Chapter 12. Mobile Code I: Plug-Ins, ActiveX, and Visual Basic


Web browsers are amazing technology, but from the very birth of the World Wide Web, they have never provided enough functionality for web developers. Browsers, after all, are static programs: a browser can only display so many types of information in so many ways. For this reason, from the start, web developers have looked for ways to augment the functionality of browsers by asking users to download and run additional programs. Sun, Microsoft, and Netscape have further developed technologies for automatically downloading and running programs on demand. Programs that move in this fashion are frequently called mobile code.

Most mobile code behaves as expected. But it doesn't have to. Many programs have bugs in them: running them will occasionally cause your computer to crash. Some programs are downright malicious; they might erase all of the information on your computer's disk, plant a virus, or seek out confidential information stored on your computer and transmit it to a secret location on the Internet. And some companies have used active content to learn the email addresses or browsing history of people who thought that they were anonymously browsing a web site.

Thus, the purveyors of mobile code systems have had to walk a tightrope. They've had to design systems that have tangible benefits for both web publishers and users, while simultaneously limiting the malicious damage that these systems can create. This balance has been tremendously difficult to achieve. All of the mobile code schemes discussed in this chapter have suffered security lapses that would allow a malicious web operator to download programs that could then install viruses or reformat the hard disks of anyone who visited the hostile web site or received the hostile code by email.

Although the majority of mobile code security problems have been quickly fixed, other structural flaws remain. If you are working in a high-security environment, your safest bet is to disable active content technologies and avoid downloading new programs unless the new programs specifically correct a security problem with an application that you have already installed.



Web Security, Privacy & Commerce
Web Security, Privacy and Commerce, 2nd Edition
ISBN: 0596000456
EAN: 2147483647
Year: 2000
Pages: 194
