Staff Writer, CNET News.com
While security experts applaud Microsoft's recently released Service Pack 2, some companies that distribute their software over the Web are watching the product's introduction with dread and suspicion.
For years, software developers have offered applications to the world in Microsoft's Internet Explorer Web browser through the company's powerful proprietary API (application programming interface) called ActiveX. The technology starts up external applications, or "plug-ins," within a Web page.
But a tool that can run good software in a browser can also run bad software, and as a result ActiveX has been implicated in a wide array of , most recently in the surreptitious installation of adware, spyware and worse.
Microsoft's Service Pack 2, the security-focused update for the Windows operating system released this month, clipped ActiveX's wings with a more cautious alert system that springs into action when a Web site tries to run an ActiveX control, sprout a pop-up window or run other code.
In the past, IE prompted users with a simple "yes" or "no" option on a security screen before allowing plug-in installations. With SP2, Microsoft blocks ActiveX controls from running by default and flashes an explicit warning that unknown software can cause harm to a PC. Users who still want to install a plug-in must now take a series of complex steps to override the protection scheme.
The changes have alarmed some software vendors that depend on ActiveX and have aroused suspicion that Microsoft is using security imperatives to further its strategic ends.
"We are holding our breath waiting for it to fully deploy," said Alex St. John, who helped create Microsoft's DirectX graphics software during his tenure at the company from 1992 to 1997 and who now runs the WildTangent 3D games site. "Most likely what the user will do is be alarmed and confused by the SP2 warning and just cancel the whole thing. And a large percentage of people will not realize what happened in the first place...This destroys all business models associated with being able to play content in the browser."
Another vendor agreed that SP2 would disrupt the Web-based distribution of his 3D plug-in product.
"It's going to confuse end users," said Tony Parisi, founder of San Francisco-based Media Machines and co-creator of the VRML (Virtual Reality Modeling Language) and X3D (Extensible 3D) Web graphics specifications. "And I think this will hobble the independent software developers who have been using the Web and IE's great and relatively cheap way of distributing a product. I understand the security issues, but I think this is going to set the ISVs back," he said, referring to independent software vendors.
Years of gripes
The security issues aren't small. Microsoft's reining in of ActiveX follows years of complaints that the company and years of . Two and a half years ago, Bill Gates, Microsoft's co-founder and chief software architect, declared that security had become .
IE has long required users to verify they wanted an ActiveX control loaded. But pre-SP2, those warnings proved both spoofable by malicious hackers and ineffective through repetition and the ease of clicking through them.
"What we found was that most users were becoming accustomed to saying 'OK' and not reading the (ActiveX warning) dialog," said Doug Stamper, an IE group program manager who worked on SP2. "We made these changes in the ActiveX user experience because users were getting drive-by downloads."
At the heart of the changes is Microsoft's new "information bar," a thin strip just below the Web address bar that carries warning messages. To allay concerns that users might miss the information bar, SP2 pops up a dialogue box pointing it out every time, until the user checks a box asking it to go away for good.
Depending on what a Web site has attempted to do, the information bar flashes a variety of warnings. When a site tries to run an ActiveX control, the bar reads, "This site might require the following ActiveX control...Click here to install."
For some software downloads—the free RealPlayer, for example—the bar reads: "To help protect your security, Internet Explorer blocked this site from downloading files to your computer. Click here for options."
Microsoft said its research showed that the new system wasn't perfect, but that most people were able to navigate it.
"Our usability study and our engineering process suggest that this fared very well," Stamper said. "It wasn't 100 percent, but the vast majority understood its purpose."
The changes to ActiveX are by no means the only sources of potential problems thrown up by SP2.
Microsoft and its partners have been expecting that its launch would result in a flood of calls to vendors. One study found that information systems managers feared it would turn out to be the .
In addition, computer makers are warning their customers to before downloading SP2 through Windows' automatic update software.
Strategy through security?
With the Net reeling from one Windows-related security crisis after another, one industry analyst defended Microsoft's restriction of ActiveX.
"This is one of those issues where Microsoft is damned if it does and damned if it doesn't," Peter O'Kelly, an analyst at the Burton Group, said. "If there's a trade-off between fixing security for everyone versus inconveniencing some ISVs and some end-users, it's not going to be much of a choice."
Microsoft's critics have suggested that the company's security measures have been implemented in ways that bolster its own businesses at the expense of others.
St. John, for example, noted that by switching from common Web technologies to Microsoft's .Net framework and the C# programming language, he would be able to bypass the new ActiveX security protocol. Because many of his gamers are on dial-up connections, he says .Net's comparatively bulky download makes that a bad option.
"Maybe breaking ActiveX forces a look at .Net," St. John said. "And it's all done with the pretext of security."
