From Risks

Dan Kohn (dan@teledesic.com)
Thu, 21 Nov 1996 13:34:11 -0800


Date: Sat, 16 Nov 1996 13:28:40 -0500
From: "Simson L. Garfinkel" <simsong@vineyard.net>
Subject: Risks of ActiveX

Although people who care about computer security are concerned about
ActiveX, the problems are likely to grow in the coming months and years.
That's because ActiveX is key to Microsoft's long-term strategy of
eliminating the distinction between information stored on desktop
computers and information stored on the network.

I have had numerous conversations with Microsoft employees about ActiveX
over the past six months. In summer 1996, I was told that the security
problems would be solved by code-signing. This fall, I was told that
code-signing doesn't solve the security problem, but does provide
accountability. Now I'm told that it doesn't really give you
accountability either, but it does give you integrity for the downloaded
applets and, anyway, code signing is important in its own right. Besides,
say Microsoft folks, the dangers in ActiveX controls are no different
than the dangers that are found in downloading any program from the
Internet.

The real reason that code signing does not promote authentication, of
course, is that truly malicious ActiveX components won't tell you that
they are maliciously modifying your operating system. In fact, they'll
try to make the modifications as quietly as possible. Or they might
engage in a two-pronged attack. For example, one ActiveX control could
change Internet Explorer's ActiveX security level so that you would run
unsigned applets; later, a second control could do the real damage.

On Wednesday, November 20th, my column on HotWired's "Packet" channel
will go into the ActiveX security problem in some detail. If you wish to
read it, just check out http://www.packet.com/garfinkel. It's free.

Simson Garfinkel