What is the difference between ActiveX and Java
This has very dangerous implications. Because ActiveX controls have full access to client computers, they can cause secrecy, integrity, or necessity violations.

This paper does not consider the integration between Java and COM in Microsoft's virtual machine, and whether this integration has its own design flaws.

ActiveX defines a way to mark controls that take data from their environment, in an attempt to prevent trusted controls from being exploited by untrusted code. Each control can optionally be marked as "safe for scripting", which means that it is intended to be safe to make arbitrary calls to the control from a scripting language. It can also optionally be marked as "safe for initialisation", which means that it is intended to be safe to specify arbitrary parameters when the control is initialised.

These markings reflect the opinion of the control's author, which may be incorrect.

Case study: IntraApp

IntraApp is an ActiveX control written by a small independent software company, and signed by its author using a Verisign Individual Software Publisher's certificate. This control had a fully functional demonstration version available on Microsoft's "ActiveX gallery" for several months. As its name suggests, it is intended to be used on intranets, rather than the Internet. The purpose of this control is to allow the user to run arbitrary programs on the client machine, by selecting an icon on a web page, and clicking a "Run" button.

The list of programs that can be run is stored in a configuration file, which is specified as a URL in a parameter to the control, i. In fact, the whole control is highly configurable; the icons, the caption for each program, and the caption on the "Run" button are set using the same configuration file. As mentioned earlier, ActiveX does not attempt to authenticate the web page on which a control is placed.

It is very easy to implement a third party attack using IntraApp, by writing a configuration file which displays a harmless-looking icon and captions, and runs a batch file or other program supplied by the attacker when the "Run" button is clicked. The IntraApp control is tagged as "safe for initialisation". That is, it is possible to specify its parameters on the web page that calls it, without the user being warned. At least one version was also marked as safe for scripting, although this is not needed to use the control maliciously.
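One mitigation a control author could apply against the third party attack just described, shown as an added example that is not IntraApp's code and is not part of the original text: before fetching the configuration file named in its parameter, the control checks that the URL points into the intranet domain it was built for (ALLOWED_DOMAIN is an assumed placeholder), so a configuration file hosted on an attacker's site is refused.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Intranet domain the control is deployed for: a constructed placeholder. */
#define ALLOWED_DOMAIN "intranet.example"

/* Copy the lowercased host part of an http:// or https:// URL into host.
 * Returns 0 on success, -1 for any other scheme, an empty host, a host that
 * does not fit, or an authority containing '@' (user@host confusion). */
static int url_host(const char *url, char *host, size_t n) {
    const char *p;
    size_t len, i;
    if (strncmp(url, "http://", 7) == 0)       p = url + 7;
    else if (strncmp(url, "https://", 8) == 0) p = url + 8;
    else return -1;                            /* file:, ftp:, javascript: ... */
    len = strcspn(p, ":/?#");                  /* host ends at port/path/query */
    if (len == 0 || len >= n || memchr(p, '@', len) != NULL) return -1;
    for (i = 0; i < len; i++) host[i] = (char)tolower((unsigned char)p[i]);
    host[len] = '\0';
    return 0;
}

/* 1 if the configuration URL lies in ALLOWED_DOMAIN (exactly, or as a
 * subdomain on a '.' boundary), 0 otherwise. */
int config_url_allowed(const char *url) {
    char host[256];
    size_t hl, dl = strlen(ALLOWED_DOMAIN);
    if (url_host(url, host, sizeof host) != 0) return 0;
    hl = strlen(host);
    if (hl == dl) return strcmp(host, ALLOWED_DOMAIN) == 0;
    /* "evil-intranet.example" must not pass: require a dot before the suffix */
    return hl > dl && host[hl - dl - 1] == '.'
        && strcmp(host + (hl - dl), ALLOWED_DOMAIN) == 0;
}

int main(void) {
    const char *urls[] = {                     /* constructed sample URLs */
        "http://intranet.example/intraapp.cfg",
        "http://apps.Intranet.Example:8080/intraapp.cfg",
        "http://evil-intranet.example/intraapp.cfg",
        "http://intranet.example@evil.example/intraapp.cfg",
        "file:///C:/intraapp.cfg",
    };
    size_t i;
    for (i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-52s %s\n", urls[i], config_url_allowed(urls[i]) ? "allowed" : "refused");
    return 0;
}
```

This narrows only this control's exposure; it does not change the ActiveX design problem the text describes, since a signed control still runs wherever a page embeds it.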

I contacted IntraApp's author in private e-mail, and established that: there was no deliberate intent to write a hostile control; the author did not take into account the possibility of the configuration file being written by an attacker; and the author had a different idea of what signing meant than the intended one.

To him, a signature implied authorship, not responsibility. The IntraApp control is insecure despite working exactly as designed. Controls may also be insecure because they have bugs that can be exploited by an attacker. A common type of programming error in the languages these controls are typically written in, C and C++, is to copy a variable-length string into a fixed-length array that is too short (a "buffer overflow" bug).

Many security attacks against network servers and privileged Unix programs have exploited this type of error in the past, the most famous example being the Internet Worm of 1988. Several of the controls displayed in the ActiveX gallery (signed by well-respected companies, including Microsoft) had overflow bugs that caused them to crash when passed long parameter strings. This does not in itself mean that the controls are exploitable, but it indicates that they were programmed without particular attention to avoiding overflow.

It is likely that this also means that more complicated security issues have also not been addressed, since overflow bugs are among the simplest security bugs to correct. At the time of writing of this paper, a more extensive search for exploitable controls has not been done. How significant this type of attack is to the security of ActiveX depends on other factors.
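The error class described above, shown as an added example that is not code from any control in the ActiveX gallery or from the original text: a control stores a caption taken from a page parameter in a fixed-size field, first in the unchecked form that corrupts memory on a long parameter, then in a form that validates the length and refuses oversized input. The names set_caption_checked and try_caption_of_length are assumed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define CAPTION_MAX 32           /* fixed-size field, typical of early controls */

struct control_state { char caption[CAPTION_MAX]; };

/* Vulnerable pattern: nothing checks the parameter length, so a caption of
 * CAPTION_MAX or more bytes writes past the end of the array. Kept only for
 * contrast; never call it with input taken from a web page. */
static void set_caption_unchecked(struct control_state *cs, const char *param) {
    strcpy(cs->caption, param);
}

/* Hardened version: measure first, reject what does not fit (rather than
 * silently truncating), then copy. Returns 0 on success, -1 if too long. */
int set_caption_checked(struct control_state *cs, const char *param) {
    size_t len = strlen(param);
    if (len >= sizeof cs->caption) {
        cs->caption[0] = '\0';   /* leave the field in a defined state */
        return -1;
    }
    memcpy(cs->caption, param, len + 1);   /* includes the terminating NUL */
    return 0;
}

/* Feed the hardened setter a caption of `len` bytes of 'A' (a constructed
 * stand-in for a long page parameter) and report its verdict. */
int try_caption_of_length(size_t len) {
    struct control_state cs;
    char buf[1024];
    if (len >= sizeof buf) return -1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return set_caption_checked(&cs, buf);
}

int main(void) {
    struct control_state cs;
    size_t lens[] = { 3, CAPTION_MAX - 1, CAPTION_MAX, 200 };
    size_t i;
    set_caption_unchecked(&cs, "Run");   /* safe only because "Run" fits */
    printf("caption: %s\n", cs.caption);
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%3zu bytes: %s\n", lens[i],
               try_caption_of_length(lens[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```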

For example: for how long is an exploitable control a problem? Unfortunately, in the case of ActiveX the answers to these questions are about as bad as they could be. Early versions of ActiveX would always display a warning instead of the certificate if the date of installation on the user's machine is after the certificate expiration date (typically certificates are valid for a year). In recent versions a timestamping feature has been added that allows the signer to create signatures that will be valid indefinitely.

In this case only the date of signing is checked, not the date of installation. The IntraApp signature has since expired, but if a similar problem occurred for a timestamped control, the signature would never expire. Developers are encouraged by Microsoft to timestamp their signatures. In Internet Explorer 4. Revoking a certificate would in any case be a poor solution to a bug in a single control version, because it means that every other control signed by the same principal would have to be re-signed.

It is also possible to search for ActiveX controls and store them, so that security bugs can be tested for and possibly exploited later. There is no way to specify that a control is only to be used in a particular intranet; once it has been signed, it can be used anywhere.

This is done by specifying a high version number in the HTML page, to make sure that the control to be downloaded initially appears to be later than any cached control. There is no way for the user to reliably distinguish a legitimate use of a control from an attempted third party attack.

The combined effect of these answers is to magnify the seriousness of simple mistakes by control writers. Unlike a browser implementation bug, where there is always an opportunity to fix the browser in its next version, there is very little that anyone (the browser vendor, the writer or signer of the control, the certification authority, or the end-user) can do about a control that is being exploited.

The issue of migrating existing OCXes and programming staffs into the intranet may be the defining one. Most companies have a tremendous sunk cost in existing business logic and overworked programming staffs.

Reusing existing logic and programmers may well make ActiveX a standard behind the firewall. Business logic must execute somewhere. When it must execute across both clients and servers, Java has the edge.

Java has the best hope of providing true platform-independent computing. On the server, in particular, Java has a real opportunity to shine. As JDBC database connectivity becomes prevalent, as Java finds its way onto virtually every computer architecture and operating system, and as better development tools find their way to market, Java will have removed all technical obstacles from its path to becoming the king of serverdom.

No matter how successful Microsoft is in making ActiveX an industry standard, it does not have the potential to be a major player on non-Wintel servers.

Windows NT is rapidly making inroads into the market for corporate servers. Unless and until ActiveX becomes a cross-platform standard, it will always have a problem in dominating the intranet. Java is a winner in the Internet, where heterogeneous computing is mandatory.

Both Java and ActiveX have major advantages in the intranet. The next several years will see many ups and downs for both technologies.

Market share will be as important as technology in determining the victor. Only Netscape's 40 million browsers have a chance of competing with Microsoft's enormous installed base. It's still too close to make a call in the intranet. If Java wins, the most important reason will be this: The best, most portable, most heterogeneous ActiveX component in the world is a Java applet.
