The International Computer Security Association (ICSA) has formed a Malicious Mobile Code Consortium to address the threat of hostile ActiveX controls and Java applets. The list of charter members is an A to Z of anti-virus and intrusion detection companies, including Advanced Computer Research, Axent, CA, Cybermedia, Digitivity, Dr Solomon’s, eSafe, Finjan, Internet Security Systems, Quarterdeck, Security-7, Symantec and Trend Micro, with more companies expected to join.

At first glance it seems a little unfair to lump carefully sandboxed Java, designed to wreak no harm, with the nightmarish security free-for-all that is ActiveX. Product development manager Larry Bridwell argues: “Even with the sandbox – and we want it to be known that we think Sun has done an excellent job in considering security – there is occasionally a chink in Java’s armor.”

Experts beg to differ. “As far as I know, there have been no legitimate reports of Java viruses written in the wild,” says Rob Rosenberger, webmaster of the Computer Virus Myths home page. “On the other hand, it’s beautifully easy to do it in ActiveX.” Rosenberger cites Princeton computer scientist Ed Felten, founder of the Secure Internet Programming Laboratory, who says he’s never bothered to test the security of ActiveX. He says he’d just have to write one virus in it and they’d be done. ActiveX is child’s play.

The problem is one of perception. “People see Java and ActiveX as two ways to get stuff on the internet,” Rosenberger explains. “You’re talking about apples and oranges, but people only see fruit. Java poses a theoretical threat. ActiveX is an actual threat.”

While Bridwell concedes that there have been no documented cases of security breaches via Java, he says he believes such attacks are on their way. “It almost appears that we are in the infancy of malicious mobile code, just as in the late eighties we saw the infancy of viruses written in auto-executable code,” he contends. “The problem is that you have increased connectivity and much larger numbers of people.”

Even if viruses do start getting written in Java, how much real harm are they likely to do? Most current viruses – Word macros, for example – are easily trapped and prevented, causing little more than a nuisance. Bridwell, however, says the problem is one of scale. “Our survey shows that something that doesn’t cause actual physical damage to data can still cause thousands of dollars in downtime and associated costs,” he says. The ICSA surveyed IT managers at 300 organizations, each with a minimum of 500 computers, two LANs and two remote connections. A single virus attack costs these companies an average of $8,000; in two instances, an attack cost more than $100,000. Maybe there is a role for the consortium after all.