In September 1998, a group of political activists calling themselves Electronic Disturbance Theater attacked the Pentagon’s Web servers, the Frankfurt Stock Exchange and the Mexican president’s Web site. These incidents were among the first documented cases of a malicious Java applet worming its way into a network with the sole intention of causing disruption. The activists, armed with Java-enabled browsers, were able to deny other users access to the server simply by visiting one of the Web sites.

The security implications of this are deeply worrying. Thousands of organizations now use mobile code – applets that enable information to be stored and downloaded on different machines and networks – on their corporate and commercial Web sites. Market analysts at the Hurwitz Group recently estimated that 90% of sites devoted to e-commerce are written in the Java programming language; and analysts at the Gartner Group estimate that 80% of Web sites use some form of mobile code.

“There’s no denying Java and ActiveX [Microsoft’s alternative approach] are useful for business,” says Larry Bridwell, product development manager at the Malicious Mobile Code Consortium, a division of the International Computer Security Association (ICSA). “But mobile code could be used more and more to bypass security.”

“Active content such as Java and ActiveX graphics are capable of being abused,” concurs Dr Stephen Cobb, self-styled ethical hacker and director of education and research at Virginia-based security consultancy Miora Systems Consulting. “But so far we’ve seen more theoretical demonstrations of the problem than actual problems.”

While Bridwell admits there have been few documented attacks to date, he says it is nevertheless important to alert companies to the risk. He also says there may have been more instances of attack than have been reported. “Many companies are reluctant to report the problem for fear of being seen to be lax about security issues,” he says.

The key to Java’s security is a layer of software called the Java Virtual Machine (JVM). When a user downloads an applet, the JVM initially refuses the program access to the computer’s hard drive and network connections. At this stage, the applet is sitting in a ‘sandbox’ where it can do no damage. The applet can only leave the sandbox if the JVM verifies that the program comes from a trusted source.

However, problems can occur when there are flaws in the JVM implementation or in the Java Security Manager software that enforces these restrictions. For example, problems have been found in older versions of the Netscape and Microsoft browser software.
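
The sandbox decision described above can be modelled with the JDK's own permission classes. This is an added example, not code from the article or from any vendor it mentions; the directory, IP address and granted permission set are hypothetical, and the permission check is called directly rather than through an installed Security Manager.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

public class AppletSandboxModel {

    // Builds the permission set for downloaded code. Code that has not been
    // verified as coming from a trusted source gets an empty set (the sandbox).
    // Verified code gets a narrow, explicit grant rather than full access.
    static PermissionCollection permissionsFor(boolean fromVerifiedTrustedSource) {
        Permissions granted = new Permissions();
        if (fromVerifiedTrustedSource) {
            // Hypothetical grant: read-only access below one directory,
            // outbound connections to one address and port.
            granted.add(new FilePermission("/srv/applet-data/-", "read"));
            granted.add(new SocketPermission("192.0.2.10:443", "connect"));
        }
        granted.setReadOnly(); // the grant cannot be widened after this point
        return granted;
    }

    // The check a security manager performs before each sensitive operation:
    // is the requested permission implied by anything that was granted?
    static boolean allowed(PermissionCollection granted, Permission requested) {
        return granted.implies(requested);
    }

    public static void main(String[] args) {
        // Constructed sample requests an applet might make.
        Permission[] requests = {
            new FilePermission("/srv/applet-data/report.txt", "read"),
            new FilePermission("/srv/applet-data/report.txt", "delete"),
            new FilePermission("/etc/passwd", "read"),
            new SocketPermission("192.0.2.10:443", "connect"),
            new SocketPermission("198.51.100.7:25", "connect"),
        };
        for (boolean trusted : new boolean[] {false, true}) {
            PermissionCollection granted = permissionsFor(trusted);
            System.out.println(trusted ? "Verified trusted source:" : "Sandboxed applet:");
            for (Permission p : requests) {
                System.out.println((allowed(granted, p) ? "  ALLOW " : "  DENY  ") + p);
            }
        }
    }
}
```

The sandboxed run denies every request; the trusted run allows only the read under the granted directory and the one granted connection, so a delete or a connection elsewhere is still refused.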

The risks from ActiveX controls are much higher. Unlike Java, ActiveX has no sandbox, and once an applet is downloaded it is free to do whatever the developer has stipulated, such as access or delete files, regardless of the user’s wishes. Microsoft’s stated policy on ActiveX is that users should only download ActiveX applets that come from reputable sources, but this is difficult as hackers often disguise malicious applets as harmless ‘downloadables’.

Penny Leavy, VP of worldwide marketing and business development at Israeli security software vendor Finjan Software Ltd, says the risks posed by applets and other forms of mobile code are great. “Some firewalls come with Java security built in, but they can’t differentiate between benign and harmful applets so they either allow everything to come into the network or nothing at all,” she says.

To help eliminate the risk, Finjan has devised two products: SurfinGate, which protects a network against hostile applets by scanning them for any traces of unusual activity at the gateway; and SurfinShield, which protects individual desktops from both Java applets and ActiveX controls by creating a user-definable sandbox for ActiveX while still offering protection against Java applets. Finjan also set up the Java Security Alliance in 1997, and persuaded most of the leading firewall vendors, including Network Associates Inc and Check Point Software Technologies, to integrate Finjan’s technology into their firewalls. Cisco Systems Inc now bundles Finjan’s SurfinGate with its PIX firewall.

In a complementary effort in November 1998, members of the ICSA created a common content inspection application programming interface (API) to make it easier to get firewalls, antivirus software, and Java and ActiveX security tools to work more closely together. Rather than creating a new API from scratch, the group is using existing APIs from Check Point, Finjan and Microsoft.

Although the creation of an industry standard API should eventually make the use of mobile code tracking software more prevalent, until then Bridwell urges extreme caution. “Companies should ensure they have policies in place for getting people to make sure their browsers’ Java switch is turned off,” he says. He also suggests that only plain-text email messages should be allowed to enter the network.

Meanwhile, Finjan has competition. eSafe, another Israeli company, has a product called Protect that places any code downloaded from a Web site into an isolated sandbox. From there, eSafe monitors the program, determines its intentions and prevents it from causing harm. And Digitivity, a small Cambridge, UK-based company, has taken a similar approach with its program which creates a proxy applet so that a potentially malicious piece of code can be run remotely or ‘caged’ outside the firewall. The company was acquired by thin client software specialist Citrix Systems Inc in June 1998.

This article originally appeared in our sister publication Computer Business Review.