When ActiveX arrived a year ago, Microsoft Corp claimed it was better than Java because it allowed a richer, more fulfilling computing experience. It’s certainly true that ActiveX can be rich. This richness comes at a price, however. Java throws out most of the babies with the bathwater – applets run in a ‘sandbox’, and are supervised by a security manager, but can’t do simple and useful things like save and print your work. ActiveX tries to retain the babies, but keeps most of the bathwater too. ActiveX applets, or ‘controls’, are basically allowed to do whatever the developer decides they should be able to. Instead of limiting the behavior of the code, Microsoft employs a code-signing mechanism that’s supposed to limit the behavior of the developer. Called Authenticode, it’s designed to let the user identify who the developer is, and whether their work has been tampered with. This, Microsoft believes, will be sufficient to discourage the emergence of antisocial controls.
By Lem Bingley
If a user visits a Web page that needs a new control, an Authenticode browser like Microsoft’s Internet Explorer will check to see if the control has been signed before downloading it. Explorer provides three security settings which govern what happens next. If the browser is set at ‘high’ security, controls without a valid signature simply won’t download. The user is protected from harm, or his own stupidity, by being given no opportunity to override the security check. If security is set to ‘medium’, a dialog box appears and an unsigned control is installed and run only if the user clicks ‘yes’ to accept it. If security is set at ‘none’, however, the control simply downloads and executes silently, whether signed or not.

As long as the highest security setting is maintained, the computer won’t download what hasn’t been signed. Once a control is installed, however, it is considered safe even if it was not signed originally.
First wipe your system
So if you’ve used Internet Explorer with security set at ‘none’ or ‘medium’, and are considering switching to ‘high’, there’s little point unless you first wipe your system and start again.

To sign a control, a developer must first obtain a certificate from a trusted authority such as VeriSign Inc. VeriSign certificates for individual developers cost $20 per year and require a verifiable name, address, electronic-mail address, date of birth, and social security number. Certificates for companies cost $400 per year and require a Dun-and-Bradstreet rating in addition to a verifiable company name, location, and contact details.

When signed, controls can be marked as safe for initialization, safe for scripting, or safe for both. Initialization means starting up the control and specifying start-values. An animation of a bouncing ball, say, might be initialized to show seven red balls. Scripting is used for more complex situations – telling the animation to change the color and number of balls in a pre-defined order, say. Without either, the control will run with its default values.

While it’s hard to do any damage with a bouncing ball, very few ActiveX controls are so frivolous. Many ActiveX controls manipulate files on the hard disk. The danger is that by providing unexpected values through a script or by initialization, a signed control might be subverted to do something nasty. It’s up to the developer to decide whether the control is safe. Contrary to popular opinion, Microsoft runs no certification scheme to stamp developers as competent to make this judgement. It doesn’t check out third-party controls itself, either. The signatures and markings stay with the controls, not with the Web pages from which they arrive. There is currently no way to mark a control as safe only within certain Web pages. So when a developer marks a control as safe, he is marking it as safe in all possible Web pages.
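As an added illustration, not part of the article, the PowerShell script below audits a Windows machine for installed controls carrying the ‘safe for initialization’ or ‘safe for scripting’ markings described above, and reports whether each control’s server file carries a valid Authenticode signature. The two GUIDs are the documented component-category identifiers a control registers under its CLSID key; the script only reads the registry and file signatures and is meant for review of what has already been installed.

```powershell
# Added example (not from the article): audit installed ActiveX controls for the
# 'safe for initialization' / 'safe for scripting' markings and report whether the
# control's in-process server carries a valid Authenticode signature.
# The two GUIDs are the component-category IDs a control registers under
# HKCR\CLSID\<clsid>\Implemented Categories when it declares itself safe.
$CatSafeForInit   = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing
$CatSafeForScript = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting

function Get-SafeMarkedControls {
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key  = $_.PSPath
        $cats = Join-Path $key 'Implemented Categories'
        if (-not (Test-Path $cats)) { return }

        $safeInit   = Test-Path (Join-Path $cats $CatSafeForInit)
        $safeScript = Test-Path (Join-Path $cats $CatSafeForScript)
        if (-not ($safeInit -or $safeScript)) { return }   # keep only controls marked safe

        # Resolve the DLL/OCX path; registry values may be quoted or use %SystemRoot%.
        $server = (Get-ItemProperty -Path (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
        $server = [Environment]::ExpandEnvironmentVariables(("$server").Trim('"'))

        $sigStatus = 'NoServerFile'
        if ($server -and (Test-Path -LiteralPath $server)) {
            # 'Valid' means a chain to a trusted root; 'NotSigned' is an unsigned control.
            $sigStatus = (Get-AuthenticodeSignature -FilePath $server).Status.ToString()
        }

        [PSCustomObject]@{
            CLSID            = $_.PSChildName
            Name             = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            Server           = $server
            SafeForInit      = $safeInit
            SafeForScripting = $safeScript
            Signature        = $sigStatus
        }
    }
}

# Example use: controls that are scriptable from any page yet not validly signed,
# the combination the article warns about (wide reach, no accountability).
Get-SafeMarkedControls |
    Where-Object { $_.SafeForScripting -and $_.Signature -ne 'Valid' } |
    Sort-Object Name | Format-Table -AutoSize
```

A control can also declare itself safe at run time through the IObjectSafety interface without registering these categories, so an empty result from this registry scan does not prove that nothing scriptable is installed.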
The developer must therefore put a lot of effort into second-guessing hackers. Fundamentally, Authenticode is about ensuring accountability – not security. According to some observers, like Edward Felten, an assistant professor in the department of Computer Science at Princeton University, and co-author of the recent book, Java Security: Hostile Applets, Holes, & Antidotes, Authenticode fails to provide even this.

Suppose I accept a download signed by X, suggested Felten in a recent submission to The Risks Digest, a moderated Usenet forum devoted to the risks posed by computer systems. A few seconds later there is some mysterious network traffic and my disk gets wiped clean. X could be the culprit. Or X could be innocent – code I downloaded from Y three days ago could have waited before detonating. I have no evidence to distinguish these cases – it all disappeared when my disk was erased. Signatures can provide accountability, but only with more rigorous logging and auditing than today’s consumer software provides.

Microsoft’s response is that Authenticode makes Internet software just as secure, or insecure, as shrink-wrapped software. The Authenticode system is based on trust, and many consumers will be happy to trust only big, familiar names. Like Microsoft.

However, Felten believes that trust is difficult to maintain with Authenticode. There have been incidents of reputable and well-meaning organizations spreading viruses or serving as the base for security attacks, he observes. Last month, Singaporean programmer Tea Vui Huang used a downloadable Windows 95 utility, used when installing software, to change Explorer’s settings. The user must be foolish enough to download and run this item. If the user is foolish, Authenticode is disabled and no dialog explains that the security level has changed to ‘none’.
Pretty indifferent to it
Microsoft was the first place I contacted [about this, and it was] pretty indifferent to it, Huang told Software Futures. Microsoft confirmed that it thinks Huang’s attack is not a security issue at all because the user is warned at the start that the file could be dangerous.

This example will probably only serve to strengthen the widespread notion that while Java applets are completely harmless, ActiveX controls are completely beyond control. This interpretation is untrue in both respects. When Java was launched in mid-1995, various network security experts were wheeled out to explain that everything that could be done to make Java safe had been done, short of scrapping all existing operating systems. The current Java Developers Kit, JDK 1.1, provides Java archive files, JARs, which currently are treated more like ActiveX controls than Java applets. The applet viewer allows any downloaded applets in JAR files signed by a trusted entity to run with the same full rights as local applications, says JavaSoft’s documentation for JDK 1.1.

The basic problem that Java and Authenticode both try to solve lies with the systems on which they’re expected to run. Operating systems like Windows 95 were not designed to connect to the Internet. Authenticode adds some security while preserving investment in languages and object models. Java is an attempt to add security while junking existing languages and object models. Authenticode is cheaper, but less trustworthy. It will probably find many takers because people tend to adopt the cheapest option until forced to reassess the balance of risk against cost. The question is, with the growth of online commerce, will the biggest profits be made by Microsoft, or the hackers?
This article is taken from the April edition of Software Futures.