The ActiveX Intrusion

(This column first appeared in the August 20, 1996 issue of PC Graphics Report)

Picture yourself about to enter the soft drink aisle of your local supermarket. The end cap display has Coca Cola, your normal brand of soda, so you pick up a six-pack. Pleased with not having to hunt through the shelves, you turn into the soft drink aisle to get to the cashier at the other end, only to be greeted by a major shopping cart and pedestrian traffic jam. Even worse, there are now people behind you, so you have no choice but to go forward.

Turns out the traffic jam and resulting chaos is the result of every imaginable vendor of soft drinks having set up a tasting table in the aisle, leaving little space for shoppers to pass. As if that weren’t bad enough, instead of serving samples in little one ounce tasting cups, the vendors adamantly insist that samplers must drink a full 12 ounce can. Why? The vendors say with only an ounce, consumers can’t possibly get a proper sense of how “wonderful” any given soft drink in question is, but 12 ounces should do the trick.

The final straw (pardon the pun) is that you can’t leave the aisle until you have sampled at least a half dozen of the hundreds of offerings there. And so, instead of just buying a six-pack of Coke for leisurely consumption, you’ve been forced to down the equivalent of a six-pack of soda you most likely didn’t care for beforehand, and certainly don’t now.

Where’s this scenario leading to?

Internet Explorer 3.0 (IE3), with a bunch of nice features (the “Coke” in my nightmare above), was officially released by Microsoft last week, and with it a flurry of press releases offering support in the form of ActiveX controls (the 12 ounce soda samples).

Data Type Overload
As I expressed in my column last week, I think we’re on the verge of seeing a backlash by users against the onslaught of ActiveX controls and plug-ins, and this past week’s slew of announcements further reinforces that notion. In the table below you’ll find a list of new Internet Explorer 3.0 ActiveX controls dealing with graphics and audio, which I compiled by searching the Web and perusing recent press releases.

| Company | ActiveX Control | Control Type | Web address |
|---|---|---|---|
| Adobe | Acrobat Reader | DTP | http://www.adobe.com |
| Astound | WebMotion & WebPlayer | multimedia | http://www.astound.com |
| Autodesk | Whip! | drawing viewer | http://www.autodesk.com |
| Black Diamond | Surround Video | panoramic viewer | http://www.bdiamond.com |
| Cornerstone Imaging | ISIS | imaging scanning | http://www.corimage.com |
| Dimension X | Liquid Motion | Java animation | http://www.dimensionx.com |
| Ephyx | V-Active | interactive Video | http://www.ephyx.com |
| FutureWave Software | FutureSplash | custom animation | http://www.futurewave.com |
| ichat | ichat | chatting | http://www.ichat.com |
| INFInet Op | Lightning Strike | wavelet based image CODEC | http://www.infinop.com |
| Macromedia | Shockwave | multimedia | http://www.macromedia.com |
| mBED Software | mBED | multimedia | http://www.mbed.com |
| Mediamatics | MPEG-1 | MPEG-1 player | http://www.mediamatics.com |
| Micrographx | QuickSilver | presentation graphics | http://www.micrographx.com |
| Microsoft | VRML | VRML 1.0 viewer | http://www.microsoft.com |
| Softoholics | OGL | OpenGL access | http://www.enet.ca/softoholic/ |
| Superscape | Viscape | 3D viewer | http://www.superscape.com |
| Tegosoft | 3D Virtual Reality | 2D to 3D converter | http://www.tegosoft.com |
| Template Graphics Software | Visual 3Space | VRML/3D viewer | http://www.tgs.com |
| Totally Hip | Sizzler | custom streaming animation | http://www.totallyhip.com |
| Tumbleweed Software | Envoy | DTP | http://www.tumbleweed.com |
| VDOnet | VDOLive! | streaming video | http://www.vdo.net |
| VREAM | WIRL | VRML browser | http://www.vream.com |

Of the 23 ActiveX controls, only the ones from Macromedia and Mediamatics are actually being shipped as part of Internet Explorer 3.0. A small number of the controls listed support open, widely supported standards, and the remaining majority focus on promoting proprietary file formats, which are created by products sold by the providers of the ActiveX controls. Seems like this might be a good time for companies to get together and create some industry standard file formats which support all their extensions, much in the way everyone involved in the VRML 2.0 effort has done.

