ActiveX Security: Under the Microscope
by Jeremy Carl
Java's security has come under close scrutiny over the past few months, generally for obscure holes in Netscape's implementation. Now, given Netscape's recent announcement that it will adopt ActiveX in its products, the developer community is taking a look at the security framework for Microsoft's component model. And it's not always liking what it sees.
"What security?" asked Fred McLain, author of the ActiveX Exploder control, an infamous invention designed to show the weaknesses in ActiveX's security framework. The control, which McLain removed from his site following a legal threat from security vendor VeriSign Inc., shut down some users' machines automatically by activating the energy-saving feature in certain BIOSes. McLain said he could have designed the control to do something much more malicious.
Microsoft's approach to security is fundamentally different from that taken by Sun Microsystems' Java. Java uses "sandboxing," meaning that a Java application executes in a protected memory area. Critical areas such as the file system or the boot sector are strictly off-limits. Theoretically, this makes it impossible for applets built in Java to damage a computer or its contents. It also walls applets off from working with other applications or piggybacking on system services, and it forces users to download an applet every time they want to use it.
ActiveX, meanwhile, has no such restrictions. Controls can reside on a system and use its resources, but they can also write to the local hard disk, potentially even wiping out all of a user's data.
For security, Microsoft relies on digital signature technology from VeriSign, a joint venture between Visa International and RSA Data Security Inc. The signature, called a certificate, is wrapped around a control before it is placed on the network. These signatures identify the source of the control.
Microsoft's Authenticode technology, built into Internet Explorer, verifies the signature with a certificate authority and ensures that it has not been altered before a download takes place. Authenticode, in the default setting, will not allow an unsigned control to be downloaded. However, users can change this option to allow unsigned controls to download with a warning.
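To make the two checks described above concrete, here is an added example that is not code from the article, from Microsoft or from VeriSign. It models the browser-side decision in plain Python: verify that a control's signature matches its bytes (which establishes both the publisher's identity and that the control was not altered), then apply the download policy, where the default refuses unsigned controls and the relaxed setting lets them through with a warning. The publisher's key pair, the `Control` structure, the policy flag and the sample control bodies are all constructed for this example; the textbook RSA key is deliberately tiny and only stands in for a real signing certificate.

```python
"""Toy model of a signed-control download policy (added example, not Authenticode)."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed, deliberately tiny textbook RSA key pair standing in for a
# publisher's signing certificate. Real keys are far larger; this pair is
# for illustration only.
_P, _Q = 1000003, 1000033
PUBLIC_KEY = (_P * _Q, 65537)                      # (n, e): what the browser holds
_PRIVATE_EXP = pow(65537, -1, (_P - 1) * (_Q - 1))  # d: what only the publisher holds


def _digest_as_int(data: bytes) -> int:
    # SHA-256 of the control body, reduced mod n so the toy modulus can sign it.
    n, _ = PUBLIC_KEY
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_control(data: bytes) -> int:
    """Publisher side: sign the digest of the control with the private exponent."""
    n, _ = PUBLIC_KEY
    return pow(_digest_as_int(data), _PRIVATE_EXP, n)


def signature_is_valid(data: bytes, signature: int) -> bool:
    """Browser side: recover the signed digest and compare it with a fresh one."""
    n, e = PUBLIC_KEY
    return pow(signature, e, n) == _digest_as_int(data)


@dataclass
class Control:
    name: str
    payload: bytes
    signature: Optional[int]   # None models an unsigned control


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate_download(control: Control, allow_unsigned: bool = False) -> Decision:
    """Mirror the article's two-step check: signature first, then the user's
    policy for unsigned code. allow_unsigned=False is the default posture."""
    if control.signature is None:
        if allow_unsigned:
            return Decision(True, "WARNING: unsigned control, publisher unknown")
        return Decision(False, "blocked: unsigned control")
    if not signature_is_valid(control.payload, control.signature):
        return Decision(False, "blocked: signature does not match payload (altered or forged)")
    # A valid signature ties the control to a certificate holder and shows it
    # arrived unmodified; it says nothing about what the code does once it
    # runs with the user's full rights, which is the gap the article describes.
    return Decision(True, "allowed: signed by a known publisher, unmodified in transit")


if __name__ == "__main__":
    # Constructed sample control bodies; the names are placeholders.
    good = Control("clock.ocx", b"MZ\x90\x00 toy control body v1", None)
    good.signature = sign_control(good.payload)
    tampered = Control("clock.ocx", b"MZ\x90\x00 toy control body v1 + extra", good.signature)
    unsigned = Control("mystery.ocx", b"MZ\x90\x00 something else", None)
    for control in (good, tampered, unsigned):
        print(control.name, "default  ->", evaluate_download(control))
        print(control.name, "relaxed  ->", evaluate_download(control, allow_unsigned=True))
```

Running the script shows the three outcomes side by side: the signed, unmodified control is allowed under both policies; the tampered copy is blocked under both, because the signature no longer matches its bytes; the unsigned control is blocked by default and admitted only with a warning under the relaxed setting. Note that none of the three branches inspects what the control would do when run, which is exactly why a signature alone is not a sandbox.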
Microsoft's product manager for Internet security, John Browne, said he recommends that users not download any ActiveX controls that are not digitally signed, though he acknowledged that this practice is not yet widely observed.
"When PCs started out, people were putting floppy disks on their refrigerators with a magnet, stapling disks together, and not backing up files," Browne said. "Gradually, people caught on. They adopted [other] practices, and the same thing will happen on the Internet."
Precisely when it will happen is more of a question. And in any event, there is significant doubt among some developers that authentication will prove a panacea.
"With ActiveX, the idea is you've got a controlled network, but part of the appeal of the Internet is that it's not controlled--not everyone is going to register with a central authority," said David Koosis, technical director of ISC Consultants in New York City. Still, he added, "I probably wouldn't download ActiveX controls on a system I couldn't afford to crash."
WHO'S BEHIND A SIGNATURE?
McLain, author of the machine-crashing control, seemed to support that point of view. He also suggested that, because signatures are issued at several levels of scrutiny, very little stands in the way of falsifying identity when applying for one. "For a personal digital signature, all they have is a credit card number, which is really trivial to hide behind," he said.
At Microsoft, Browne and security product manager Christine Chang said that Authenticode requires a more extensive background check to certify any party as a legitimate distributor of controls. They pointed out that would-be distributors must pay VeriSign a $400 fee and pass a check by Dun and Bradstreet in order to qualify.
Reprinted from Web Week, Volume 2, Issue 17, November 4, 1996 © Mecklermedia Corp. All rights reserved.