Microsoft gives Sun the raspberry over ActiveX/Java security

Microsoft has published a white paper refuting claims made by Sun and, morespecifically, by Sun CEO Scott McNealy, who did an "ActiveX demo" last weekat JavaOne. Microsoft's response is interesting, and while I will leave itto you to read the whole thing, here are a couple of quotes:

"The reality is that this is not a security flaw in ActiveX. The exact samedemonstration can be created with any programming language, and be written as a Netscape Navigator Plug-in, or as a Java applet with the next version of Java."

"What Mr. McNealy did not mention is that the author of [the] malicious [ActiveX] program may not be able to receive a license (digital certificate)to create and sell software in our industry because he violated the trust-based license agreement."

"The next version of Java proposes a trust-based security model similar to the ActiveX model that Microsoft has been shipping since August 1996. [Sun],too, realizes that developers cannot build useful applications within the constraints of their so-called 'secure' technology...Please don't just takeour word for the fact that both Sun and Netscape are pursuing a trust-basedsecurity model. Check out the information on their own Web sites:

Read Sun's trust model

Read Netscape's trust model

Now compare these with Microsoft's"

"At the JavaOne ActiveX demo, a key fact that Sun and subsequent press articles did not point out was that Mr. McNealy was given the option to NOTdownload the program and was warned by Internet Explorer of the risks of running programs from untrusted authors."

--

Well, OK. Clearly, Microsoft and Sun are involved in the deadly game ofwinning developer and consumer mindset. While I still think ActiveX has some pretty serious security issues, Microsoft is correct about Java heading toward an ActiveX-style security model, a point I've made in previous issues of WinInfo. It'd be interesting--and ironic--if Java wasone day successful because of this very decision