The security of Microsoft's ActiveX Internet component technology has been called into question, following the success of a group of German hackers in breaking into financial programs through ActiveX controls.
On German television, the Chaos Computer Club showed off their ability to steal money from one bank account and transfer it to another. The hackers used an ActiveX control they had written, downloaded onto a PC running Intuit's Quicken home finance software, to move money around, bypassing all security measures. The same technique could potentially be used on any other application that employs ActiveX technology.
Detractors claim the club has proved what they knew all along: that ActiveX is less secure than Java because it allows users to write directly to the file system. Java applets run inside the Java Virtual Machine. Sometimes called a sandbox, this effectively forms a security layer that protects the underlying file system from modification, preventing access to the local hard drive.
ActiveX uses a different mechanism, based on a digital signature. By default, Internet Explorer 3.0 will warn users not to download a control without a valid signature, but if users do choose to download such a control, they could unwittingly find themselves the victims of a financial scam, such as the one the German hackers committed, or a virus attack.
Microsoft argues that such attacks can be stopped by enforcing a system of signature authentication on all Web applets. "This is a demonstration of what an unsigned control can do on a PC," said Jeremy Gittens, Internet platforms marketing manager at Microsoft UK. "Signing should apply to every application that hits the desktop."
But Sam Sethi, product manager at Netscape UK, rubbished this advice.
"The fundamental problem is that ActiveX can write to a hard disk without asking," he said. "That means ActiveX is intrinsically insecure."
Ken Fraser, principal analyst at Dataquest, agreed. "There is a greater risk associated with using ActiveX than using Java," he said. "Users need to understand what they are using, and be aware of the possible consequences of downloading programs to run on their PCs."