next up previous contents
Next: Referer Up: Security Previous: Java   Contents

ActiveX

ActiveX controls are programs that are embedded in HTML documents and are similar in concept to Java applets. The major difference between them is that ActiveX controls are not platform-independent. Instead, they are native executable programs compiled for a specific platform, typically Windows 95 or NT. Also unlike Java, ActiveX controls do not run inside a security monitor; once loaded, a control runs with the full privileges of the user. In fact, there is almost no security whatsoever. The security model that does exist is based on digital signatures. Under this model a known authority digitally signs an ActiveX control after the author states that the program is secure. There is no guarantee that the program is actually secure. The only thing the signature guarantees is that the program has not been modified since it was signed and that it came from the signer.

Since ActiveX does not have much of a security model, ActiveX security can be easily exploited. A good example of such an exploit is the ActiveX control named Exploder[*]. This signed ActiveX control performs a system shutdown of any Windows 95 system that downloads an HTML page containing it. Exploder was written only to demonstrate the lack of security in ActiveX and was therefore not malicious in intent. However, harmful ActiveX controls do exist. In February 1997 the Chaos Computer Club demonstrated an ActiveX control that could transfer money between a user's bank accounts without the user's knowledge and circumvent the normal password security system. This control, which can be downloaded and executed by an unsuspecting user, works by looking for the Quicken application on the user's computer and using it to perform bank account transfers.
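The two paragraphs above make one point about the signature-based model: a valid signature proves origin and integrity, not safe behaviour. The following added example (not code from this thesis, and not Microsoft's actual Authenticode implementation) makes that concrete with a toy textbook-RSA signature over a SHA-256 digest. The key-pair helper, the tiny constructed primes, the names `sign_control`, `signature_valid`, `trust_decision` and `demonstrate`, and the byte strings standing in for control binaries are all assumptions made for illustration. A control whose stated behaviour is "shut the machine down", signed by the trusted authority, verifies exactly as well as a harmless one; only a tampered control, or one signed by a key the browser does not trust, is rejected.

```python
"""Toy illustration of what an ActiveX-style code signature guarantees.

Added example, not the thesis's code. Uses textbook RSA with tiny
constructed primes purely so the arithmetic is visible; real code-signing
keys are thousands of bits and use padded signature schemes.
"""
import hashlib
from typing import Iterable, Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


def toy_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Build a (public, private) textbook-RSA pair from two primes.
    Constructed for illustration only; never use keys this small."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


# Constructed "signing authority" and an unrelated self-signer (toy primes).
AUTHORITY_PUB, AUTHORITY_PRIV = toy_keypair(104729, 1299709)
STRANGER_PUB, STRANGER_PRIV = toy_keypair(1009, 1013)


def _digest(control: bytes, n: int) -> int:
    """SHA-256 of the control bytes, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(control).digest(), "big") % n


def sign_control(control: bytes, private_key: Key) -> int:
    """Authority signs the digest of the control with its private exponent."""
    n, d = private_key
    return pow(_digest(control, n), d, n)


def signature_valid(control: bytes, signature: int, public_key: Key) -> bool:
    """Browser-side check: does the signature open to the control's digest?"""
    n, e = public_key
    return pow(signature, e, n) == _digest(control, n)


def trust_decision(control: bytes, signature: int,
                   trusted_keys: Iterable[Key]) -> str:
    """What the signature model alone lets the browser conclude.

    Note that the decision never looks at what the control does; it can
    only say who signed it and that it is unmodified since signing."""
    for key in trusted_keys:
        if signature_valid(control, signature, key):
            return "signed-by-trusted-authority"
    return "rejected"


def demonstrate() -> dict:
    """Run four constructed controls through the signature check."""
    trusted = [AUTHORITY_PUB]
    # Constructed stand-ins for control binaries (plain text, not executables).
    benign = b"ACTIVEX-CONTROL: draws a spinning logo"
    exploder = b"ACTIVEX-CONTROL: shuts the machine down"  # Exploder-like

    benign_sig = sign_control(benign, AUTHORITY_PRIV)
    exploder_sig = sign_control(exploder, AUTHORITY_PRIV)

    # Modified after signing: the old signature no longer matches.
    tampered = benign.replace(b"logo", b"logo and reads files")
    # Signed by a key the browser does not trust.
    self_signed = sign_control(exploder, STRANGER_PRIV)

    return {
        "benign": trust_decision(benign, benign_sig, trusted),
        "exploder": trust_decision(exploder, exploder_sig, trusted),
        "tampered": trust_decision(tampered, benign_sig, trusted),
        "self_signed": trust_decision(exploder, self_signed, trusted),
    }


if __name__ == "__main__":
    for name, verdict in demonstrate().items():
        print(f"{name:12s} -> {verdict}")
```

The `exploder` entry is the lesson: it comes back "signed-by-trusted-authority" because the authority signed it, so a browser that equates "validly signed" with "safe to run" has no defence against a signed control with harmful behaviour. The practical mitigations this implies are to treat the signer allow-list (`trusted_keys`) as a policy decision rather than accepting any recognised authority, and to rely on containment or user consent for what the control may do, since the signature itself says nothing about that.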


Mark R. Boyns
1999-01-12