Oh, and if you’re a Netscape Navigator user, don’t despair that you’re missing out on the whole ActiveX madness. NCompass, a Canadian company, has developed a Netscape Plug-In which will let Navigator users punish themselves by allowing Navigator to run all the same ActiveX controls that IE3 users have access to. NCompass and their ActiveX plug-ins can be found at http://www.ncompasslabs.com.

Being Protected From One’s Self
Ironically enough, had I been searching for a more complete list of ActiveX controls just a week prior, I would have found a list exceeding 100 on Microsoft’s own Web site (at http://www.microsoft.com/activex/gallery/gallery.htm). But now, they’ve been taken off by Microsoft, and replaced by a message which includes the following excerpt:

“If you’ve visited the gallery before, you’ll remember it contained over 100 controls from over 30 companies. Now you’ll find only 12 controls from Microsoft. So where have all the controls gone? Well, now that the Internet Explorer 3.0 final release is out, we’ve asked our partners to digitally sign their controls for safe downloading, and we’ve temporarily pulled the controls while the code-signing takes place. We’ll be adding the controls back in after they’ve been signed, so please check back!”

Now, let’s take a look at what the above message actually means. By “digitally sign,” Microsoft’s note refers to the new Authenticode process Microsoft has instituted to protect us from ActiveX-borne viruses. This process requires a digital ID from companies known as Certificate Authorities (the two that are mentioned are VeriSign and GTE). The digital ID is used to encrypt a “certificate” which becomes part of the ActiveX control. When IE3 detects the need for an ActiveX module and attempts to load it, it first checks for the Authenticode header.

If an Authenticode header is found, a digital “certificate” is displayed, allowing the user to determine if he/she wants to install that module. The certificate also displays the name of the software company which owns the header (and presumably the ActiveX control), as well as the name and Web link for the Certificate Authority. The user is also presented with the option to ignore all further certificates (i.e. automatically download and use all future code) from either the software company or the listed certificate authority or both.

If an Authenticode header isn’t found, IE3 posts a warning noting the “component has not been digitally ‘signed’ by its publisher. It may contain viruses or otherwise harm your computer,” and asks the user if he/she wants to continue anyway.

Microsoft appears pretty confident that Authenticode will work to ensure no viruses will be downloaded by users, and if by some chance they are, the source of the virus would be traceable, thanks to the digital ID. They also make the point that if a user chooses to ignore a lack of Authenticode in modules they download, they do so at their own risk. Microsoft’s virus note will certainly dissuade the meek, and is surely intended to encourage all software developers to obtain a digital ID.

I seriously doubt that the digital IDs are foolproof, and think that soon enough some hacker out there somewhere will figure out how to fake an Authenticode header and distribute all sorts of nasty viruses, just to prove a point. That’s in addition to the real threat of dormant viruses already having been planted in existing software which has been downloaded and installed on existing systems. My faith in Authenticode, both technically and conceptually, isn’t very strong.

Obtaining A Digital ID
Big brother is alive and well in Redmond. For a software developer to obtain a digital ID from Microsoft’s Authenticode partners, the developer has to provide financial information, in theory so that a user can be assured the developer is reputable, established, and will be around if you need to sue him for the damage his accidentally introduced virus caused. It also costs money to get a digital ID—not much, but multiplied over the thousands of Microsoft ISVs it adds up to a pretty bundle.

Keep in mind if you want to provide users with some sort of ActiveX control now, and want to avoid having users panic when they are warned about potential viruses, you’re going to have to get yourself and/or your company certified.

