In the wake of a controversy stirred by hackers who claimed they found a way to use ActiveX code to make bogus money transfers, Microsoft Corp. today announced the formation of a program to educate users about the security risks of executable code.
Microsoft officials, who hastened to point out that any executable content downloaded from the Internet carries a potential risk, whether it's a Java applet, an ActiveX control or a browser plug-in, said the Web Executable Security Advisor Program will help users identify and guard against security breaches.
The program includes regularly updated information available on Microsoft's Web site (www.microsoft.com/security/) and plans for interactive online discussions on the issue as well as a customer roundtable conference on security concerns about executable code.
"This issue is by no means tied exclusively to ActiveX," said Tod Nielsen, general manager of developer relations at Microsoft, in Redmond, Wash. Nielsen dismissed the contention of some developers that Java code bypasses security problems.
"The concept of a sandbox is great, but in order to build applications that users can use to save [historical data] such as checking account programs, you need to bypass the sandbox," Nielsen said. "This is not a Java-vs.-ActiveX thing. It's any executable."
Concern over the security of ActiveX code was heightened two weeks ago when a German hacker organization claimed it had changed the code into a tool to transfer funds from the bank accounts of PC users running financial software applications.
Microsoft maintains that users setting their browsers to "medium" or "high" security should be safe from the hacked ActiveX code, adding that users of its Authenticode technology can verify the origins of any ActiveX code they download.