PDA Logo.gif (6595 bytes)

Java, JavaScript and ActiveX


our services

about Peter Davis+Assoc.


security/audit info

Privacy Test

Security and Audit Tools


Windows NT Server IIS

Windows 95


Java, JavaScript and ActiveX

Intrusion Detection Systems

Security Industry Shakeout

Securing Groupware

Client/Server Audit: One Bite At A Time

Configuring Cisco Denial of Service Security Features - Part 1

Configuring Cisco Denial of Service Security Features - Part 2

Configuring Cisco Lock-and-Key

Configuring Cisco Reflexive Access Lists

Dysfunctional Controls: Useless, Impractical, Inefficient and Poorly-Designed

TCPA: Who Can You Trust?

When Getting the Audit Done Is the Only Thing

Palladium: Friend or Foe?

Commentary: Quis Custodiet Ipsos Custodes?

Data Management: Data Destruction and Preservation

Security and Audit Products
Top Ten Security Links 
Security and Audit Checklists
Computer & Security
Security & Audit Bibliography
Search Page

legal info

privacy info

Dateline: Toronto, ON, July 1997

What is Java, JavaScript and ActiveX? This is a question I frequently answer in courses. Well, this is a complex question, but let's take a superficial look.

Sun's Java, Netscape's JavaScript, or Microsoft's ActiveX add live content to Web presentations, enabling Web pages to look and act like desktop applications. When your browser is running one of these programs, it comes alive with active content, going far beyond standard HTML.

Java programs download from a server similar to a Web page. When they're received by your computer, your browser starts an interpreter that executes the program. Java restricts these programs to a sandbox where they can use the screen and computer power of your computer. Supposedly, they can't get to your files, or to other computers on your network.

However, rogue Java applets can monopolize or exploit your system's resources in an annoying, inappropriate, or destructive manner, largely by consuming your computer's system resources.

JavaScript, essentially a subset of Java, is a scripting language designed for use by non-programmers. Unlike Java, which requires a compiler to produce an executable program, JavaScript is written in text that remains on a Web page. It's hidden from view, but executes when someone accesses the page with a JavaScript-capable browser.

In contrast to hostile Java applets, malevolent JavaScript code frequently poses a threat. Malicious JavaScripts can track you, read your files and directory listings, send file information back to a Web server, detect your e-mail address surreptitiously, or originate e-mail messages without your knowledge.

ActiveX encapsulates programs for sending over the Internet. Unlike Java, ActiveX programs can access your computer's file system. Microsoft recognized users would balk at downloading programs that could erase their hard drives, so they developed Authenticode. When you're about to download an ActiveX control, Microsoft Internet Explorer displays a warning, and shows you the Authenticode certificate. Should the control have no certificate, you see a warning message. A certificate doesn't ensure the program is safe; it just says where it comes from.

Malicious ActiveX control can read, modify, or delete any file on your computer, or insert a virus into your system.

Should you disable ActiveX, Java and JavaScript? Empirically, there's no evidence—as yet—that anyone has suffered serious losses of data or privacy because of these features. But, they introduce new possibilities for attack and intrusion. Here, then, are some preliminary thoughts on controlling them.

  • Choose Help | About Internet Explorer or Help | About Netscape to verify the version you're using. If you're still using Internet Explorer 3.0 or any version of Netscape 2.0, upgrade to the latest version.

  • Avoid beta versions of any Web browser. Besides the obvious risk that these untested programs might crash your system, they also might contain security flaws.

  • If you're using Netscape 3.0, choose Options Security Preferences, click the General tab, and enable the Submitting a Form Insecurely option. Then Netscape will display a confirmation box before sending e-mail, so you can prevent an e-mail message from being sent without your knowledge.

  • As JavaSoft's documentation suggests , you "must be wary of executing any code that comes from untrusted sources." Use Netscape's new Communicator to set preferences allowing you to authenticate Java applets. If you're using Microsoft Internet Explorer 3.0, set the security level to High. This ensures no active content is downloaded without your approval. To set the safety level to High: Choose View Options, and click the Security tab. From the Active Content area, click the Safety Level button, click High, and then click OK until you see Internet Explorer again.

  • To disable Java, JavaScript, or both: From the Options menu, choose Network Preferences, click the Languages tab, deselect the Enable Java and Enable JavaScript check boxes, and click OK.

  • To disable Java, JavaScript, and ActiveX in Internet Explorer 3.0: Choose View Options and click the Security tab and deselect all options from the Active Content area.

As each revelation of Java, JavaScript and ActiveX flaws becomes known, vendors promptly develop and release fixes. The challenge then is to be aware of these flaws and their fixes. Of course, you should start by exploring Microsoft, Sun and Netscape. Also, surf on over to Princeton University, RST Corporation, Open Software Foundation, and Halcyon. You also might want to examine the FAQs at MIT, Sun, and PenceLand. Well there, that should get you started.

Tell a friend about this page!
Their Name:
Their Email:
Your Name:
Your Email: