To members of the Forest List, especially Systems Administrators,

Here is some information for you to take note of:

> Microsoft Moves To Allay ActiveX Security Worries
> (02/20/97; 7:22 p.m. EST)
> By Clare Haney, TechWire
>
> Recently, the debate about the relative security merits of Microsoft's ActiveX components vs. Java applets has reached fever pitch. User concerns regarding the level of security offered by Microsoft's ActiveX controls have forced the company into offering advice on Internet security on its website.
>
> The move may be a reaction to a demonstration given by a hackers association late last month on German television exposing security flaws in ActiveX. As reported in TechWire, members of the Chaos Computer Club (CCC) were allegedly able to transfer funds illegally from Intuit's Quicken accountancy software using an ActiveX control to modify a user's Quicken transaction file.
>
> On Thursday, Microsoft took the unusual step of publishing an open letter to users from company Senior Vice President Brad Silverberg on its security web page. In the letter, Silverberg refers directly to the CCC demo. "While it is unfortunate that hackers have created this harmful program, it does point out the need for users to act cautiously and responsibly on the Internet, just as they do in the physical world." He concluded, "We expect hackers and virus writers to get increasingly sophisticated, but we pledge we'll continue to keep you and us one step ahead of them."
>
> Microsoft has also made its Web Executable Security Advisor program available free on its website http://www.microsoft.com/security. The program aims to help keep users up to date with Internet security issues, particularly those related to Microsoft software, by cobbling together a mix of new data with relevant information already existing on the company's website.
>
> Microsoft also announced its intention to hold a Web Executable Security roundtable in mid-spring so it can directly poll customers on what kind of balance they would like to see being struck between functionality and security for downloadable applications.
>
> Intuit, initially rather blasé about the hackers' demo, took the opportunity this week to state that if users did have concerns about ActiveX's security, they "should consider disabling the ActiveX capability in their browser or using a browser such as Netscape Navigator, which does not support ActiveX." The company is also rushing out a more secure German version that will be equivalent to the current U.S. release.
>
> Out Of The Frying Pan, Into The Sandbox
>
> The renewed security debate extends beyond the ActiveX arena. In its defense, Microsoft still continues to holler that the German hacker incident is not just limited to ActiveX, but affects any executable, be they Java applets, Navigator plug-ins, PostScript files, Apple Macintosh applications or Word macros.
>
> Java's sandbox technology, which ensures that Java applets cannot access or contaminate a user's computer resources, such as the operating system or hard drive, is also coming under scrutiny.
>
> Tod Nielson, general manager of developer relations at Microsoft, claimed that the development of any significant Java application, for example, a checkbook reconciliation application, needs to occur outside the safety of the sandbox. "You can't build anything more than eye candy or dancing hippos inside the sandbox," he quipped.
>
> Marianne Mueller, security staff engineer at JavaSoft in Mountain View, Calif., disagreed with that statement, claiming the sandbox is not nearly so limiting to development as Microsoft suggests. She also claimed that Java is much more secure than ActiveX, explaining, "With ActiveX you're pretty much at all times subject to applications, whether maliciously or due to bugs, being able to damage your underlying code. Java was architected from the start not to let that happen."
>
> Edward W. Felten, assistant professor in the department of computer science at Princeton University and co-author of Java Security: Hostile Applets, Holes and Antidotes, sided with JavaSoft. "I believe there's a fundamental difference between ActiveX and Java, as it is currently shipping. ActiveX relies on people making a good decision, whereas the Java sandbox relies on technology to prevent something bad from happening."
>
> But Felten stressed that the situation is changing as Java opens out more beyond the sandbox. The latest release of the Java Development Kit, version 1.1, which appeared last week, supports digital signatures, also known as code signing, so users can identify the originator of an application and download applets completely outside of the Java sandbox. Microsoft already offers code signing with a feature known as Authenticode, which is part of its web browser, Internet Explorer 3.0.
>
> JavaSoft said it is planning a more fine-grained approach to security in the next major release of its software. This means applications will only be let out of the sandbox to perform very narrowly defined tasks, for example, ensuring that an applet only accesses a specific database without being able to influence anything else on an end user's computer.
>
> The World Wide Web Consortium standards body has just completed the specification for a digital signature standard and is about to enter the implementation phase. Microsoft has submitted its Authenticode technology for approval, but JavaSoft said it believes that its submission is likely to play a much more significant role. "The W3's standard will be essentially the same as our digital signature technology," Mueller said.
>
> Once there's a standard digital signature, the next area to be addressed regarding Internet security is firewalls. Mueller revealed that JavaSoft will be hosting a discussion for firewall next week on safe firewall traversal. "We'll debate what needs to be done to allow specialized intelligent filtering at the firewall level."

---------------------------------------------------------------
God bless.
Nelson Wong
MTC