Microsoft to increase ActiveX control security

Microsoft is--ahem--actively seeking ways to augment the Authenticode digital signature and certificate security model used by ActiveX controls. The proliferation of the controls on the Net has finally caused Microsoft to realize that existing security

Paul Thurrott

February 9, 1997

1 Min Read
ITPro Today logo in a gray background | ITPro Today

Microsoft is--ahem--actively seeking ways to augment the Authenticode digital signature and certificate security model used by ActiveX controls. The proliferation of the controls on the Net has finally caused Microsoft to realize that existing security measures are weak at best. Under consideration: HTML signing, proxy-server and firewall improvements, and a database that stores security status information.

HTML signing works by ensuring that an ActiveX control can only run when the Web page that contains the control is being viewed. Proxy-server and firewall improvements would allow network administrators to screen code in the same way that virus software scans for viruses, and then not admit dangerous controls. Microsoft is also looking into creating a database of Java applets and ActiveX controls, possibly maintained by a third-party company, that would act as a clearinghouse for the code and provide a seal of approval.

In a related development, the lack of ActiveX security allowed hackers in Germany to demonstrate a control on television that takes money from one bank account and deposits it--illegally--in another. Supposedly, a customer PIN will prevent this from happening, but the control fakes the computer into making the transfer. Microsoft will kick off an educational campaign in the coming weeks to alert people to safe ActiveX control usage: this sort of control can only do what it needs to do if people allow it to. This is fairly easy, however, since most people wouldn't realize the risk

Read more about:

Microsoft

About the Author

Paul Thurrott

Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like