Date: Tue, 11 Feb 1997 14:46:08 +0100
From: Klaus Brunnstein
Subject: Hostile ActiveX Control demonstrated

In a German TV show, 3 East German hackers (remotely linked to the in/famous Chaos Computer Club) demonstrated how inherent risks of Microsoft's ActiveX technology can expropriate naive users. The hackers prepared a Web page attracting the interest of surfers ("Becoming millionaire in 5 minutes"). When this Web page was contacted via Microsoft's Internet Explorer, an ActiveX control would be downloaded into the victim's computer. This control would access Quicken (a program aimed at assisting electronic banking) to generate a transaction form to transfer some electronic cheque to some account specified by the hackers; this cheque would be transmitted with the next collective remittance.

This may be the first "Hostile Control" which has been demonstrated in public (btw: several Hostile Java Applets have appeared at several Internet sites; as such Hostile Applets as well as experiments with Java "viruses" have not been publicly displayed, the broad public tends to assume that Java Applets are "secure" :-).

According to some Microsoft expert, "all users should know" that ActiveX may have such side-effects which may include sniffing of disks as well as remote installation of software. A spokesman representing Microsoft Germany even suggested disabling ActiveX if the system is used for purposes of electronic fund transfer.

Concerning general protective action against malign effects of ActiveX, Microsoft suggests using its ActiveX "certification" option: users should "only allow" remote access from "trustworthy" programmers. A 3-level scheme (low - medium - high) of trust is supported. On "high", only controls with an "authenticode" are permitted; no warning is given when such a code is detected. Any programmer can buy his authenticode for 20 dollars. Any risk? No risk if you regard Microsoft or its affiliated programmers as "trustworthy".

Klaus Brunnstein (10 Feb 1997)

PS: concerning "trustworthiness": apart from many safety and security problems, users owe Microsoft the deployment of the first Macro virus (Concept.A), and the proliferation of several Wazzu's which have escaped from several Microsoft CD-ROMs and WWW pages to the "interested public". Users will experience major problems with enhanced macro viruses to work under Office 97, and users will see more platforms to be attacked. Thanx to Microsoft :-)