September 3, 2004 4:00 AM PDT

SP2 vs. the plug-ins

While security experts applaud Microsoft's recently released Service Pack 2, some companies that distribute their software over the Web are watching the product's introduction with dread and suspicion.

For years, software developers have offered applications to the world in Microsoft's Internet Explorer Web browser through the company's powerful proprietary API (application programming interface) called ActiveX. The technology starts up external applications, or "plug-ins," within a Web page.

News.context

What's new:
Microsoft's Service Pack 2 security update includes a more complicated alert system for ActiveX, which launches applications within a Web page.

Bottom line:
The changes have alarmed some software vendors that depend on ActiveX and have aroused suspicion that Microsoft is using security worries to further its strategic ends.

But a tool that can run good software in a browser can also run bad software, and as a result ActiveX has been implicated in a wide array of security scenarios, most recently in the surreptitious installation of adware, spyware and worse.

Microsoft's long-delayed and glitchy Service Pack 2, the security-focused update for the Windows operating system released this month, clipped ActiveX's wings with a more cautious alert system that springs into action when a Web site tries to run an ActiveX control, sprout a pop-up window or run other code.

In the past, IE prompted users with a simple "yes" or "no" option on a security screen before allowing plug-in installations. With SP2, IE blocks a site's attempt to install an ActiveX control by default, flashes an explicit warning that unknown software can harm a PC, and leaves the route to allowing the installation somewhat obscured.

The changes have alarmed some software vendors that depend on ActiveX and have aroused suspicion that Microsoft is using security imperatives to further its strategic ends.

"We are holding our breath waiting for it to fully deploy," said Alex St. John, who helped create Microsoft's DirectX graphics software during his tenure at the company from 1992 to 1997 and who now runs the WildTangent 3D games site. "Most likely what the user will do is be alarmed and confused by the SP2 warning and just cancel the whole thing. And a large percentage of people will not realize what happened in the first place...This destroys all business models associated with being able to play content in the browser."

Another vendor agreed that SP2 would disrupt the Web-based distribution of his 3D plug-in product.

"It's going to confuse end users," said Tony Parisi, founder of San Francisco-based Media Machines and co-creator of the VRML (Virtual Reality Modeling Language) and X3D (Extensible 3D) Web graphics specifications. "And I think this will hobble the independent software developers who have been using the Web and IE's great and relatively cheap way of distributing a product. I understand the security issues, but I think this is going to set the ISVs back," he said, referring to independent software vendors.

Years of gripes
The security issues aren't small. Microsoft's reining in of ActiveX follows years of complaints that the company didn't take system protection seriously enough and years of specific complaints about ActiveX security. Two and a half years ago, Bill Gates, Microsoft's co-founder and chief software architect, declared that security had become Microsoft's job No. 1.

IE has long required users to verify they wanted an ActiveX control loaded. But pre-SP2, those warnings proved both spoofable by malicious hackers and ineffective through repetition and the ease of clicking through them.

"What we found was that most users were becoming accustomed to saying 'OK' and not reading the (ActiveX warning) dialog," said Doug Stamper, an IE group program manager who worked on SP2. "We made these changes in the ActiveX user experience because users were getting drive-by downloads."

At the heart of the changes is Microsoft's new "information bar," a thin strip just below the Web address bar that carries warning messages. To allay concerns that users might miss the information bar, SP2 pops up a dialog box pointing it out every time it appears, until the user checks a box asking it to go away for good.

Depending on what a Web site has attempted to do, the information bar flashes a variety of warnings. When a site tries to run an ActiveX control, the bar reads, "This site might require the following ActiveX control...Click here to install."

For some software downloads--the free RealPlayer, for example--the bar reads: "To help protect your security, Internet Explorer blocked this site from downloading files to your computer. Click here for options."
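The prompting behavior described above is driven by a handful of registry settings: the Internet zone's ActiveX "URL actions" (whether signed or unsigned controls may be downloaded, run, or scripted), per-CLSID "kill bits" that stop a control from loading at all, and the pre-approved list SP2 introduced for controls that install without any prompt. The PowerShell script below, an added example that is not from the article or from Microsoft (PowerShell itself postdates the article, though it runs on XP SP2), reads those locations and flags settings looser than a chosen baseline. The registry paths and action numbers are the documented IE locations; the pass/fail baseline is this script's own assumption, chosen to match the Internet zone's "Medium" defaults.

```powershell
# Added example: audits the registry state behind IE's ActiveX prompting.
# Assumptions: XP SP2 or later IE; run as an administrator to read HKLM;
# HKCU reflects only the current user's zone settings. The baseline applied
# below (unsigned downloads and not-safe-for-scripting controls disabled,
# signed downloads at least prompting) is this script's choice.

$ZoneRoot    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # zone 3 = Internet
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$PreApproved = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved'

# URL-action IDs IE consults before downloading, running or scripting a control.
$ActiveXActions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
# Value encoding shared by all URL actions.
$Policy = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneAudit {
    if (-not (Test-Path $ZoneRoot)) { throw "Internet zone key not found: $ZoneRoot" }
    $zone = Get-ItemProperty -Path $ZoneRoot
    foreach ($id in ($ActiveXActions.Keys | Sort-Object)) {
        $raw = $zone.$id
        if ($null -eq $raw) {
            # No explicit value: IE's built-in default for the zone applies.
            $setting = 'not set (IE built-in default applies)'
            $finding = 'check'
        } else {
            $setting = $Policy[[int]$raw]
            if (-not $setting) { $setting = "unknown ($raw)" }
            $finding = switch ($id) {
                '1004'  { if ([int]$raw -eq 3) { 'ok' } else { 'PERMISSIVE' } }
                '1201'  { if ([int]$raw -eq 3) { 'ok' } else { 'PERMISSIVE' } }
                '1001'  { if ([int]$raw -eq 0) { 'PERMISSIVE' } else { 'ok' } }
                default { 'informational' }
            }
        }
        New-Object PSObject -Property @{
            Action = $id; Name = $ActiveXActions[$id]; Setting = $setting; Finding = $finding
        }
    }
}

function Get-KillBittedControls {
    if (-not (Test-Path $KillBitRoot)) { return }
    foreach ($key in Get-ChildItem -Path $KillBitRoot) {
        $flags = (Get-ItemProperty -Path $key.PSPath).'Compatibility Flags'
        # Bit 0x400 is the kill bit; other bits are unrelated compatibility flags.
        if ($flags -and (($flags -band 0x400) -ne 0)) {
            New-Object PSObject -Property @{ Clsid = $key.PSChildName; Flags = ('0x{0:X8}' -f $flags) }
        }
    }
}

function Get-PreApprovedControls {
    # Controls listed here install with no information-bar prompt at all.
    if (-not (Test-Path $PreApproved)) { return }
    foreach ($key in Get-ChildItem -Path $PreApproved) { $key.PSChildName }
}

# Usage
Get-ActiveXZoneAudit | Select-Object Action, Name, Setting, Finding | Format-Table -AutoSize
$kb = @(Get-KillBittedControls)
"Kill-bitted controls: $($kb.Count)"
$pa = @(Get-PreApprovedControls)
"Pre-approved (no-prompt) controls: $($pa.Count)  <- review any CLSID you did not expect"
$pa | ForEach-Object { "  $_" }
```

The pre-approved list deserves the closest look: a CLSID added there by an installer (or by malware running as administrator) bypasses the very prompt the article describes, so an unexpected entry is a finding in its own right. On 64-bit Windows the HKLM paths also exist under Wow6432Node for 32-bit IE.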

Microsoft said its research showed that the new system wasn't perfect, but that most people were able to navigate it.

"Our usability study and our engineering process suggest that this fared very well," Stamper said. "It wasn't 100 percent, but the vast majority understood its purpose."

The changes to ActiveX are by no means the only source of potential problems thrown up by SP2.

Microsoft and its partners have been expecting that its launch would result in a flood of technical support calls to vendors. One study found that information systems managers feared it would turn out to be the most difficult Windows update yet.

In addition, computer makers are warning their customers to do their homework before downloading SP2 through Windows' automatic update software.

Strategy through security?
With the Net reeling from one Windows-related security crisis after another, one industry analyst defended Microsoft's restriction of ActiveX.

"This is one of those issues where Microsoft is damned if it does and damned if it doesn't," said Peter O'Kelly, an analyst at the Burton Group. "If there's a trade-off between fixing security for everyone versus inconveniencing some ISVs and some end-users, it's not going to be much of a choice."

Microsoft's critics have suggested that the company's security measures have been implemented in ways that bolster its own businesses at the expense of others.

St. John, for example, noted that by switching from common Web technologies to Microsoft's .Net framework and the C# programming language, he would be able to bypass the new ActiveX security protocol. Because many of his gamers are on dial-up connections, he says .Net's comparatively bulky download makes that a bad option.

"Maybe breaking ActiveX forces a look at .Net," St. John said. "And it's all done with the pretext of security."

Making ActiveX harder to use could have an adverse effect on several software titles that compete with Microsoft's technologies. These include Apple's QuickTime media player, RealNetworks' RealPlayer, Adobe Systems' Acrobat document reader, and Macromedia's Flash animation software and Flex application server software.

One provider of Flash-reliant software for creating Internet-based applications put the matter more plainly.

"Most of the Net's security problems are not related to ActiveX," said David Temkin, chief technology officer for Laszlo Systems in San Francisco. "Microsoft is using this as an opportunity to tighten its control over client technologies. That's not a good thing for Flex, for Real, for QuickTime, and on and on and on."

Microsoft dismissed the notion that it was using security as a strategic pretext.

"The changes we made were to the benefit of the customer, putting the maximum information in their hands so they have control and informed notice and can give informed consent," Stamper said. "We do not prevent (software vendors) from working."

Echoes of the past?
Microsoft's defense may ring a bell for those who have followed the rise of the Windows operating system.

In 1999, the company had to fend off charges by operating system competitor Caldera that Microsoft had plotted to cause threatening error messages to arise with Caldera's DR-DOS software. Microsoft settled that case in 2000.

Today, Microsoft's critics point to two high-profile competitive struggles where SP2's ActiveX warning system could make an impact: media players and Internet-based productivity applications.

Because Windows Media Player comes preinstalled with Microsoft's operating system, it enjoys an immediate advantage over competitors such as RealPlayer and QuickTime. If Microsoft's new warnings scare off users from loading ActiveX controls, that could increase that advantage.

RealNetworks currently has an antitrust case pending against Microsoft, in which it claims the Windows monopoly is limiting consumer choice in online media players.

Citing its antitrust case, RealNetworks declined to comment for this story.

Adobe, which increasingly competes with Microsoft, declined to comment on the potential vulnerability of its Acrobat document reader plug-in. Apple declined to be interviewed but said in a statement: "We've tested QuickTime running with Microsoft's SP2 update in Windows XP and have not seen any negative effects for plug-in based content."

Macromedia also sought to quell concern over its ability to distribute its Flash player through SP2, stressing that since the spring it had worked with Microsoft on the release to strike a balance between better security and ease of use.

Independent software companies that believe the present ActiveX warnings are bad should have seen the trial versions, said Kevin Lynch, Macromedia's chief software architect.

"Initially, the experience for end users installing ActiveX controls made it pretty difficult to get through that successfully," Lynch said. "The wording of the prompts was not very clear about what was being asked of the user, and it erred too much on the side of saying 'This will be dangerous to your machine.' But Microsoft was very responsive, and we got to the point where we're happy with the process."

Macromedia's relationship to Microsoft could be described as a textbook case of cooperative competition. On the cooperative side, Microsoft is largely responsible for the nearly ubiquitous distribution of Macromedia's Flash player, because it bundles version 5 of the software with Windows XP.

Macromedia Flash has the distinction of being the only third-party software packaged into SP2. That bundling means Windows folks will get an automatic upgrade to Flash 6 from Flash 5.

On the competitive side, Microsoft chose not to bundle Macromedia's latest player, Flash 7. That's what computer users need to run applications that work with Macromedia's Flex platform for Internet-based applications. The combination of the Flex server software and Flash 7 aims to provide exactly the kind of graphics-intensive, speedy Internet applications that Microsoft plans to offer with its long-delayed Longhorn update to Windows.

"Microsoft doesn't want to ship Flash 7," Burton analyst O'Kelly said. "I don't disagree with the speculation that Microsoft sees that as more competitive" than earlier versions of Flash, he added.

A Microsoft representative said the company chose Flash 6 over Flash 7 for technical and security reasons.

Macromedia said that Microsoft had originally cited concerns by the European Union over self-updating software as a strike against Flash 7. Microsoft later withdrew those concerns, Macromedia said.

Whatever Microsoft's motivations, the decision means people will have to leap ActiveX security hurdles if they use an SP2-loaded system to open a Web page that requires Flash 7.

Flash 7 adoption has made swift progress, Macromedia said. The company estimates that the software now sits on more than 66 percent of computers on the Internet in the United States and 81 percent in Europe.

Other software vendors remain anxious about life under the new security regime.

"It's exacerbated the plug-in problem," said Media Machines founder Parisi. "Just when my customers' clients are over the problem of handling plug-ins, they have a whole new hurdle they have to jump."

And while plug-in vendors brace for SP2, Laszlo Systems is preparing for worse things to come, aware that software developers who rely on Flash and ActiveX live by Microsoft's good graces.

"The real uncertainty around this isn't with SP2," said Temkin, the company's technology chief. "The real uncertainty is with Longhorn. Is Microsoft going to be bundling any version of Flash whatsoever? Will they make it difficult to access or scare people into not downloading it? Our approach is that some time before the shipment of Longhorn, our software will be made to work with the .Net client--which means that no installation of ActiveX will be necessary."

11 comments
Alternative
Instead of switching from ActiveX to .Net, perhaps developers should consider switching to technology that is both cross platform and cross browser compatible. I currently use Firefox in both Windows and Linux. If their content won't display there, I'll never see it.
Posted by (4 comments )
how about..
how about instead of replying to every internet explorer / windows thread with an unhelpful suggestion of swapping to linux/firebird you try to be a little more constructive? What is right for you is not right for the next person.

I'm sure many people would applaud your suggestions, and the obvious intellect you think you have over most other people purely because of a preference in open source software. However I do not. Past experiences with bad security in ActiveX and other Microsoft-specific technologies may have tainted your views of overall security with Microsoft, but at least they are attempting to fix these issues (even if that means hard choices), and for the most part they are resting the onus of potential security risks firmly where they belong - on the users' shoulders. Microsoft still has some work to do on subsequent versions of Internet Explorer. I for one hope they succeed - a more secure browser which supports all of the wonderful technologies that other browsers do not has to be better than the alternative you suggest?

Although I seriously doubt that any Linux user will ever concede a feature-rich secure browser would ever be better than their beloved Firefox.
Posted by (5 comments )
ISVs have made their beds
By not developing or helping develop in an open structure, ISVs have limited themselves and have given Microsoft control of their products. ISVs should really look into a cross-platform structure. If not, Microsoft can develop similar products to compete and have ISVs pay to allow them to run, or turn them off completely.
Posted by (5 comments )
hrmmm,
Two examples given in the story - web-delivered games, and 3D plug-ins - both of which Microsoft has an interest in (game studios and 3D APIs), and as yet we have seen no such monopolisation by Microsoft as you hint at, and I doubt we will for the foreseeable future.

A fair point about cross-platform, although one could argue that with Microsoft having such a large percentage of the desktop and internet browser market, ISVs are aiming for the largest proportion. Most of the larger and well-known browser plug-ins are operating system and browser independent.
More of an issue is the trust factor behind delivering content in this manner. I personally do not trust most sites which automatically attempt to install any kind of plug-in or browser add-on; this includes Macromedia. Microsoft's initiative in alerting the end user to the potential security and privacy risks they are opening themselves to by instinctively installing any browser add-ons should be seen as a good thing in the long term, not only from a security standpoint, but also in allowing ISVs to gain much-needed trust from customers, and a loyal fanbase (good products, word of mouth, etc.)
Posted by (5 comments )
Not just ISVs
The customer is just as bad for allowing certain firms (not just m$) to dictate standards to us. Even if your avg. customer isn't qualified to discuss the topic at hand, the government has the ability and the duty to gather competent, impartial people to set the standard(s) and to inform people when a corporation's product does not meet the standards for the applicable area.
Posted by mpotter28 (130 comments )
Be careful what you ask for...
... cuz you just might get it... for years people have been complaining that ActiveX and some other plug-ins are a security nightmare waiting to happen. You complain and shout that MS needs to take a harder stance with ActiveX and with security. Finally, after years of waiting, they finally do, and all you can do is complain? This drama over SP2 is getting a bit ridiculous. Look, I'm no big fan of MS and I spend time every day looking at alternatives when it's appropriate, but in the interest of being fair, all this complaining about SP2 is a joke. MS took some good first steps and did what we asked them to do: make IE more secure and rein in ActiveX. Now you want to complain about it?

Like I said: Be careful what you ask for.
Posted by (1 comment )