3.0 loads the page, the Exploder control is downloaded to the visitor's computer and promptly shuts the machine down.
"It took me less than a day to write that control," says McLain, CEO of the Bothell, Washington-based Appropos. "It is totally benign, but the Exploder is a demonstration of something that is very dangerous."
McLain's software demonstrates that an ActiveX control can access any part of a computer. Microsoft officials point out that McLain is not demonstrating a new technology, nor a danger unique to ActiveX. "This is an old problem that used to affect a few people," says John Browne, product manager of the Internet commerce group at Microsoft. "Now because of the Internet, it affects a lot of people. Downloading stuff over open networks has always been dangerous."
According to Browne, not only is the problem an old one, but other Internet vendors are doing even less than Microsoft to solve it. "You have the same problem when you download Netscape plug-ins," Browne says. "We are actually doing something about it, but Netscape hasn't done squat."
Netscape officials say they are working on the problem. "We're looking at providing secure components within the Galileo time frame," says Edith Gong, Navigator product manager at Netscape.
Microsoft has instituted AuthentiCode, a code-signing security measure that lets developers obtain a certificate for their code. The certificate is displayed to the user before the ActiveX control or Java applet is downloaded to an Internet Explorer browser. The idea behind AuthentiCode, Browne says, is to leave a trail of accountability back to anyone who writes malicious code. "AuthentiCode is a step in the right direction," Browne says.
After McLain contacted Microsoft about the security problems raised by Exploder, Microsoft posted a notice on its Web site stating that AuthentiCode would be an answer to such problems. Certificates are not the answer, McLain says. "What if you wrote a control that erased someone's disk?" McLain says. "It would erase any digital certificate as well."
"This is a huge Pandora's box," says Ira Machefsky, an industry analyst with the Santa Clara, California-based Giga Information Group. Machefsky dismisses the code-signing initiative as a solution to the problem. "Having something signed does not protect you from anything," Machefsky says. "Just because a cheque is signed doesn't mean there is money in the account."