ActiveMac - The Most Activated mac Resource

ActiveMac

User Controls

New User

Edit/View My Profile

ActiveMac

Articles

Forums

Links

News

News Search

Reviews

News Centers

Windows/Microsoft

DVD

ActiveHardware

Xbox

MaINTosh

News Search

ANet Chats

The Lobby

Special Events Room

Developer's Lounge

XBox Chat

FAQ's

Windows 98/98 SE

Windows 2000

Windows Me

Windows "Whistler" XP

Windows CE

Internet Explorer 6

Internet Explorer 5

Xbox

DirectX

DVD's

TopTechTips

Registry Tips

Windows 95/98

Windows 2000

Internet Explorer 4

Internet Explorer 5

Windows NT Tips

Program Tips

Easter Eggs

Hardware

DVD

Latest Reviews

Applications

Microsoft Windows XP Professional

Norton SystemWorks 2002

Hardware

Intel Personal Audio Player 3000

Microsoft Wireless IntelliMouse Explorer

Site News/Info

About This Site

Affiliates

ANet Forums

Default Home Page

Link To Us

Links

Member Pages

Site Search

Awards

Credits
�1997/2004, Active Network. All Rights Reserved.
Layout & Design by Designer Dream. Content written by the Active Network team. Please click here for full terms of use and restrictions or read our Privacy Statement.

Microsoft's blind spot

Time: 01:27 EST/06:27 GMT | News Source: CNET | Posted By: Todd Richardson

Over the years, many in the computer industry have found it all too easy to ignore security. It usually doesn't show up in product demos. Microsoft, in particular, has repeatedly plunged forward with a seductively simple yet dangerously powerful idea. In academia it's called "procedural attachment"--letting a program appear in place of data. Why do this? In a nutshell, programs are more versatile than data. So Microsoft built ActiveX, a technique within Windows for automatically downloading and executing arbitrary programs. And Microsoft put macros into its word processor, along with a technique for automatically executing a macro as soon as a document is opened. And Microsoft made it easy for an e-mail script to do almost anything

Write Comment
Return to News

Displaying 1 through 25 of 157
Last | Next

The time now is 6:23:57 PM ET.
Any comment problems? E-mail us

#1 By 2459 (66.25.124.8) at 2/8/2002 7:30:47 AM

Perfect example of why Sun employees shouldn't write articles about Microsoft.

#2 By 1124 (165.170.128.65) at 2/8/2002 9:10:02 AM

I agree n4cer!!!

#3 By 135 (209.180.28.6) at 2/8/2002 10:33:50 AM

Sun is obviously terrified of .Net, they are spreading the FUD hot and heavy.

I read the article and it has no technical merit. sun.com must be blocking access to msdn.microsoft.com so that their employees can claim ignorance when caught posting articles like this.

#4 By 2332 (129.21.145.80) at 2/8/2002 4:08:16 PM

#12 - Just because the author has "qualification" does not mean that the article itself has technical merit.

His opinions are driven by his hatred of Microsoft, and the fact that he has a lot to lose if Microsoft's technology becomes widely adopted. Argument "from authority" is a logical fallacy, especially in this case.

If you read the article, and judge it solely on its own merits, it has none. He uses misleading terminology, leaves out countless details, and makes faulty assumptions.

In short; it's worthless.

#5 By 2459 (66.25.124.8) at 2/8/2002 4:50:55 PM

#11 - WHAT? (In Stone Cold's Voice)

#12 - Having Degrees and experience in the computer industry doesn't mean he knows everything about the computer industry.

First, there is a clear conflict of interest in having an employee of a competitor, especially one as hostile as Sun, act as an authority on their competitors products and design decisions.
Second, a lot of the information in the article is misleading and opinionated, such as implying that ActiveX controls automatically execute code by default, or saying that the ability to write unmanaged code makes .NET languages/architecture less secure than Java. He even tries to use the C# Spec to make himself appear more authoritative, but if he actually understood .NET, he would understand that security was one of the main (if not the main) focuses of the design of .NET, and that the level of security (which is controlled by the End User/Administrator, as well as the developer) offered makes the chances of running malicious code on .NET much less than the chances of running malicious code on Java or other platforms.

This is basically just another attempt by Sun to attack Microsoft and lead people to believe that Sun's products are better and more secure. This isn't the first time Sun employees have been on ZD/CNet trying to discredit Microsoft and , more specifically, .NET. As many know, it's not the first time they have used the "unsafe code makes .NET less secure than Java" strategy either.

If anyone is interested, you can go to Sun's site, click on EXECUTIVES in the sidebar, and find comments by McNealy and other Sun employees on a regular basis where the subject is often Microsoft and/or one of there products. There are two sections, Executive Perspectives and Reality Check. Sun needs the Reality Check as most of the stuff they say about MS's products is simply untrue. Browse through these sections and see why Sun will continue to lag behind.

#6 By 2332 (129.21.145.80) at 2/8/2002 7:28:42 PM

#14 - "argumentum ad hominem is a fallacy too"

Very true, but only when the ad hominem attack has no relevance to the subject of the argument.

My ad hominem attact is an attempt to show his bias on the subject. I am saying that simply because an argument comes from a certain source does not make it true.

Conversely, simply because the argument comes from a potentially biased source does not make it false.

I don't have time right now to address the specific issues mentioned in the article, but I will soon.

#7 By 2332 (129.21.145.80) at 2/9/2002 4:32:31 AM

This is a two parter. PART ONE:

Ok, time to address the specifics of that article:

"So Microsoft built ActiveX, a technique within Windows for automatically downloading and executing arbitrary programs."

Actually, ActiveX is just a marketing term. For a really great overview of what all this COM, ActiveX, OLE, blah blah stuff is, check out Dan Appleman's "Developing COM/ActiveX Components with Visual Basic 6".

Basically, ActiveX is a fancy name for OLE, which evolved from DDE. OLE allows one OLE-happy application to communicate with another OLE-happy application. It, in and of itself, has nothing to do with downloading code or executing any kind of arbitrary application.

"But the company didn't worry about security, and guess what? One of the ways in which programs are more powerful than data is that they can be designed to replicate. That's the basic principle behind the computer virus. A Word macro can save itself to other files. An e-mail script can re-mail itself to everyone in your address book."

Ok, and that has nothing to do with ActiveX. Any executable can save itself into other executables as well. Any application has the exact same ability to replicate as a Word document with an embedded macro.

"But when the Internet exploded, Microsoft seemed ill-prepared to retrofit adequate security into its shaky software base."

Hmmm. When the Internet exploded, Microsoft was just about to roll out Windows NT, the first and only consumer OS designed from the ground up with security in mind.

"Microsoft has taken note of Java's success and responded with a language of its own called C#."

C# was not a response to Java. The Java "threat" was DOA. If Java had succeeded as a way of writing consumer applications that run on any OS, it would have threatened Windows. But that never happened because Java was a crippled platform that nobody wanted to use to write consumer applications, especially when 90%+ of the consumers were using Windows anyway.

Microsoft certainly learned from the mistakes the Java team made, but it's not an imitation by any means. At any rate, C# is simply a language... and one of the best parts about .NET is the fact that it's language independent. The CLR was designed (unlike JVM) from the ground up with both language interoperability and flexibility in mind. A book could (and has) been written about the CLR, and why it's so damn cool, so I'm not going to rehash it. The point is, Java is a far cry from .NET.

#8 By 2332 (129.21.145.80) at 2/9/2002 4:32:47 AM

PART TWO:

"But C# tries to encompass all the power of C as well as features borrowed from Java. And security cannot be added to an otherwise insecure language... But C# tries to encompass all the power of C as well as features borrowed from Java. And security cannot be added to an otherwise insecure language."

Actually, no, it's not. C is completely unmanaged. C# is 100% managed. If a C program has a buffer overflow, it is possible to not only crash the program, but insert baddie code directly into memory which will then be run by the CPU. If a C# program buffer overflows via unsafe code, the application with throw an exception and the CLR will terminate the program unless the exception is caught. It's as simple as that.

"Did they get their design right this time? I, for one, would bet against it. C# is already cast in stone as an ECMA standard. And only now has Microsoft decided to make security a priority."

Um, ok. Security in the .NET Framework was the #1 priority from day 1. Maybe Sun's a little peeved that Microsoft would submit its brainchild to be a standard, while Sun keeps its strangle hold on Java.

"Adding security to an existing, large insecure system will, in my judgment, prove an impossible task."

Ironically, that's exactly what Unix did, including BSD. Security for Unix was an after thought, but Unix is often touted as very secure... especially OpenBSD. Oh, and what about Java? Does Java add a layer of security to "large insecure systems"? It appears his judgment is a bit clouded.

The real issue here is the fact that the .NET Framework allows for the same kind of security model that Java uses (the sandbox), but an extensible and flexible model that lets administrators, developers, and users decided how code runs and with what permissions. Instead of a user-based security mode, it has a code-access security model.

In other words, if code comes from the Internet, it can be treated one way... but if that code comes from the Intranet, it can be treated another way.

This is the first major innovation in system security since access control lists, and is far superior to any other model currently being used. That, my friends, scares the hell out of Sun.

#9 By 2332 (129.21.145.80) at 2/9/2002 4:05:09 PM

#21 - I agree. Luckily, the only similarities in the way the .NET Framework and IE do security is in the naming conventions and interface.

#10 By 2332 (129.21.145.80) at 2/10/2002 4:02:00 PM

#23 - An Internet Explorer setting proves that ActiveX is a technology designed to download and execute arbitrary code? Wow... who's erroneous? ActiveX is about application interoperability. And how exactly are the rest of my points erroneous?

#24 - "Some of us know something about ActiveX because we've actually written controls. But maybe you're a young guy."

I've been writing Windows applications since 1995, and I've been developing COM and ActiveX applications since 1997. I don't really see how that article refutes anything I said. In fact, it provides evidence that what I said was perfectly correct.

ActiveX has nothing to do with downloading applications any more than a Java applet does.

"LOL - you guys must be from the Young Republicans & televangelist smile, dodge and dance school of debating. Next you'll say that the decision to move 1000 programmers onto IE and make it part of Windows was not a response to Netscape."

You need to learn some history. David Bank, a reporter from the WSJ, wrote an excellent book about Microsoft's 1994-2000 period. The book is called "Breaking Windows," so perhaps you would be willing to read it.

In it, he details the attitudes and motivations behind the decisions made during that time period, especially those surrounding Netscape and Sun. There was a huge battle between Alchin's Windows group and Silverberg's Internet group.

Many of the best programmers, as you say, moved from the Windows group to the Internet group, but the majority of those moves happened *after* Microsoft had gained 30% market share with IE 3.0. Microsoft considered the 30% market as the "holy grail," which if they reached it would spell the end of Netscape.

Eventually, Silverberg's group was actually considered the "internal Netscape" because of their insistence on open standards and making IE available for other platforms. Those decisions threatened Windows, and so Gates and Alchin made the decision to integrate IE with Windows - not because of Netscape, which was already defeated because of their own stupidity - but because IE itself was a threat to Windows.

As far as Java, you should read the e-mails that are publicly available from the anti-trust trials. Instead of getting your drivel from Slashdot, why not get it from the source? Microsoft was worried about Java for about a year. They feared that it would make it possible for people to use any platform they wanted to run any application they wanted.

During that year (or perhaps a little more... a year and a half), Microsoft decided to write their own JVM. Their JVM *supported the Java standard 100%*, but also added proprietary extensions (like COM support) which allowed developers to write Windows-specific applications in Java that had added functionality and ran about 5x faster.

Obviously, Sun didn't like this, so they sued Microsoft. There is some question about whether or not Microsoft actually violated their contract since the MS-JVM ran pure Java applications just fine. But there is not question that by the end of that year, Java was no longer a threat - not because of Microsoft - but because Java was an impotent client applications platform to begin with.

If you would care to refute any of my point with facts or evidence, please feel free. Until then, I will write off your ignorance to the possibility that "you're a young guy."

#11 By 2332 (129.21.145.80) at 2/10/2002 5:41:00 PM

#28 - First of all, I was addressing the term ActiveX, not ActiveX Controls. ActiveX - the technology - is exactly what I said it is.

ActiveX Controls are simply MS's version of a Java applet, but one that can really only be run in IE or another OLE container.

The point is, ActiveX, in and of itself, has *nothing* to do with downloading code and executing it.

#27 - MS's internal politics are very important when one talks about their motivations behind decisions. Microsoft's decision to bundle IE with Windows was a response to IE itself, not Netscape, as I've already mentioned. I'm not sure how IE being bundled with Windows helped it compete against Java, but I know that Microsoft stopped worrying about Java on the client many years ago.

If anything, you can say that .NET is a response, in some ways, to J2EE, which has been building up steam for several years. C#, in and of itself, is not a response to Java. It's a response to the miriad of VB and C++ programmers that desired a language that had the power of one, and the easy of use of another.

#12 By 2332 (129.21.145.80) at 2/11/2002 1:02:55 AM

#30 - "lack of proper direction in their lives"? Care to provide some?

#31 - Agreed.

#13 By 4240821 (45.149.82.86) at 10/25/2023 7:23:45 PM