February 28, 1997 (updated 05 Sep 2016 12:33pm)


By CBR Staff Writer

Highlighting the still-primitive nature of applet security over the Internet, German hackers Chaos Computer Club achieved their objective of fueling a slanging match between the fans of Java and ActiveX last week. The row followed the Club’s recent demonstration on German television of an ActiveX control that inserts a transaction into Intuit Inc’s Quicken personal finance package running on a Windows 95 personal computer, sending money from your account to the hackers the next time around.

Various Sun Microsystems Inc supporters took the opportunity to point out ActiveX’s lack of a sandbox – a secure software area within the operating system that prevents access to any hard disk – and also noted that JavaSoft is promoting a combination of digital signatures and a sandbox. Microsoft Corp for its part reiterated its claim that sandboxes are impractical – users must have access to their hard disk to save documents, goes the thinking. ActiveX couldn’t use a sandbox because it requires calls to the Win32 application programming interface that resides on the hard disk. Microsoft doesn’t deny this, but insists Java would and does have the same problems.

Microsoft responded with a Website explaining Authenticode, saying the Chaos control was not signed and therefore should not be used, which probably won’t reassure many users. It claims Internet Explorer 3.0 users are safe by default – the default being that they do not try to download unsigned code – but that malicious hackers can still cause damage to their systems. It also says that Internet Explorer 3.0 employs a sandbox to protect users’ systems, but of course this has nothing to do with ActiveX – this is Microsoft’s Java VM at work.

Microsoft’s general manager of developer relations Todd Neilsen reiterated the use of digital signatures, in particular Microsoft’s Authenticode system, as the only genuine way of ensuring rogue applets don’t get access to your system – a bit like letting a heavily armed stranger into your house and then complaining to the police that he tied you up and stole your video recorder, he said. Authenticode works by way of an electronic stamp that software publishers put on their software so the user can identify it. The US version of Quicken is not susceptible to the problem exposed by the Chaos cabal, as it only accepts payments to pre-authorized accounts.
