In considering the security dangers raised by the specter of Microsoft's ActiveX Internet technology, I racked my brain looking for a good analogy through which I might illustrate the common Internet user's hazard. After several fruitless hours and feeling my creative fount had gone dry, I gave up and decided to anesthetize myself with that great national opium, Television.
Much to my surprise, it provided the perfect example: The television special of Homer's Odyssey. For those of you whose Greek mythological history is long lost, Odysseus was a hero of the Trojan Wars, in which his city of Ithaca battled the city of Troy and, after 10 inconclusive years, built a giant wooden horse as a tribute to the Trojans and then pretended to sail away. The Trojans foolishly took the giant horse into their city as a war trophy, not knowing that Odysseus and some hand-picked soldiers were stowed away in its belly. When night fell, Odysseus and his band opened the city doors to admit their fellows and they all burned Troy to the ground.
That, in a nutshell, is what is wrong with ActiveX. While a "trojan horse" is most commonly a reference to a virus, I couldn't resist comparison, apt as it is. Perhaps it is so apt that ActiveX could be billed as "The most globally sold potential virus in history."
ActiveX is the classic case of a good idea taken to ridiculous and hazardous extremes. Back in the heady days of Windows 3.0 and following, a new type of object-oriented automation came out called Object Linking and Embedding or OLE. OLE was mighty slick, because it let you do exceedingly cool stuff like grab a hunk of text and DRAG and DROP it onto another document. Word processors (the people) thought they had died and gone to heaven, and the Spreadsheet people needed wet packs and rubber rooms they were so excited.
The way OLE did its thing was simple: you waved your arm up front (the drag and drop action) and it took care of all of the messy file manipulation in the background. OLE controls were C++ programs that extended the capacities of your Operating System (OS) and Applications. This brought out a whole new way of dealing with the interface, because programs (even ones from different manufacturers) could pass data back and forth amongst themselves, even making hooks to data that wasn't actually theirs. That was OK, because you had to tell it to do so. For instance, if I "link" a graphic in a Word document, I don't actually make the graphic part of the document, I just leave instructions for where to get the graphic when I need it. This is different than "embedding" an object (graphic, sound file, spreadsheet, etc.) in a document so that the graphic gets carried around "inside" the document file which can be viewed anywhere with all of its associated graphics "embedded" in it. This was a complete boon to desktop publishers and business people everywhere. If you had a pretty graphic as your letterhead, everywhere that file went, the embedded graphic went with it.
The danger comes when we see what has been done to poor OLE. To really understand how reckless Microsoft has been, we need to compare ActiveX with Java. Last month, we looked at how the Java Virtual Machine (VM) that Java applications run in keeps a rogue piece of programming from turning your system into a bookend by not permitting it to directly make system-level calls to the OS. If a Java app wants local system resources, it must request them through the VM which won't let any funny business go on, not unlike a watchful Dad on his daughter's prom night.
The reason that Java is so secure is that Sun Microsystems developed Java with Internet architecture in mind. Security is built into Java the same way that brain damage is built into Boxing; it permeates every nook and cranny of its existence.
By contrast, ActiveX reminds me mightily of an axiom in vampire mythology: Don't EVER invite a vampire into your house. Once you do, you are powerless. ActiveX technology has no Virtual Machine to constrain it; it runs completely free on your system once it is in the front door. An ActiveX control is merely a Windows program that you can download from the web and, as such, is capable of doing ANYTHING a regular Windows program can do. (Has your spine gone cold yet?)
Follow the process: You surf to a site that offers you an ActiveX component to view their content. Your Browser shows you the digital signature on the component and, anxious to get to the main course, you quickly accept it without looking it over. When the ActiveX control is downloaded, it executes and does whatever it was programmed to do without ever giving you another opportunity to halt it. That could be displaying some really cool graphics on the web page, or it could be copying your OS Registry Key names back to its creator. (The Registry is like the DNA for your OS: every program you have ever installed has inscribed itself there. This is like a list of every company you have ever owned stock in.)
Microsoft's limp defense of the open Pandora's Box that ActiveX represents is that the controls are digitally signed by their creator so if something goes wrong, you can track down the programmer who wrote the malicious application. I thought this was particularly funny, in light of the fact that the digital signature would likely be one of the pieces of data to die in the firestorm of your hard drive getting its head blown off, should the ActiveX control whimsically decide to do so. No trail of bread crumbs. Do you make a backup every time you log onto the 'net?
This homicidal possibility so rightly scared the tar out of most industry insiders that ActiveX is looked on suspiciously by the vast majority of net-savvy users. "ActiveX scares me to death," said Mason Rotelli, senior VP of IS at Anixter Inc. Consultant Fred McLain was so disturbed about this he put up a web site at http://www.halcyon.com/mclain/ActiveX/ that he balefully titled "ActiveX, Or how to put Nuclear Bombs on Web pages." He has written a non-violent demonstration that shows how ActiveX can make system calls by invoking the Windows 95 "shutdown" system command. Ten seconds after you get to the page, your computer shuts itself down. The first time I tried this, it gave me creeping horrors because Windows 95 could have just as easily been told to email the author my physical address (which is set as my default in MS Word) or just flat out wipe the drive. Curtain. No Flowers.
When confronted with such an overwhelming tsunami of vocal grievances, Microsoft pandered like a politician: It is the user's responsibility to say yea or nay to an ActiveX control that they are downloading, based on whether they trust the source for the control as stated in the digital signature certificate. Of course, you don't know if that control is packing a bazooka in its back pocket until after it has crossed the threshold of your electronic habitat. Then it is too late.
Microsoft suggested users set their security to high... which doesn't really change a thing. This only prevents unsigned controls from being downloaded. The forged digital signature (or the legitimate one!) will still run unfettered when you give it entree to your machine over the wire.
Now that I have gone through a real tirade concerning ActiveX, I do have several proactive suggestions every user can follow to both reduce their risk and improve overall Web security.
1. If you are using Internet Explorer 3 as your browser, disable all ActiveX content permissions on the Security tab under View / Options. This means any site with ActiveX controls on it won't look right or won't even load. That leads us to...
2. Email the Webmaster at any site you go to that runs ActiveX. If you take the time to email them with your specifically stated concerns, it WILL get their attention.
3. Encourage the use of Java Applications and Applets by complimenting Webmasters who use Java or Java-derived apps on their site. Remember the old saw about the number of flies you attract with honey? Positive feedback works best in concert with Negative feedback. Be balanced.
While I think Microsoft is out to lunch over ActiveX, I still remain a strong supporter of their browser, Internet Explorer 3. Its interface is much more intuitive, and its parsing (interpreting) of HTML is much more regular and less bizarre than Netscape's. Also, IE still has the best support for Java, beating Netscape Navigator and Communicator hands down: Microsoft may be arrogant, monopolistic and cut-throat, but it is not stupid. Java is going to bury ActiveX: Why else do you think Microsoft Internet Explorer 3 runs Java so well?
Peace,
Webwalker