Last modified: February 19, 1998 4:00 AM PST
A question of safety
Instead of a security-based model, ActiveX relies on a trust model in which signatures allow users to judge whether to download an ActiveX control. If the control is signed by Microsoft, one may be inclined to believe that it is not designed maliciously to reformat your hard drive, for example. If the control is signed by an unknown entity, or if it is unsigned, one may find it too risky to download.
The lack of security with ActiveX has caused many corporations to shy away from the technology. Some decline to use it in their Web sites or in the Web site software they sell. Many find it an acceptable technology within their intranets, where the risk of encountering malicious executables is lower than on the Internet; others won't use the technology even internally. Many disable their employees' browsers from downloading any kind of active content from the Web--ActiveX, Java, or otherwise.
The blessing and the curse of ActiveX technology is its power. An ActiveX control is capable of interacting with anything on the desktop of a computer to which it is downloaded. That capability is at the heart of the technology's controversial nature and the classic technological trade-off between functionality and security.
"There's nothing wrong with ActiveX as long as you trust completely the guy who wrote it," says research scientist Gary McGraw of Reliable Software Technologies. "But it's like leaving your office to go to lunch and running into some guy who says he'd really like to use your computer for the next hour, and letting him sit and do whatever he likes while you're away. But as far as running trusted code, it's a very powerful and useful technology."
The alternative to the trust model is the so-called sandbox model, employed by Java, which lets the downloaded application interact in a limited way with the host computer. Most analysts find Java, which unlike ActiveX is compatible across all platforms, a more secure though less powerful method of delivering active content. According to McGraw, the sandbox and trust models are likely to merge in future active content technologies.
How much have security concerns hindered ActiveX? That depends on whom you ask.
"Security issues haven't hindered development at all," according to CheckPoint Technologies president Rebecca Bailey. But Bailey acknowledges that security concerns have limited the deployment of the technology, especially in larger corporations that disallow ActiveX controls from being downloaded.
CNET's ACTIVEX.COM site has been enjoying what its editors describe as brisk submissions of ActiveX controls at an average of more than seven per day.
Apart from malicious attacks, Bailey sees a vexing security problem with ActiveX and other executables in the packages in which they normally travel. Cabinet or "cab" files carry not only the controls but also the dependent files, such as DLL files, that the control requires to run. If the cab file is not written properly, it may write over more recent versions of those dependent files that already exist on the computer, wreaking havoc for users dependent on the latest release of various software applications.
Bailey estimated that as many as a quarter of cab files she encounters are improperly written in this way.
Whether the threat comes from malice or negligence, corporations are not giving ActiveX the benefit of the doubt. In addition to the actual security problems posed by the technology, there is the significant problem of the public's perception of ActiveX as a security hazard.
"ActiveX security is a problem from the point of view of the user with the Web browser, not from the point of view of the server," noted Win Treese, director of security for Internet commerce software provider OpenMarket. "The question on the server side becomes: Would your end users trust a system that uses ActiveX controls? A lot of people will, but a lot will hear there are issues with it, turn it off, and say, 'I don't want to deal with it.'"
Some see security concerns relegating ActiveX to the realm of corporate intranets, where the likelihood of malicious attacks is diminished. "In general, when you're behind the firewall, you won't lose too much sleep over someone in accounting reformatting your hard drive," Textuality independent consultant Tim Bray notes.
But even deployment of ActiveX within corporate intranets is considered risky by some analysts, who note that most corporate computing attacks are indeed caused by users within the firewall.
Meanwhile, ActiveX continues to find a more risk-friendly constituency among ordinary Web surfers. "The net effect is that security concerns are suppressing ActiveX development when the target client is corporate," said David Brussin, technical director for security consulting firm Miora Systems Consulting. "But when targeting consumers for applications, ActiveX is growing quite well."
Brussin added that of the companies he works with that have leading-edge Internet applications with corporate clients, about 75 percent would like to use active content. Of those, Brussin estimates that about 70 percent are delaying deployment of ActiveX in those applications.
But nobody is ruling out ActiveX forever. In addition to anticipating the more secure architecture of Windows NT 5.0, companies are watching the evolution of firewalls as they gain the ability to inspect and sort through incoming controls.
Back to: Microsoft's inActiveX