February 28, 1997 (updated 05 Sep 2016 12:33pm)

GERMAN HACKERS TRIGGER JAVA, ACTIVEX DEBATE

By CBR Staff Writer

Highlighting the still-primitive nature of applet security over the Internet, German hackers Chaos Computer Club achieved their objective of fueling a slanging match between the fans of Java and ActiveX last week. The row followed the Club’s recent demonstration on German television of an ActiveX control that inserts a transaction into Intuit Inc’s Quicken personal finance package running on a Windows 95 personal computer, sending money from your account to the hackers the next time around.

Various Sun Microsystems Inc supporters took the opportunity to point out ActiveX’s lack of a sandbox – a secure software area within the operating system that prevents access to any hard disk – and also noted that JavaSoft is promoting a combination of digital signatures and a sandbox. Microsoft Corp for its part reiterated its claim that sandboxes are impractical – users must have access to their hard disk to save documents, goes the thinking. ActiveX couldn’t use a sandbox because it requires calls to the Win32 application programming interface that resides on the hard disk. Microsoft doesn’t deny this, but insists Java would and does have the same problems.

Microsoft responded with a Website explaining Authenticode, saying the Chaos control was not signed and therefore should not be used, which probably won’t reassure many users. It claims Internet Explorer 3.0 users are safe by default – the default being that they do not try to download unsigned code, but that malicious hackers can still cause damage to their systems. It also says that Internet Explorer 3.0 employs a sandbox to protect users’ systems, but of course this has nothing to do with ActiveX – this is Microsoft’s Java VM at work.

Microsoft’s general manager of developer relations Tod Nielsen reiterated the use of digital signatures, in particular Microsoft’s Authenticode system, as the only genuine way of ensuring rogue applets don’t get access to your system – a bit like letting a heavily armed stranger into your house and then complaining to the police that he tied you up and stole your video recorder, he said. Authenticode works by way of an electronic stamp the software publishers put on the software so the user can identify it. The US version of Quicken is not susceptible to the problem exposed by the Chaos cabal as it only accepts payments to pre-authorized accounts.