Here are the details I pulled off VeriSign’s Web site (http://digitalid.verisign.com) on the matter:

Based on Microsoft code signing program criteria, VeriSign will attempt to verify that your company meets a minimum financial stability level using ratings from Dun & Bradstreet Financial Services. Your certificate will indicate if you have met this level. Some software, such as the Microsoft Internet Explorer 3.0, offers end users an option to bypass making an explicit choice to trust code from each new software publisher. If an end user checks an option to trust all software signed by vendors who have met the financial criteria, code signed by these vendors will be run without any user intervention.

Pricing of Digital IDs for Software Validation:

Class 2 Digital ID for Validating Software: $20 annually [for Individual Software Publishers]

Class 3 Digital ID for Validating Software: $400 annually [for Commercial Software Publishers, i.e. companies]

You will need Microsoft Internet Explorer 3.0 build 1117 (beta 2) or build 1154 or later to apply for your credentials and view your signed software.

You will need the following information during the enrollment process:

Individual Software Publishers:
• Your name, address, and e-mail address
• Date of birth
• Social Security Number
• Previous address (if you have moved in the past 2 years)
• Credit card information for billing

Commercial Software Publishers:
• Company name and location
• Your name, address, e-mail, phone, and fax
• Information for a technical contact and an organizational contact
• Your company’s DUNS number, if any
• Billing information (credit card, P.O. or check), and billing contact information, if any

Sounds very much like applying for a credit card. It’s uncertain whether Microsoft gets a copy of this private information, but it’s invasive in any event. I’m sure that at least a list of certified developers will be provided to Microsoft, so the company can further toot its own horn about how popular ActiveX is.

In case you hadn’t noticed, the whole digital ID process is also very U.S.-centric, especially for the Individual Software Publishers. I guess if you’re a non-U.S.-based developer of software, you’re out of luck for now.

Of course, I’m sure all those companies who were thrilled to be listed in Microsoft’s ActiveX Gallery earlier and just got de-listed are feeling pretty uptight right now that Microsoft is forcing them to authenticode their code before allowing them to be listed. I question why this didn’t happen weeks ago so these companies would be able to share in the official IE3 roll-out by being listed on the site. The answer is either Microsoft just barely got their act together, or they intentionally wanted to send a strong message that in order to play with Microsoft, companies need to do what Microsoft wants them to.

Microsoft Marketing Machine
And, speaking of what Microsoft wants you to do…

Microsoft, the company that recently chided Netscape for not adhering to industry-accepted standards, has struck several exclusive deals with leading Web sites to promote how wonderful IE3 is. Oddly enough, the deals standards-obsessed Microsoft has struck require IE3 to be used (much as you need IE3 to obtain a Digital ID for use with Authenticode). If you use Netscape Navigator or another Web browser on these sites, you either don’t see the special IE3-only portion of the site, or you get a Web page that insults your intelligence for daring to use a browser other than IE3.

The Web sites Microsoft has this “special” relationship with include ESPNET SportsZone, Hollywood Online, InvestorsEdge.com, MicroWarehouse, MTV Online, Riddler.com, Yahoo!, and The Wall Street Journal Interactive Edition.

Microsoft must have dangled a pretty nice carrot to have these organizations potentially alienate 80%+ of the Web surfing market which doesn’t use any form of Microsoft Web browser, and hasn’t, at least for the last several months, shown any urge to do so.

Conclusion
Believe it or not, it really bothers me to rant about Microsoft and their monopolistic, strong-arm tendencies. But, they keep insisting on giving me such great ammunition for my columns…

Anyhow, the list of graphical and audio ActiveX controls I listed at the beginning of this week’s column is only the tip of the iceberg. Expect to see another several dozen proprietary viewers of graphical, audio, and multimedia content before the end of the year, thus creating more chaos, confusion, and clamoring for the attention of users who just want to stick with whatever they already have. In other words, go home with their favorite six-pack of soda, and leave the others behind.