Java, JavaScript and ActiveX
Dateline: Toronto, ON, July 1997

What are Java, JavaScript and ActiveX? This is a question I frequently answer in courses. Well, this is a complex question, but let's take a superficial look.

Sun's Java, Netscape's JavaScript and Microsoft's ActiveX add live content to Web presentations, enabling Web pages to look and act like desktop applications. When your browser runs one of these programs, the page comes alive with active content that goes far beyond standard HTML.

Java programs download from a server much like a Web page does. When one arrives at your computer, your browser starts an interpreter that executes the program. Java restricts these programs to a sandbox in which they may use the screen and the processing power of your computer; supposedly, they can't get to your files or to other computers on your network. However, rogue Java applets can still monopolize or exploit your system's resources in an annoying, inappropriate or destructive manner, largely by consuming those resources.

JavaScript, essentially a subset of Java, is a scripting language designed for use by non-programmers. Unlike Java, which requires a compiler to produce an executable program, JavaScript is written as text that remains on the Web page. It's hidden from view, but executes when someone accesses the page with a JavaScript-capable browser. In contrast to hostile Java applets, malevolent JavaScript code frequently poses a threat: malicious JavaScripts can track you, read your files and directory listings, send file information back to a Web server, detect your e-mail address surreptitiously, or originate e-mail messages without your knowledge.

ActiveX encapsulates programs for sending over the Internet. Unlike Java, ActiveX programs can access your computer's file system. Microsoft recognized that users would balk at downloading programs that could erase their hard drives, so it developed Authenticode.
When you're about to download an ActiveX control, Microsoft Internet Explorer displays a warning and shows you the Authenticode certificate. Should the control have no certificate, you see a warning message. A certificate doesn't ensure the program is safe; it just says where it comes from. A malicious ActiveX control can read, modify or delete any file on your computer, or insert a virus into your system.

Should you disable ActiveX, Java and JavaScript? Empirically, there's no evidence, as yet, that anyone has suffered serious losses of data or privacy because of these features. But they introduce new possibilities for attack and intrusion. Here, then, are some preliminary thoughts on controlling them.
As each revelation of Java, JavaScript and ActiveX flaws becomes known, vendors promptly develop and release fixes. The challenge, then, is to be aware of these flaws and their fixes. Of course, you should start by exploring Microsoft, Sun and Netscape. Also, surf on over to Princeton University, RST Corporation, Open Software Foundation and Halcyon. You might also want to examine the FAQs at MIT, Sun and PenceLand. Well there, that should get you started.
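The Authenticode point made above, that a certificate says where a control comes from and not whether it is safe, is worth seeing in working code. The Go program below is an added example; it is not code from this column or from Microsoft. It models a publisher's code-signing certificate as a bare Ed25519 public key held in a trusted list (a deliberate simplification: the real certificate chain, time stamps and revocation are left out), and every publisher name, key and piece of "control code" in it is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Publisher stands in for the identity named on a code-signing certificate.
// Only the publisher's public key is modelled; the CA chain a real
// Authenticode certificate carries is omitted (assumption of this example).
type Publisher struct {
	Name string
	Key  ed25519.PublicKey
}

// Control is a downloaded executable component together with the signature
// its publisher attached and the key that made it. Signature is empty when
// the control ships unsigned.
type Control struct {
	Code      []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

// Verdict is everything the browser can honestly tell the user before the
// control runs: whether the signature checks out, and against which publisher.
type Verdict struct {
	Status    string // "verified", "unsigned", "unknown_publisher" or "tampered"
	Publisher string // set only when Status is "verified"
}

// Sign is the publisher's side of the exchange: it signs the control's bytes
// and ships the signature and public key alongside them.
func Sign(priv ed25519.PrivateKey, code []byte) Control {
	return Control{
		Code:      code,
		Signature: ed25519.Sign(priv, code),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

// Verify is the browser's side. It answers two questions, origin and integrity,
// and nothing more: a "verified" control is one whose bytes are exactly what a
// known publisher signed. Whether those bytes are harmless is not something
// the signature can say.
func Verify(c Control, trusted []Publisher) Verdict {
	if len(c.Signature) == 0 {
		return Verdict{Status: "unsigned"} // the "no certificate" warning case
	}
	for _, p := range trusted {
		if p.Key.Equal(c.SignerKey) {
			if ed25519.Verify(p.Key, c.Code, c.Signature) {
				return Verdict{Status: "verified", Publisher: p.Name}
			}
			return Verdict{Status: "tampered"} // bytes changed after signing
		}
	}
	return Verdict{Status: "unknown_publisher"} // signed, but by nobody we trust
}

// Scenarios builds five constructed controls and returns the verdict for each.
// All keys, names and "code" are generated or made up here for the example.
func Scenarios() map[string]Verdict {
	acmePub, acmePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, strangerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := []Publisher{{Name: "ACME Controls Inc. (constructed)", Key: acmePub}}

	benign := Sign(acmePriv, []byte("constructed control: draws a stock ticker"))

	// Same publisher, but the bytes were altered in transit after signing.
	tampered := Sign(acmePriv, []byte("constructed control: draws a stock ticker"))
	tampered.Code = append([]byte(nil), tampered.Code...)
	tampered.Code[0] ^= 0xff

	unsigned := Control{Code: []byte("constructed control: no signature at all")}

	stranger := Sign(strangerPriv, []byte("constructed control: signed by an unknown key"))

	// The column's point: a known publisher's signature on harmful code verifies
	// just as cleanly as on benign code. The certificate tells you who shipped
	// it, not what it does. (The "code" here is only a descriptive label.)
	harmful := Sign(acmePriv, []byte("constructed control: deletes files (label only)"))

	return map[string]Verdict{
		"benign_trusted":  Verify(benign, trusted),
		"tampered":        Verify(tampered, trusted),
		"unsigned":        Verify(unsigned, trusted),
		"unknown_signer":  Verify(stranger, trusted),
		"harmful_trusted": Verify(harmful, trusted),
	}
}

func main() {
	for name, v := range Scenarios() {
		fmt.Printf("%-16s status=%-17s publisher=%q\n", name, v.Status, v.Publisher)
	}
}
```

The two verdicts worth comparing are `harmful_trusted` and `benign_trusted`: both come back "verified" with the same publisher name, because the signature binds bytes to a publisher and nothing else. The decision to run the control remains the user's, which is exactly what the warning dialog is for; what the check does rule out is the control that was altered on the way ("tampered"), the one with no signature at all ("unsigned"), and the one signed by a key nobody vouched for ("unknown_publisher").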