
Last modified: March 6, 1997 3:30 PM PST

Microsoft security flaws run deep

(continued from previous page)

But ActiveX is not the only security headache Microsoft is suffering. There are also problems with its Internet Explorer browser.

Earlier this week, the company worked around the clock to fix a hole related to ".url" and ".lnk" files, commonly known as Windows 95 and NT Shortcuts. A group of students found that by planting Shortcuts on a Web site they could trigger resident Windows 95 and NT programs to delete and manipulate files on a user's computer. Users who receive Shortcuts through email and newsgroups face the same risks.

Users of Netscape Communications' Navigator were not affected by the glitch. But analysts speculate that Microsoft could not have foreseen the potential security risks of using Shortcuts in the Internet space.

"There's a naïveté in the whole story about how the desktop and the Internet can be seamlessly linked," Dolberg said.

Microsoft executives said they would consider eliminating support for Shortcuts in Explorer if enough users requested it. But today, another group of students claims to have discovered an unrelated security hole that could also allow hackers to access files on users' computers.

The company could run into new security problems when it releases Internet Explorer 4.0 later this year, which will be even more thoroughly integrated with its operating systems.

"I would say that you have to seriously question the integrity of Internet Explorer at this point because this was such a big hole," said Stephen Cobb, director of special projects at the National Computer Security Association. "Microsoft's statement that they do a lot of testing is worrying, because if they did a lot of testing and didn't find this problem, their testing is very flawed."

Microsoft says that its technologies have been singled out for criticism, while the security risks of other executable code, including plug-ins that work with Navigator and Java applets, have been ignored.

"This is the big delusion that is so pervasive," said Willis. "You can single out this [ActiveX] component architecture, but none of this stuff is safe."

Some analysts believe that more bugs are appearing in Microsoft's Internet technology simply because more people are scrutinizing it than any other company's products.

"They are held to a higher standard than the other guys," said Rob Enderle, a senior industry analyst at Giga Information Group. "It's not a case of them being less competent. It's that they are expected to be more competent because they have so much stuff out there."

To be sure, Java does not provide complete protection against hacker attacks. (See related story)

Furthermore, some analysts say Java security is beginning to resemble that of ActiveX more and more. In the latest release of the Java Development Kit, developers can allow their applets to go outside the sandbox to perform certain tasks like reading or writing files to a hard disk. However, Java supporters say the technology will still provide tighter protections than ActiveX by limiting what an applet can do.

"The issue is whether you give them carte blanche access or you give developers constrained access," said Jeff Treuhaft, director of security platform and tools at Netscape.

The debate over Internet security risks will certainly rage on as long as the network is around. Fortunately, the majority of security holes have been discovered by hackers more intent on exposing the holes than maliciously exploiting them.

There are, of course, exceptions. Earlier this year, several adult Web sites tricked thousands of users into downloading a special program that surreptitiously made expensive long distance calls to Moldova. The program worked with any Web browser.

Security experts are critical of vendors who downplay security breaches because they haven't been widely abused by unscrupulous hackers. Even if no one's computer is actually hurt by a security hole, companies have to spend time and money to patch up their systems, said Cobb of NCSA, referring to Microsoft's actions following the IE Shortcuts glitch.

"It's difficult [for Microsoft] to weasel its way out with the 'it does no damage' excuse, because systems administrators are already looking at a big cost hit," he said.
