Five years ago: ActiveX script for disaster highlights IE security flaw

Internet Explorer users running Windows 95 may be open to a whole new range of Net-hosted attacks

First published 8 April, 1997

Internet Explorer users running Windows 95 may be open to a whole new range of Net-hosted attacks. A demonstration of a potentially lethal interaction between software components, detailed on our sister publication Windows Sources' Web site, has shown how software that has been certified by IE's Authenticode security system can be controlled by uncertified -- and uncertifiable -- Web scripts.

In brief, the problem arises when a utility or other program uses an OCX file or other component that can be controlled by a script. In this case Symantec's Norton Utilities 2.0 has a scriptable component called TUNEOCX.OCX: ActiveX-aware Web pages can detect this and feed it instructions. Because TUNEOCX.OCX is a legitimate module, installed as part of a shrink-wrap commercial package, it has full access to all local applications including email, DOS's FORMAT and FTP commands, and anything else that might be on the system. Scripts for it can be written in plain text resembling a simple DOS batch file, embedded in a Web page and passed directly to the component without any form of security authentication or user interaction. ActiveX's certification only applies to executables, and there is no other security provided on Windows 95.

This is the first instance of a problem long predicted. ZDNet UK staff have often raised this and similar possibilities with Microsoft technical staff, only to be told that such problems were hypothetical and very unlikely to occur in real life. In theory, any widely distributed client software with scriptable ActiveX components is vulnerable to this threat. There is no way of guarding against it short of disabling all ActiveX scripting within IE. Any plug-in that treats data from the Web as scripts remains a potential wormhole through which carelessly written or actively hostile actions may pass: Macromedia's Shockwave had just such potential, but has recently been fixed.

No wholly satisfactory solution for ActiveX on Windows 95 is in sight. Java components on any platform are inherently secure against script attacks, since the range of actions Java programs can perform is severely limited. Windows NT has inherent security that can be configured to protect the system from any software the user may run. The combination of Internet Explorer, Windows 95 and scriptable third-party software is and will remain potentially dangerous.