Last modified: March 6, 1997 3:30 PM PST
Microsoft security flaws run deep
In a little more than a year, the software giant has succeeded in becoming an Internet leader, rapidly embracing the Internet with several of its existing desktop technologies, including the Windows 95 and NT operating systems and its component object model (COM).
But a growing number of security experts are questioning whether such a radical makeover of its technologies--technologies that were not originally designed to work on the Internet--has forced the company to compromise the security of its products. In fact, they say, Microsoft's desktop legacy might bring with it certain liabilities.
The questions stem from a recent spate of security incidents involving the company's Internet Explorer Web browser and ActiveX. Although the incidents centered around different features of the browser, they can all be traced to fundamental Windows technologies created before Microsoft moved to adapt to the Internet.
One of those technologies, ActiveX, is increasingly coming under fire for its security problems. ActiveX is a component architecture that allows miniature programs written in programming languages such as C and C++ to run inside of ActiveX "containers" such as Explorer 3.0. The technology was created last year using the underpinnings of a five-year-old object technology, COM.
While Java programs are blocked off from the rest of the desktop by a security "sandbox," ActiveX controls are free to roam a user's computer, erasing files or installing viruses if they please. (ActiveX controls can also be written in Java, but then they sacrifice Java's security features.)
Instead of a sandbox, Explorer relies for security on what Microsoft calls an Authenticode system. Authenticode checks to see whether ActiveX controls have been digitally signed by a "trusted" publisher and issues warnings to users each time the browser encounters an unrecognized piece of code. If the user ignores the warning, all bets are off.
"It is analogous to saying that license plates prevent accidents or malicious damage," said Eric Brewer, a computer science professor at U.C. Berkeley. "Just as you can find your car dented in the parking lot, you may find your machine or privacy damaged after the fact without being able to tie it to a particular control, certified or not."
Microsoft tenaciously defends its trust-based security model. But executives do admit that it's not technically possible for them to put a sandbox around native C and C++ ActiveX controls.
"The sandbox and native [code] are [antithetical]," said Cornelius Willis, director of platform marketing at Microsoft. "If you put a sandbox around them, you would eliminate the reasons why people want to use them."
Those reasons, Willis argues, involve giving developers access to a greater range of capabilities on users' PCs than is possible with Java. But analysts say the security risk of this approach may outweigh the benefits of richer, more powerful ActiveX programs. Furthermore, because Microsoft has revamped its older COM technology to work over the Internet, analysts say the company is caught in a bind.
"It is, in fact, the flip side of the maturity of ActiveX that is giving Microsoft this exposure," said Stan Dolberg, director of software services for Forrester Research.
One developer who worked on the original Java team at Sun echoed those sentiments, arguing that the richness of ActiveX programs are not worth the security risks.
"Microsoft has an enormous amount of legacy code," said Arthur Van Hoff, chief technology officer at Marimba and one of the original Java developers at Sun. "How are you going to fit security onto that? Realistically, there's no way to do that. Java is really the right way to do security.
"Java is a much harder sell [than ActiveX]," he added. "It makes huge assumptions that people are willing to throw out existing code. But if you do that, you have a secure system."
Microsoft is scrambling to fill the security holes as they materialize.
