fernando.cassia
Larry Seltzer jumped up and down from his chair, ornerier than a rhino
in heat... in defense of poor defenseless ActiveX... it's always nice
to see Microsoft apologetics writing tiresome rants just when Redmond
is under fire and needs it...
Of course he forgets to mention the real issue... running unknown
"trusted" win32 code downloaded over the net (ActiveX) vs. Java's
"sandbox" security model...
Here's Seltzer's article:
The Lame Blame of ActiveX
http://www.eweek.com/article2/0,1759,1785769,00.asp
"Let's review: What exactly is ActiveX and what does it do that's
supposedly so dangerous? ActiveX controls are packages of code that can
run in the context of the browser. They are installable through a link
on a Web page. Exactly how different is this from having a link to an
executable file that you have to explicitly run? Essentially not at
all, except that the ActiveX version is more convenient. Even with
Firefox you can download and run an executable file"
"While there has been a striking lack of actual evidence that ActiveX
is unsafe, there has been no shortage of baseless assertions and cheap
shots against it. My favorite was the "Internet Exploder" incident in
which Sun actually paid someone to write a malicious ActiveX control. I
was there at JavaOne when they demonstrated it (I think it was 1997).
The test system brought up all the warning dialogs about the program
that you usually get and the Sun employee actually had the nerve to
keep whacking on the enter key quickly so they would close as quickly
as possible and didn't mention that there were any such warnings.
Meanwhile, they also didn't mention that a signed Java applet could
also perform dangerous privileged operations and would provide similar
warnings. Most ActiveX criticism is simply uninformed, but this example
was hypocritical and dishonest."
So, did Sun actually "pay someone to create a malicious ActiveX
control"?
And what is making Larry Seltzer jump up and down from his chair in
outrage in defense of Microsoft and ActiveX?
And why did he choose to include a statement hinting that "java is
about as insecure as ActiveX" but talking about TRUSTED SIGNED APPLETS
instead of the <EMBED> model that places restricted applets inside the
java sandbox?
Interesting... which reminds me of this May 2000 article:
http://news.com.com/2100-1001-240184.html?legacy=cnet
While Microsoft might have tightened the IE "security zones" and
defaults, I think the basics have remained unchanged. Am I wrong?
=======================================================
"Now, with mechanisms built into Windows and Office, Microsoft is
doing it for (virus writers)," (Gartner Group analyst John) Pescatore
said. "Here is your address book, so send out the virus to everybody
there at the speed of your CPU instead of relying on the person dumb
enough to send infected email."
"If that were off by default, it would be a whole lot more secure,"
said Reliable's McGraw. "Having it on by default is typical of
Microsoft's approach...In the case of the Love bug, it isn't even a
bug. It's just insecurely designed. It's not badly designed; Microsoft
intended for it to be that way."
Analysts say these recent outbreaks are similar to the Morris worm that
a dozen years ago crippled Unix systems and brought down the young
Internet. That virus exploited ties between Unix sendmail and the
operating system to redistribute itself via people's address books,
similar to what is happening with Outlook and Windows today.
Microsoft's critics frequently point to the Java programming language,
developed by Sun Microsystems, as a security paragon--at least compared
with Microsoft security methods.
"The Java approach is completely different," said McGraw, who is also
co-author of a book on Java security. "It was designed to protect
ignorant people from their own ignorance. And that may be a better
model for the future economy, with everything computerized and software
truly ubiquitous."
Java's security model works by establishing a so-called sandbox that
limits the areas of the computer the code can manipulate. Microsoft's
technologies, including Visual Basic and ActiveX--another frequent
target of analysts' security gripes--rely on the "trust" model, leaving
PC users to decide whether to grant incoming scripts and ActiveX
components power over their computers.
"The people who designed Java wrote it so that you can run whatever
you get as long as the model is perfect," said McGraw. "That leaves
room for error. But Microsoft lets you decide whether to give over
complete control. The I Love You thing is a perfect example of what
happens when you give that control with two clicks of the mouse. It's
incredible. That's all it takes to give away the keys to your
computer."
Other analysts agreed that Microsoft has a lot to learn from Java.
"Visual Basic...and Active X are nowhere near the security posture of
Java," Gartner's Pescatore said. "Java was designed with security in
mind. Visual Basic was designed to allow novice users to build
anything. C++ is not much better. (In) all programming languages until
Java came along, most of the common ones were pretty insecure from a
security perspective."
=======================================================
Thoughts, comments, expletives? Discuss...
flames?: (e-mail address removed)
FC