Making ActiveX harder to use could have an adverse effect on several software titles that compete with Microsoft's technologies. These include Apple's QuickTime media player, RealNetworks' RealPlayer, Adobe Systems' Acrobat document reader, and Macromedia's Flash animation software and Flex application server software.
One provider of Flash-reliant software for creating Internet-based applications put the matter more plainly.
"Most of the Net's security problems are not related to ActiveX," said David Temkin, chief technology officer for Laszlo Systems in San Francisco. "Microsoft is using this as an opportunity to tighten its control over client technologies. That's not a good thing for Flex, for Real, for QuickTime, and on and on and on."
Microsoft dismissed the notion that it was using security as a strategic pretext.
"The changes we made were to the benefit of the customer, putting the maximum information in their hands so they have control and informed notice and can give informed consent," Stamper said. "We do not prevent (software vendors) from working."
Echoes of the past?
Microsoft's defense may ring a bell for those who have followed the rise of the Windows operating system.
In 1999, the company had to charges by operating system competitor Caldera that Microsoft had to arise with Caldera's DR-DOS software. Microsoft that case in 2000.
Today, Microsoft's critics point to two high-profile competitive struggles where SP2's ActiveX warning system could make an impact: media players and Internet-based productivity applications.
Because Windows Media Player comes preinstalled with Microsoft's operating system, it enjoys an immediate advantage over competitors such as RealPlayer and QuickTime. If Microsoft's new warnings scare off users from loading ActiveX controls, that could increase that advantage.
RealNetworks currently has an pending against Microsoft, in which it claims the Windows monopoly is limiting consumer choice in online media players.
Citing its antitrust case, RealNetworks declined to comment for this story.
Adobe, which increasingly , declined to comment on the potential vulnerability of its Acrobat document reader plug-in. Apple declined to be interviewed but said in a statement: "We've tested QuickTime running with Microsoft's SP2 update in Windows XP and have not seen any negative effects for plug-in based content."
Macromedia also sought to quell concern over its ability to distribute its Flash player through SP2, stressing that since the spring it had worked with Microsoft on the release to strike a balance between better security and ease of use.
Independent software companies that believe the present ActiveX warnings are bad should have seen the trial versions, said Kevin Lynch, Macromedia's chief software architect.
"Initially, the experience for end users installing ActiveX controls made it pretty difficult to get through that successfully," Lynch said. "The wording of the prompts was not very clear about what was being asked of the user, and it erred too much on the side of saying 'This will be dangerous to your machine.' But Microsoft was very responsive, and we got to the point where we're happy with the process."
Macromedia's relationship to Microsoft could be described as a textbook case of cooperative competition. On the cooperative side, Microsoft is largely responsible for the nearly ubiquitous distribution of Macromedia's Flash player, because it bundles version 5 of the software with Windows XP.
Macromedia Flash has the distinction of being the only third-party software packaged into SP2. That bundling means Windows folks will get an automatic upgrade to Flash 6 from Flash 5.
On the competitive side, Microsoft chose not to bundle Macromedia's latest player, Flash 7. That's what computer users need to run applications that work with Macromedia's Flex platform for Internet-based applications. The combination of the Flex server software and Flash 7 aims to provide exactly the kind of graphics-intensive, speedy Internet applications that Microsoft plans to offer with its update to Windows.
"Microsoft doesn't want to ship Flash 7," Burton analyst O'Kelly said. "I don't disagree with the speculation that Microsoft sees that as more competitive" than earlier versions of Flash, he added.
A Microsoft representative said the company chose Flash 6 over Flash 7 for technical and security reasons.
Macromedia said that Microsoft had originally cited concerns by the European Union over self-updating software as a strike against Flash 7. Microsoft later withdrew those concerns, Macromedia said.
Whatever Microsoft's motivations, the decision means people will have to leap ActiveX security hurdles if they use an SP2-loaded system to open a Web page that requires Flash 7.
Flash 7 adoption has made swift progress, Macromedia said. The company estimates that the software now sits on more than 66 percent of computers on the Internet in the United States and 81 percent in Europe.
Other software vendors remain anxious about life under the new security regime.
"It's exacerbated the plug-in problem," said Media Machines founder Parisi. "Just when my customers' clients are over the problem of handling plug-ins, they have a whole new hurdle they have to jump."
And while plug-in vendors brace for SP2, Laszlo Systems is preparing for worse things to come, aware that software developers who rely on Flash and ActiveX live by Microsoft's good graces.
"The real uncertainty around this isn't with SP2," said Temkin, the company's technology chief. "The real uncertainty is with Longhorn. Is Microsoft going to be bundling any version of Flash whatsoever? Will they make it difficult to access or scare people into not downloading it? Our approach is that some time before the shipment of Longhorn, our software will be made to work with the .Net client—which means that no installation of ActiveX will be necessary."