Unbelievably enough, a Jupiter analyst, Michael Gartenberg, has written an opinion piece which ComputerWorld, unbelievably enough, has printed, cautioning businesses that they might want to think twice about switching from IE to Firefox because "Firefox lacks the ability to run Microsoft ActiveX code."
[Groklaw jaws drop all over the world in unison]
You may think he was doing a parody for Onion, but I think he's serious. Yes, friends, I believe we are seeing the birth of the anti-Firefox FUD. Here's the man's so-called "opinion":
The reception that Firefox has received from consumers and the press might tempt business users to switch browsers, but there are some good reasons not to. Many mission-critical applications have been built on Internet Explorer, and most organizations don't have the budget or resources to recode them. In addition, PCs' application loads need to be properly tested to ensure that nothing breaks with the addition of a different browser. In the near term, many business users will be better served by keeping Internet Explorer and installing security updates as they're released. If they aren't dependent on Internet Explorer technology, however, some end users could use Firefox for their daily Web surfing while reserving Internet Explorer use for sites that require it. . . .
If Microsoft is spurred by Firefox's success to put more resources into Internet Explorer, it would help create a better experience for both businesses and consumers. That might even happen before Longhorn ships.
Well, FUD with a triple capital F generally meets with a Groklaw response, but before I could even warm up the engine, a Groklaw reader, Dr. Tony Young, did it for me.
Here is the email he sent to the analyst, which he has given me permission to share with you:
I read your article in Computerworld with great interest:
What I wish to say below may not be precisely what you intended, and I am not up with ActiveX because I simply don't use it or encounter it. I find Firefox opens any web sites I require and as far as I know perfectly. Also I do my internet banking with it...and that covers all my needs.

You are partially correct, but I think that you miss the ultimate point: the real problem is ActiveX and the fact that Microsoft's IE **automatically** runs such code. In other words, if you design a piece of software to run things it sees on the web automatically, then you invite every spam merchant, malware and spyware agency to flock to your computer and run while you are logged on as system administrator and candidly, you deserve everything you get. I find it amazing that Windows users seem to think that it is normal to invite such software to run on their machines without any hindrance given that anything can be concealed in that code. The results speak for themselves: hard boots, blue screens of death, reinstallations, update antiviral codes, time costs, etc. etc. You don't do that with Linux.

The whole point about Firefox is that it is separate from the OS and DOESN'T run ActiveX automatically. And I'd go further, pray heaven it never does !!!! And that is the essential difference between Microsoft's proprietary OS which is now haemorrhaging because of its poor security design because IE is part of its coding, and Linux or FOSS which has been designed WITH security in mind. You actually have to choose to run a piece of software...not be told by a proprietary OS that such and such a piece of software is going to run whether you like it or not.

And finally, as regards cost of transfer...Do please add up all the system admin costs of virus protection, reinstallations, patches and the time they take...and think....now really, Firefox wins hands down.

I think Business in general has now reached the stage where it has little choice. Abandon Windows or remain in an ever increasing whirlpool of costs, viruses and reboots. Either do it now with minimal costs, or watch your ultimate costs of transfer steadily increase, because sooner or later, it will have to be done. There is little doubt in the statement that if we could remove the Microsoft OS from the world's computers and the internet tonight, almost 100% of viruses and malware would disappear and we would have a secure, user-oriented system.
Dr. Tony Young
You can read about ActiveX in this chapter from an O'Reilly book, "Malicious Mobile Code", by Roger A. Grimes, on "Malicious ActiveX Controls". I strongly suggest any executive pondering whether or not to switch from IE to Firefox read this chapter and ask themselves if they want their business computers doing such things as IE permits. For the time-pressed, here is just one paragraph that ought to tell you all you need to know:
ActiveX's biggest problem is the way it incorrectly marks controls Safe for Scripting. Already used in several email worm attacks, these types of holes continue to appear. If Microsoft cannot correctly determine the safety and appropriateness of their own system controls, how can vendors be expected to? Following that problem is the growing use of unsigned code. The digital signing process is technical and expensive. Most ActiveX controls on the Web are unsigned. Many of those that are signed are expired. I rarely come across a control that is signed and current. If ActiveX's security lives or dies on whether end-users correctly choose to trust or not trust unsigned controls to run, it appears doomed unless digital signing of code becomes widespread. If ActiveX controls become standardized across the world's web sites, as expected, we will surely see a rise in malicious code for ActiveX.
The book was written in 2001, so this is not a new problem. Here's a ComputerWorld article about an ActiveX flaw spreading viruses in 2000. And yes, there is an abundance of malicious code. Some call ActiveX viruses the most dangerous of all, because you can get them just by surfing the web.
Here is Microsoft's patch for one IE ActiveX vulnerability, which allows someone to take over your computer if you visit a malicious web site, after which they can run any code they like on your computer. Do you think a spammer might enjoy that power?
For you businessmen who are not coders, what does it mean that if one of your employees visits a malicious website, any code can run on their computer? Well, actually it's *your* computer. Your business computer. This paper [PDF] says it means that worm writers who run the malicious website can then delete or change your files and your registry entries, and create other serious system damage:
ActiveX is a popular technology among virus, Trojan horse, worm, and malicious scriptwriters. This is due to the combined popularity of the Windows platform, the rich feature set that Microsoft exposes with ActiveX, and the lack of a sandbox - a barrier between the control and the rest of your system that is employed by Java technology. For example, worm writers may use ActiveX because the popular corporate e-mail client, Microsoft Outlook, exposes an ActiveX interface for accessing the Outlook address book. ActiveX viruses can also delete files, registry entries, and create other serious system damage.

Add to this the ActiveX security model, which is dependent both on the Internet Explorer (IE) security settings and on digital signing, which prompts users to accept or reject each control. If IE is set to allow all ActiveX controls, the user never sees the digital signing prompt and they are at particularly high risk for viruses and other malicious scripts. With a number of costly ActiveX viruses and worms in recent history, system administrators may be reluctant to trust their users to enable ActiveX controls, and can even set IE to accept no controls.
Of course, if the only safe way to run IE is to turn off ActiveX, then why not just use Firefox? That way, your employees don't have to be trusted to do right. And, according to Pest Patrol, there's "Hostile ActiveX (an ActiveX trojan that captures info from your machine or modifies your files.)" Think of what that can mean for your business, that an interloper can capture information from your machine and modify your files. Then the person can send that misinformation, as if from you. Talk about functionality.
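The two things the paper says the ActiveX security model hangs on, IE's zone security settings and the signing prompt, are ordinary per-user registry values, so an administrator can audit them and set the "accept no controls" policy directly. The PowerShell snippet below is an added example, not from Groklaw or any source cited here; the registry path, entry numbers and action codes are Internet Explorer's documented zone settings, while the choice of entries to inspect and the hardened values are this example's own.

```powershell
# Added example: audit and optionally harden the ActiveX settings of the
# Internet Explorer "Internet" zone (zone 3) for the current user.
# The registry path, entry numbers and action codes are the documented IE
# zone entries; which entries to check is this example's own selection.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Zone entries that govern ActiveX in the Internet zone.
$activeXEntries = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
# Action codes shared by every zone entry.
$actions = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneState {
    param([string]$Path = $zonePath)
    $props = Get-ItemProperty -Path $Path
    foreach ($id in ($activeXEntries.Keys | Sort-Object)) {
        $value = $props.$id
        $action = if ($null -eq $value) { 'Not set' } elseif ($actions.ContainsKey([int]$value)) { $actions[[int]$value] } else { "Unknown ($value)" }
        [pscustomobject]@{
            Entry   = $id
            Setting = $activeXEntries[$id]
            Action  = $action
            # 'Enable' (0) means IE fetches, runs or scripts the control without
            # asking, the "allow all ActiveX controls" case the paper warns about.
            Risky   = ($value -eq 0)
        }
    }
}

function Set-ActiveXZoneDisabled {
    # Set every listed entry to Disable (3): the "accept no controls" policy.
    param([string]$Path = $zonePath)
    foreach ($id in $activeXEntries.Keys) {
        Set-ItemProperty -Path $Path -Name $id -Value 3 -Type DWord
    }
}

Get-ActiveXZoneState | Format-Table -AutoSize
# Uncomment to apply the hardened configuration for the current user:
# Set-ActiveXZoneDisabled
```

The audit reads the current user's hive only; Group Policy can override these entries, so the output shows the user's settings rather than necessarily the effective policy.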
As for waiting for Microsoft to fix things, here's a RISKS Digest (Forum on Risks to the Public in Computers and Related Systems) from 1997 on ActiveX vulnerabilities, a year after ActiveX was first released. That's the track record. As for their skills, here is what they thought would happen, back in 1996 when they first developed ActiveX:
Microsoft appears pretty confident that Authenticode will work to ensure no viruses will be downloaded by users, and if by some chance they are, the source of the virus would be traceable, thanks to the digital ID.
It's a design issue. Here is how Panda Software describes ActiveX: "ActiveX technology, patented by Microsoft, allows online programs to be run on computers through Internet Explorer. It also allows users to open Word or Excel documents directly through the browser. . . " So yes, the Jupiter analyst is correct, if you don't finish the thought, that you do lose some functionality with ActiveX turned off. But is it functionality you want and can afford to allow your employees to have?
But, you say, I'll just tell my geeks to make sure my business is fully up-to-date and patched. Better read this first:
A couple of weeks ago, Aunty reported to you that Microsoft had announced a patch for their ActiveX security flaw.
However, today the anti-virus experts at GeCad Net are reporting that the patch distributed by Microsoft does not fully fix the flaw (and try saying that three times fast!)
The Register has a story on a security pow wow, sponsored by Microsoft, Messagelabs and the FBI, whereby several UK MPs will be flying to the US next month to meet with politicians and agencies here "to discuss information security". Here's some confirmation from the article that Dr. Young is correct:
Ed Gibson, FBI special agent and assistant legal attache of the US Embassy in London, said the get-together focuses on an important area of information security policy. "But for the viruses there would be no spam. That's why we see ever more virulent viruses," he told delegates this week at the Computer and Internet Crime Conference in London.
Stop and think of the implications of his remark, and then add in the fact that viruses on GNU/Linux systems are so rare. I am not saying they could never be written, but I have never had one in all the years I have used GNU/Linux software. Can you Windows folks say the same?
Microsoft, an expert on security? Think. I understand that naturally the FBI needs to work with Microsoft to try to solve their problems, because the operating system is in such widespread use. But the rest of you can contribute to the health of the Internet by just not using IE any more. At least turn off ActiveX, and that's just for starters. Just switching to Firefox would help.
Wine is software that emulates Windows on a GNU/Linux system. The guys who run the Wine project decided to test whether Windows viruses can run under Wine. Here are the results -- essentially no -- and while they write their account in a very funny way, the virus problem is serious, and so is the spam problem, and I am quite serious in saying that I hope businesses do switch to Firefox, at a bare minimum, because people who use insecure products on the Internet impact the rest of us. If you guys would do your part, and stop enabling viruses, there would be no spam, according to the FBI. Think about it. Please.
If any of the rest of you wish to explain to the business community why this ComputerWorld article is inappropriate advice in your opinion, feel free to add your comments, with proof URLs. Speak as you would to your boss, and just explain all about ActiveX, the alleged need to test PCs' loads if you switch to Firefox, your own experiences with Microsoft's security patches, anything you wish to expound on that you can knowledgeably discuss. That way, we can have a nice page you can point your boss to, if he asks you about this ComputerWorld FUD.