
German TV Demonstration Raises ActiveX Security Questions

Microsoft technology used to transfer funds from PC user's bank account.

A recent German TV demonstration in which hackers used Microsoft's ActiveX technology to make electronic funds transfers without an account holder's knowledge has once again raised questions about ActiveX's security features.

In a January 28 TV demonstration, members of the Chaos Computer Club showed how an ActiveX program could take control of a PC and transfer funds from a bank account on Intuit's Quicken financial network without the user's knowledge.

Computer security expert Dan Wallach, a graduate student at Princeton University, said the Chaos demo supports his belief that ActiveX on the Internet is a disaster waiting to happen. He said that unlike Java, ActiveX hands full control of a PC over to the application developer, thereby opening up all sorts of unpleasant possibilities.

"An ActiveX control is really just another Windows program," Wallach said. "One Windows program can do anything to the computer; there's nothing to stop any Windows program from deciding to format your hard drive, for example.

"Because that kind of security protection isn't built into the operating system...there's nothing to prevent ActiveX from doing bad stuff to your machine."

Java, in contrast, does not rely directly on the Windows operating system but requires an interpreter, the Java Virtual Machine, which provides its own layer of protection, Wallach said.

Microsoft officials could not be reached for comment on the Chaos incident. But after one publicized case last summer in which a program known as Internet Exploder took advantage of the security loophole by shutting down power on a user's PC, Microsoft pointed out that Internet Explorer 3.0 has built-in security, known as Authenticode, which attempts to prevent such attacks.

Authenticode tries to identify the author of a Java applet, an ActiveX control, or a plug-in and determine that the component hasn't been tampered with in transit to your desktop. When IE3 users download software, a warning screen pops up saying the code may not be what it says it is.
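As an added illustration of the last two points (not code from the article, from Microsoft or from the Chaos Computer Club), the following is a simplified model of what a signing check like Authenticode answers and what it leaves unanswered. Textbook RSA over a SHA-256 digest with toy-sized keys stands in for the real certificate machinery; the publisher name, trust store and control bytes are constructed.

```python
"""Simplified model of an Authenticode-style code-signing check.
Added example; not code from the article, Microsoft or the CCC.
Assumptions: textbook RSA over SHA-256 with toy-sized keys stands in
for X.509/RSA, and publisher names and control bytes are constructed."""
import hashlib
import random

_rng = random.Random(1997)  # fixed seed: same toy keys on every run


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if _is_probable_prime(cand):
            return cand


def make_keypair(bits=256):
    """Textbook RSA keypair (toy size): (public=(n, e), private=(n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_mod_n(code, n):
    return int.from_bytes(hashlib.sha256(code).digest(), "big") % n


def sign(private_key, code):
    """Publisher side: sign the hash of the control with the private key."""
    n, d = private_key
    return pow(_digest_mod_n(code, n), d, n)


def verify(public_key, code, signature):
    """Browser side: recompute the hash and check it against the signature."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(code, n)


# Constructed trust store: publisher name -> public key (a certificate
# binds these together in the real scheme).
_pub, _priv = make_keypair()
PUBLISHER_KEYS = {"Example Software Ltd": _pub}


def signing_check(code, signature, publisher):
    """The only verdicts a signing check can reach: every branch is about
    origin and integrity; none of them looks at what the code does."""
    public_key = PUBLISHER_KEYS.get(publisher)
    if public_key is None:
        return "warn: unknown publisher"
    if not verify(public_key, code, signature):
        return "blocked: signature does not match control bytes"
    return "run with full user privileges"


# Constructed samples: two controls from the same publisher, both signed.
CONTROL = b"MZ\x90\x00 constructed control that shows a stock ticker"
CONTROL_SIG = sign(_priv, CONTROL)
OTHER_CONTROL = b"MZ\x90\x00 constructed control with unreviewed behaviour"
OTHER_SIG = sign(_priv, OTHER_CONTROL)


def demo():
    """Run the cases the article discusses and return the verdicts."""
    return {
        "genuine": signing_check(CONTROL, CONTROL_SIG, "Example Software Ltd"),
        "tampered": signing_check(CONTROL + b"\x00", CONTROL_SIG, "Example Software Ltd"),
        "unknown": signing_check(CONTROL, CONTROL_SIG, "Nobody In Particular"),
        "signed_but_unreviewed": signing_check(OTHER_CONTROL, OTHER_SIG, "Example Software Ltd"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>22}: {verdict}")
```

Running it prints four verdicts. A tampered download and an unknown publisher are caught, which is exactly what the warning screen is for. The last case is the one Wallach's objection turns on: a properly signed control from a trusted publisher is run with the user's full privileges whatever it does, because the check establishes who wrote the code and that it arrived intact, not what it will do once it runs.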

Nonetheless, Princeton's Wallach said ActiveX is an inherently insecure technology, and advised Internet Explorer users to turn it off in the Options section of the browser setup.
