ActiveX apologetic Larry Seltzer... "Sun paid for malicious ActiveX code, and Firefox is bad, bad ba

Discussion in 'Java' started by, Apr 16, 2005.

  1. Guest

    Larry Seltzer jumped up and down from his chair, ornerier than a rhino
    in heat... in defense of poor defenseless ActiveX... it's always nice
    to see Microsoft apologetics writing tiresome rants just when Redmond
    is under fire and needs it...

    Of course he forgets to mention the real issue... running unknown
    "trusted" win32 code downloaded over the net (ActiveX) vs. Java's
    "sandbox" security model...

    Here's Seltzer's article:

    The Lame Blame of ActiveX,1759,1785769,00.asp

    "Let's review: What exactly is ActiveX and what does it do that's
    supposedly so dangerous? ActiveX controls are packages of code that can
    run in the context of the browser. They are installable through a link
    on a Web page. Exactly how different is this from having a link to an
    executable file that you have to explicitly run? Essentially not at
    all, except that the ActiveX version is more convenient. Even with
    Firefox you can download and run an executable file"

    "While there has been a striking lack of actual evidence that ActiveX
    is unsafe, there has been no shortage of baseless assertions and cheap
    shots against it. My favorite was the "Internet Exploder" incident in
    which Sun actually paid someone to write a malicious ActiveX control. I
    was there at JavaOne when they demonstrated it (I think it was 1997).
    The test system brought up all the warning dialogs about the program
    that you usually get and the Sun employee actually had the nerve to
    keep whacking on the enter key quickly so they would close as quickly
    as possible and didn't mention that there were any such warnings.
    Meanwhile, they also didn't mention that a signed Java applet could
    also perform dangerous privileged operations and would provide similar
    warnings. Most ActiveX criticism is simply uninformed, but this example
    was hypocritical and dishonest."

    So, did Sun actually "pay someone to create a malicious ActiveX
    And what is making Larry Seltzer jump up and down from his chair in
    outrage in defense of Microsoft and ActiveX?

    And why did he choose to include a statement hinting that "Java is
    about as insecure as ActiveX" but talking about TRUSTED SIGNED APPLETS
    instead of the <EMBED> model that places restricted applets inside the
    Java sandbox?

    Interesting... which reminds me of this May 2000 article:

    While Microsoft might have tightened the IE "security zones" and
    defaults, I think the basics have remained unchanged. Am I wrong?

    "Now, with mechanisms built into Windows and Office, Microsoft is
    doing it for (virus writers)," (Gartner Group analyst John) Pescatore
    said. "Here is your address book, so send out the virus to everybody
    there at the speed of your CPU instead of relying on the person dumb
    enough to send infected email."

    "If that were off by default, it would be a whole lot more secure,"
    said Reliable's McGraw. "Having it on by default is typical of
    Microsoft's approach...In the case of the Love bug, it isn't even a
    bug. It's just insecurely designed. It's not badly designed; Microsoft
    intended for it to be that way."

    Analysts say these recent outbreaks are similar to the Morris worm that
    a dozen years ago crippled Unix systems and brought down the young
    Internet. That virus exploited ties between Unix sendmail and the
    operating system to redistribute itself via people's address books,
    similar to what is happening with Outlook and Windows today.

    Microsoft's critics frequently point to the Java programming language,
    developed by Sun Microsystems, as a security paragon--at least compared
    with Microsoft security methods.

    "The Java approach is completely different," said McGraw, who is also
    co-author of a book on Java security. "It was designed to protect
    ignorant people from their own ignorance. And that may be a better
    model for the future economy, with everything computerized and software
    truly ubiquitous."

    Java's security model works by establishing a so-called sandbox that
    limits the areas of the computer the code can manipulate. Microsoft's
    technologies, including Visual Basic and ActiveX--another frequent
    target of analysts' security gripes--rely on the "trust" model, leaving
    PC users to decide whether to grant incoming scripts and ActiveX
    components power over their computers.

    "The people who designed Java wrote it so that you can run whatever
    you get as long as the model is perfect," said McGraw. "That leaves
    room for error. But Microsoft lets you decide whether to give over
    complete control. The I Love You thing is a perfect example of what
    happens when you give that control with two clicks of the mouse. It's
    incredible. That's all it takes to give away the keys to your

    Other analysts agreed that Microsoft has a lot to learn from Java.

    "Visual Basic...and Active X are nowhere near the security posture of
    Java," Gartner's Pescatore said. "Java was designed with security in
    mind. Visual Basic was designed to allow novice users to build
    anything. C++ is not much better. (In) all programming languages until
    Java came along, most of the common ones were pretty insecure from a
    security perspective."

    Thoughts, comments, expletives? Discuss...

