Firefox FUD is Born
Friday, January 28 2005 @ 01:27 AM EST

Unbelievably enough, a Jupiter analyst, Michael Gartenberg, has written an opinion piece which ComputerWorld, unbelievably enough, has printed, cautioning businesses that they might want to think twice about switching from IE to Firefox because "Firefox lacks the ability to run Microsoft ActiveX code."

[Groklaw jaws drop all over the world in unison]

You may think he was doing a parody for The Onion, but I think he's serious. Yes, friends, I believe we are seeing the birth of the anti-Firefox FUD. Here's the man's so-called "opinion":

The reception that Firefox has received from consumers and the press might tempt business users to switch browsers, but there are some good reasons not to. Many mission-critical applications have been built on Internet Explorer, and most organizations don't have the budget or resources to recode them. In addition, PCs' application loads need to be properly tested to ensure that nothing breaks with the addition of a different browser. In the near term, many business users will be better served by keeping Internet Explorer and installing security updates as they're released. If they aren't dependent on Internet Explorer technology, however, some end users could use Firefox for their daily Web surfing while reserving Internet Explorer use for sites that require it. . . .

If Microsoft is spurred by Firefox's success to put more resources into Internet Explorer, it would help create a better experience for both businesses and consumers. That might even happen before Longhorn ships.

Well, FUD with a triple capital F generally meets with a Groklaw response, but before I could even warm up the engine, a Groklaw reader, Dr. Tony Young, did it for me.

Here is the email he sent to the analyst, which he has given me permission to share with you:

Dear Michael,

I read your article in Computerworld with great interest: http://www.computerworld.com/securitytopics/security/story/0,10801,99142,00.html.

What I wish to say below may not be precisely what you intended, and I am not up with ActiveX because I simply don't use it or encounter it. I find Firefox opens any web sites I require and as far as I know perfectly. Also I do my internet banking with it...and that covers all my needs.

You are partially correct, but I think that you miss the ultimate point: the real problem is ActiveX and the fact that Microsoft's IE **automatically** runs such code. In other words, if you design a piece of software to run things it sees on the web automatically, then you invite every spam merchant, malware and spyware agency to flock to your computer and run while you are logged on as system administrator and candidly, you deserve everything you get. I find it amazing that Windows users seem to think that it is normal to invite such software to run on their machines without any hindrance given that anything can be concealed in that code. The results speak for themselves: hard boots, blue screens of death, reinstallations, update antiviral codes, time costs, etc. etc. You don't do that with Linux.

The whole point about Firefox is that it is separate from the OS and DOESN'T run ActiveX automatically. And I'd go further, pray heaven it never does!!!! And that is the essential difference between Microsoft's proprietary OS which is now haemorrhaging because of its poor security design because IE is part of its coding, and Linux or FOSS which has been designed WITH security in mind. You actually have to choose to run a piece of software...not be told by a proprietary OS that such and such a piece of software is going to run whether you like it or not.

And finally, as regards cost of transfer...Do please add up all the system admin costs of virus protection, reinstallations, patches and the time they take...and think....now really, Firefox wins hands down.

I think Business in general has now reached the stage where it has little choice. Abandon Windows or remain in an ever increasing whirlpool of costs, viruses and reboots. Either do it now with minimal costs, or watch your ultimate costs of transfer steadily increase, because sooner or later, it will have to be done. There is little doubt in the statement that if we could remove the Microsoft OS from the world's computers and the internet tonight, almost 100% of viruses and malware would disappear and we would have a secure, user-oriented system.

Kind regards,

Dr. Tony Young

You can read about ActiveX in this chapter from an O'Reilly book, "Malicious Mobile Code", by Roger A. Grimes, on "Malicious ActiveX Controls". I strongly suggest any executive pondering whether or not to switch from IE to Firefox read this chapter and ask themselves if they want their business computers doing such things as IE permits. For the time-pressed, here is just one paragraph that ought to tell you all you need to know:

ActiveX's biggest problem is the way it incorrectly marks controls Safe for Scripting. Already used in several email worm attacks, these types of holes continue to appear. If Microsoft cannot correctly determine the safety and appropriateness of their own system controls, how can vendors be expected to? Following that problem is the growing use of unsigned code. The digital signing process is technical and expensive. Most ActiveX controls on the Web are unsigned. Many of those that are signed, are expired. I rarely come across a control that is signed and current. If ActiveX's security lives or dies on whether end-users correctly choose to trust or not trust unsigned controls to run, it appears doomed unless digital signing of code becomes widespread. If ActiveX controls become standardized across the world's web sites, as expected, we will surely see a rise in malicious code for ActiveX.

The book was written in 2001, so this is not a new problem. Here's a ComputerWorld article about an ActiveX flaw spreading viruses in 2000. And yes, there is an abundance of malicious code. Some call ActiveX viruses the most dangerous of all, because you can get them just by surfing the web. Here is Microsoft's patch for one IE ActiveX vulnerability, which allows someone to take over your computer if you visit a malicious web site, after which they can run any code they like on your computer. Do you think a spammer might enjoy that power?

For you businessmen who are not coders, what does it mean that if one of your employees visits a malicious website, any code can run on their computer? Well, actually it's *your* computer. Your business computer. This paper [PDF] says it means that worm writers who run the malicious website can then delete or change your files and your registry entries, and cause other serious system damage:

ActiveX is a popular technology among virus, Trojan horse, worm, and malicious scriptwriters.

This is due to the combined popularity of the Windows platform, the rich feature set that Microsoft exposes with ActiveX, and the lack of a sandbox - a barrier between the control and the rest of your system that is employed by Java technology. For example, worm writers may use ActiveX because the popular corporate e-mail client, Microsoft Outlook, exposes an ActiveX interface for accessing the Outlook address book. ActiveX viruses can also delete files, registry entries, and create other serious system damage.

Add to this the ActiveX security model, which is dependent both on the Internet Explorer (IE) security settings and on digital signing, which prompts users to accept or reject each control. If IE is set to allow all ActiveX controls, the user never sees the digital signing prompt and they are at particularly high risk for viruses and other malicious scripts. With a number of costly ActiveX viruses and worms in recent history, system administrators may be reluctant to trust their users to enable ActiveX controls, and can even set IE to accept no controls.

Of course, if the only safe way to run IE is to turn off ActiveX, then why not just use Firefox? That way, your employees don't have to be trusted to do right. And, according to Pest Patrol, there's "Hostile ActiveX (an ActiveX trojan that captures info from your machine or modifies your files.)" Think of what that can mean for your business, that an interloper can capture information from your machine and modify your files. Then the person can send that misinformation, as if from you. Talk about functionality.

As for waiting for Microsoft to fix things, here's a RISKS Digest (Forum on Risks to the Public in Computers and Related Systems) item from 1997 on ActiveX vulnerabilities, a year after ActiveX was first released. That's the track record. As for their skills, here is what they thought would happen, back in 1996 when they first developed ActiveX:

Microsoft appears pretty confident that Authenticode will work to ensure no viruses will be downloaded by users, and if by some chance they are, the source of the virus would be traceable, thanks to the digital ID.

Right. It's a design issue. Here is how Panda Software describes ActiveX: "ActiveX technology, patented by Microsoft, allows online programs to be run on computers through Internet Explorer. It also allows users to open Word or Excel documents directly through the browser. . . " So yes, the Jupiter analyst is correct, if you don't finish the thought, that you do lose some functionality with ActiveX turned off. But is it functionality you want and can afford to allow your employees to have?

But, you say, I'll just tell my geeks to make sure my business is fully up-to-date and patched. Better read this first:

A couple of weeks ago, Aunty reported to you that Microsoft had announced a patch for their ActiveX security flaw.

However, today the anti-virus experts at GeCad Net are reporting that the patch distributed by Microsoft does not fully fix the flaw (and try saying that three times fast!)

The Register has a story on a security pow wow, sponsored by Microsoft, Messagelabs and the FBI, whereby several UK MPs will be flying to the US next month to meet with politicians and agencies here "to discuss information security". Here's some confirmation from the article that Dr. Young is correct:

Ed Gibson, FBI special agent and assistant legal attache of the US Embassy in London, said the get-together focuses on an important area of information security policy. "But for the viruses there would be no spam. That's why we see ever more virulent viruses," he told delegates this week at the Computer and Internet Crime Conference in London.

Stop and think of the implications of his remark, and then add in the fact that viruses on GNU/Linux systems are so rare. I am not saying they could never be written, but I have never had one in all the years I have used GNU/Linux software. Can you Windows folks say the same?

Microsoft, an expert on security? Think. I understand that naturally the FBI needs to work with Microsoft to try to solve their problems, because the operating system is in such widespread use. But the rest of you can contribute to the health of the Internet by just not using IE any more. At least turn off ActiveX, and that's just for starters. Just switching to Firefox would help.
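"Turn off ActiveX" is a concrete setting, not a slogan: the security model the paper quoted above describes is a handful of per-zone IE policies, each set to Enable, Prompt or Disable, and the "accept no controls" choice is setting them all to Disable for the Internet zone. As an added example (mine, not from the article, the paper, or Microsoft), this PowerShell script reads the current user's Internet-zone ActiveX policies from the registry layout Microsoft documents for IE zone settings, flags any set to Enable (the case where the user never sees a prompt), and can set them all to Disable. The function names are my own, and the script assumes the documented value meanings 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added example, not from the Groklaw article: audit (and optionally harden)
# Internet Explorer's Internet-zone (zone 3) ActiveX policies for the current user.
# Registry layout and value meanings are Microsoft's documented IE zone settings:
# 0 = Enable, 1 = Prompt, 3 = Disable.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# The per-zone policies that make up the ActiveX security model:
# running controls, scripting controls (safe or not), and downloading them.
$activeXPolicies = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXPolicyReport {
    param([string]$Path = $zonePath)
    $zone = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in $activeXPolicies.Keys) {
        $value = $zone.$name
        if ($null -eq $value) {
            $setting = 'Not set (IE default applies)'
        } elseif ($meaning.ContainsKey([int]$value)) {
            $setting = $meaning[[int]$value]
        } else {
            $setting = "Unknown ($value)"
        }
        [pscustomobject]@{
            Policy  = $activeXPolicies[$name]
            Value   = $name
            Setting = $setting
            # Enable means the control runs with no prompt at all, the risky case.
            Risky   = ($value -eq 0)
        }
    }
}

# Sets every ActiveX policy in the zone to Disable ("accept no controls").
function Set-ActiveXDisabled {
    param([string]$Path = $zonePath)
    foreach ($name in $activeXPolicies.Keys) {
        Set-ItemProperty -Path $Path -Name $name -Value 3 -Type DWord
    }
}

Get-ActiveXPolicyReport | Format-Table -AutoSize
# To apply the hardened setting, run: Set-ActiveXDisabled
```

On a domain-joined machine, Group Policy values under HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 override the per-user values this script reads, so check that path too before trusting the report.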

Wine is software that emulates Windows on a GNU/Linux system. The guys who run the Wine project decided to test if Windows viruses can run under Wine. Here are the results -- essentially no -- and while they write their account in a very funny way, the virus problem is serious, and so is the spam problem, and I am quite serious in saying that I hope businesses do switch to Firefox, at a bare minimum, because people who use insecure products on the Internet impact the rest of us. If you guys would do your part, and stop enabling viruses, there would be no spam, according to the FBI. Think about it. Please.

If any of the rest of you wish to explain to the business community why this ComputerWorld article is inappropriate advice in your opinion, feel free to add your comments, with proof URLs. Speak as you would to your boss, and just explain all about ActiveX, the alleged need to test PCs' application loads if you switch to Firefox, your own experiences with Microsoft's security patches, anything you wish to expound on that you can knowledgeably discuss. That way, we can have a nice page you can point your boss to, if he asks you about this ComputerWorld FUD.

Groklaw © Copyright 2003-2013 Pamela Jones.

PJ's articles are licensed under a Creative Commons License. ( Details )