Sarasota PC Monitor


Tech Talk (05/04)

Java and Active X

by Brian K. Lewis, Ph.D.*
Member of the Sarasota Personal Computer Users Group, Inc.

You have seen references to JAVA and/or ActiveX during your browsing of the web. Or possibly, in an error message when you tried to access a web page. So what are they and what do they do? Even more importantly, are there any security problems associated with them?

From the simplest standpoint, JAVA is a programming language and ActiveX is a set of rules for how programs should share information. ActiveX controls can be written in a number of programming or scripting languages. Now before your eyes glaze over, let me say I'm not going to discuss how to program in either one of them. I would just like to point out some of the ways they are used. There are also some security considerations when you are browsing the web.

Let's start with Java, which is the older of the two and is a product of Sun Microsystems. Java is designed for the development of small, fast-running programs, frequently referred to as "applets". Programs written in Java or JavaScript are not converted directly into binary machine language as are other programs written in C++ or other high-level languages. Instead they are converted into machine language, on the fly, from "byte-codes" that are read by an interpreter program. In other words, the code is only converted at the time the program is run. Thus a run-time module called a Virtual Machine (VM) must be installed on the computer before a Java program can be run. This VM is different for each operating system environment. In other words, a VM for a Macintosh is different from that used on a Windows computer or a Linux computer or an IBM mainframe. However, the same Java program can run in any of these environments. That makes the program platform independent. It also makes it very useful as an addition to the HTML code used for designing web pages. Web pages are not only accessed by many different types of computers, but the Internet itself is a collection of non-homogeneous computers. I should also point out that Microsoft does include a Java VM in Windows. However, it is their version and may not run all true Java code.

So what can be done with a Java program? Just about anything, except writing to your hard disk or to areas of RAM that need to be kept secure. For example, you visit a web page that has a picture of some item you are interested in purchasing and a caption says "click for larger view". When you click on the caption the response may be an activation of either a Java applet or an ActiveX control which downloads a larger picture to your computer. Similar components are activated when you use the Shockwave Flash Player from Macromedia. Other actions that can be carried out by these applets include ad banners, timers, visitor counters, file sorting, playing an audio or video recording, etc. The possibilities are really unlimited.

Given that you may never be aware of the action of a Java applet, is there a security risk for your computer? Java was designed to run only in a secured environment, referred to as a "sandbox". The Java VM has a built-in security manager that verifies the Java code is formatted correctly and that it follows the good-behavior rules. During this process, the verifier applies a theorem-prover algorithm that "proves" that there is no violation of access restrictions. It also prevents uncontrolled input/output (I/O) to disk, memory, the video display memory or even the network, which would constitute a serious breach of security. As long as there is no breakdown in the security provided by the VM application, your computer can't be harmed by malicious code inserted into a web page. However, there are newer additions to the Java system that can create problems.

The original Java version of the "sandbox" has been considered too restrictive mainly because of its I/O restrictions. Some products that are Java-enabled are using "digital signatures" to work around this problem. If you trust the digital signature and run the program you give the program more power than it would otherwise have. You may have come across the window that asks if you want to download and run a digitally signed program. The window will also ask if you always want to trust programs from that source. As long as the author is reliable and the digital signature is not faked, you won't have a problem. However, if you are using Internet Explorer, you may not be given the option to accept or decline the applet. This is especially true with ActiveX controls.

Now on to ActiveX. This is the system that was designed and implemented by Microsoft. All Internet Explorer browsers since version 4.0 have been designed to work with ActiveX controls. ActiveX controls can be written in any programming language, so they can be much more powerful than Java applets. They can write to your hard disk, video memory or RAM, or they can actually start up applications on your computer. There are free ActiveX components available on the web that can make changes to your registry. As with Java, ActiveX controls are very easy to add to any web page. ActiveX controls are fully converted to machine language before being attached to a web page. They do not run in a secure environment like Java applets. However, they are supposed to be digitally signed, and the user is supposed to decide if the author is trustworthy. If your browser is set to automatically accept ActiveX controls, you will never be asked if you want to accept the control.

So, are there security problems related to ActiveX and Java controls attached to the web pages you visit? Absolutely! If any of you remember the article I wrote in the March 2003 SPCUG Monitor on parasites, you will be familiar with the problems that these controls can create. Drive-by downloads, ad parasites, and the other undesirable spyware/adware are frequently placed on your computer by ActiveX controls. The after-the-fact controls for these problems are Spybot and SpywareBlaster. SpywareBlaster and the immunization features of Spybot can block the ActiveX controls that place entries in your registry.

There is another option to reduce the possibility of problem controls being installed on your computer. If you use Internet Explorer you can change the security settings to prevent the automatic download of ActiveX controls. To do this, open IE and select Tools from the main menu. Then select "Internet Options" and click on the Security tab. Next, click on the "Custom Level" button. Use all of the following recommended settings that you can find:

* Download signed ActiveX controls: disable or prompt
* Download unsigned ActiveX controls: disable or prompt
* Initialize and script ActiveX controls not marked as safe: disable or prompt
* Run ActiveX controls and plug-ins: disable or prompt
* Script ActiveX controls marked safe for scripting: disable or prompt
* Downloads: enable
* Font download: prompt
* Access data sources across domains: prompt
* Allow META REFRESH: enable
* Display mixed content: prompt
* Don't prompt for client certificate selection: disable
* Drag and drop or copy and paste files: prompt
* Installation of desktop items: prompt
* Allow cookies that are stored on your computer: disable
* Allow per-session cookies (not stored): enable
* Java permissions: high safety
* Launching programs and files in an IFRAME: disable or prompt
* Software channel permissions: high safety
* Navigate sub-frames across different domains: disable or prompt
* Submit non-encrypted form data: disable or prompt
* User data persistence: disable
* Active scripting: disable or prompt
* Allow paste operations via script: disable or prompt
* Scripting of Java applets: disable or prompt
* Logon: automatic logon only in Intranet zone
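Internet Explorer stores these per-zone settings in the registry, so the Internet zone can be audited against the list above without clicking through the dialog. The following PowerShell check is an added example and is not from the article: it reads the current user's Internet zone (zone 3) and reports each setting that does not match the recommended value. The registry action IDs and the meaning 0 = enable, 1 = prompt, 3 = disable are assumed from Microsoft's documentation of the Zones registry keys, not from the article.

```powershell
# Added example (not from the article): audit the current user's Internet zone
# (zone 3) against the column's recommended values. Action IDs and the meaning
# 0 = enable, 1 = prompt, 3 = disable are assumed from Microsoft's documentation
# of the Zones registry keys (KB 182569), not from the article. Java permissions,
# software channel permissions, cookies and logon use other encodings and are omitted.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# setting -> registry action ID and the values the column accepts
$recommended = [ordered]@{
    'Download signed ActiveX controls'                          = @{ Id = '1001'; Ok = 1, 3 }
    'Download unsigned ActiveX controls'                        = @{ Id = '1004'; Ok = 1, 3 }
    'Initialize and script ActiveX controls not marked as safe' = @{ Id = '1201'; Ok = 1, 3 }
    'Run ActiveX controls and plug-ins'                         = @{ Id = '1200'; Ok = 1, 3 }
    'Script ActiveX controls marked safe for scripting'         = @{ Id = '1405'; Ok = 1, 3 }
    'Downloads'                                                 = @{ Id = '1803'; Ok = 0 }
    'Font download'                                             = @{ Id = '1604'; Ok = 1 }
    'Access data sources across domains'                        = @{ Id = '1406'; Ok = 1 }
    'Allow META REFRESH'                                        = @{ Id = '1608'; Ok = 0 }
    'Display mixed content'                                     = @{ Id = '1609'; Ok = 1 }
    "Don't prompt for client certificate selection"             = @{ Id = '1A04'; Ok = 3 }
    'Drag and drop or copy and paste files'                     = @{ Id = '1802'; Ok = 1 }
    'Installation of desktop items'                             = @{ Id = '1800'; Ok = 1 }
    'Launching programs and files in an IFRAME'                 = @{ Id = '1804'; Ok = 1, 3 }
    'Navigate sub-frames across different domains'              = @{ Id = '1607'; Ok = 1, 3 }
    'Submit non-encrypted form data'                            = @{ Id = '1601'; Ok = 1, 3 }
    'User data persistence'                                     = @{ Id = '1606'; Ok = 3 }
    'Active scripting'                                          = @{ Id = '1400'; Ok = 1, 3 }
    'Allow paste operations via script'                         = @{ Id = '1407'; Ok = 1, 3 }
    'Scripting of Java applets'                                 = @{ Id = '1402'; Ok = 1, 3 }
}
$names = @{ 0 = 'enable'; 1 = 'prompt'; 3 = 'disable' }

$key = Get-ItemProperty -Path $zone -ErrorAction Stop
foreach ($name in $recommended.Keys) {
    $entry   = $recommended[$name]
    $current = $key.($entry.Id)          # registry value names are the hex action IDs
    if ($null -eq $current) {
        $status = 'CHECK'; $label = 'not set (browser default applies)'
    } else {
        $value  = [int]$current
        $label  = if ($names.ContainsKey($value)) { $names[$value] } else { '0x{0:X}' -f $value }
        $status = if (@($entry.Ok) -contains $value) { 'OK   ' } else { 'FIX  ' }
    }
    '{0} {1,-58} {2}' -f $status, $name, $label
}
```

Run it in a normal (non-elevated) PowerShell session, since the values are per user; each line marked FIX is a setting to change in the Custom Level dialog as described above.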

If you are using Opera or Mozilla as a browser, then you need to look at the Preferences settings and block pop-up windows. You may also be able to prevent images from loading that come from other than the originating server. In general, Mozilla and Opera tend to be more secure than IE.

Both JAVA and ActiveX have contributed to the improvement of the web browsing experience. However, this has been done at some cost in terms of security. You need to be aware of these problems and how to overcome them. If you have any doubts about an unsigned or digitally signed ActiveX control, just don't accept it.

I hope this article has shed a little light on the ActiveX and Java controls that your browser supports.

*Dr. Lewis is a former university & medical school professor. He has been working with personal computers for more than thirty years. He can be reached via e-mail at bwsail@yahoo.com or voice mail at 941/925-3047.



Copyright 2004. This article is from the May 2004 issue of the Sarasota PC Monitor, the official monthly publication of the Sarasota Personal Computer Users Group, Inc., P.O. Box 15889, Sarasota, FL 34277-1889. Permission to reprint is granted only to other non-profit computer user groups, provided proper credit is given to the author and our publication. We would appreciate receiving a copy of the publication the reprint appears in; please send to the above address, Attn: Editor. For further information about our group, email: admin@spcug.org, Web: http://www.spcug.org/

The Sarasota Personal Computer Users Group, Inc. has 1,100+ members and was established in 1982. We are members of the Assoc. of PC User Groups (APCUG), the Florida Assoc. of PC Users Groups, Inc., and we are members of the America Online Ambassador Program.
