Cyber-commerce threatened by malicious code

For anyone browsing the Net, opening up a Java applet or ActiveX control could result in malicious mobile code attacking files and wiping out systems. According to Alison Taylor, spokeswoman for Finjan this could have major implications not only for individual users but for corporations and the development of e-commerce. "Over 90% of e-commerce is written in Java, so it must be one of the top priorities for companies. Security and e-commerce must walk hand n hand" she said.

The threat of rogue code was echoed by market analysts Dataquest. "It is potentially a serious thing. Any time someone clicks on to a dynamic aspect of a web page, the chances are it will be a Java applet or an ActiveX control running. This programme will want to run on your machine and if it is malign it could wipe things out," said Ken Fraser, analyst for Dataquest Europe.

Finjan has developed software which enables users to set and enforce a security policy for Java and ActiveX. The latest, SurfinGate 4.02, is a Java Script version and will be available by the end of this month. The software works by spotting mobile code and alerting the user. It is then up to the users to decide what is an acceptable risk, and organize what the code accordingly. The software is regarded by some analysts as a more sophisticated system than others on the market, as it is capable of a more thorough investigation of the code.

Both Netscape and Microsoft are aware of the problem and have in-built security systems. Microsoft's Internet Explorer has a label attached to all ActiveX controls which certifies legitimate data as safe. For Netscape, Sun has developed a "sandbox" which creates a filter for Java applets, only allowing recognized or authorized applets to get through the firewall. Roger Keyse, product manager for security products at Sun believes the sandbox provides adequate protection "as part of the overall strategy to give end to end security", but accepts it may not be enough to reassure everyone. "Software can be complementary if people are paranoid and it is quite right that they should be" he said.

But Heather Stark, principle consultant at Ovum, warned that users not be lulled into a false sense of security by vendors' promises. "There isn't an easy system for corporate or individual users to decide what they can or cannot trust. Any security software is never a final solution. It has to adapt to the creativity of the people making malign mobile code.