Microsoft in damage control mode
Copyright © 1997 to 7am News
Microsoft has switched into "damage control" mode in the wake of recent revelations that ActiveX controls might mess with your bank account. A German hacker group has already demonstrated a control that has the ability to interact with Intuit's software so as to perform unauthorised transactions.
In an email addressed to "Internet Users Everywhere", Microsoft claim that MSIE 3.0 has the appropriate safeguards to protect against this kind of threat. It claims that when used at its default security level, MSIE will not download and execute any unsigned ActiveX control, such as the one recently highlighted in the media.
Microsoft go on to say that the same level of threat exists from any other browser and that malicious code can be written and disguised in many ways, including through the use of application macros, Java applets, Navigator plug-ins, Macintosh applications and more.
Unfortunately Microsoft appear to still be unwilling to concede that the ActiveX model simply doesn't have the same levels of safeguards offered by the "sandbox" method used by Java applets. Informed observers are of the opinion that ActiveX is fine for intranet environments where security is more easily controlled, but that it is simply too dangerous for use in the somewhat more hostile world of the Internet.
It could be argued that the use of ActiveX is somewhat akin to giving someone a loaded gun along with the message "don't shoot yourself". This will work fine for most users, but there will be fatalities because people make mistakes. By contrast, Java applets are analogous to a gun loaded with blanks - you might give yourself a few powder burns - but it's very difficult to kill yourself with it.