The Exploder Control Frequently Asked Questions (FAQ)

January 30th, 1997

Updated February 7th, 1997

Fred McLain

I've put together this page in response to the many questions e-mailed to me about the Exploder ActiveX control. All that is said on this site is simply my opinion. Trademarks on these pages are the property of their respective owners. I make no claim of ownership of any of these trademarks. I make no claim of accuracy of any of this information. Please don't sue me, I'm only trying to help.

The main Exploder page is at:

http://www.halcyon.com/mclain/ActiveX

Q: What does Exploder do?

A: Exploder performs a clean shutdown of Windows 95 from a web page. On "Green Machines", particularly those with a power-conserving BIOS (mostly laptop computers), it also turns the power off after shutdown. For the technical folks out there, this is a call to the Windows API function ExitWindowsEx() with the flags EWX_SHUTDOWN and EWX_POWEROFF set. For the less technical, it's the same thing as the "Shut Down" menu item on the "Start" button, but with the power off feature added.

Q: Is Exploder dangerous?

A: Not in itself. Exploder is a demonstration that ActiveX can be dangerous. It is possible that a misguided person might misuse Exploder in some way that would produce an unwanted shutdown of a person's PC by placing it in an unexpected location on a web site, but it's also possible to misuse just about anything. As Microsoft is fond of saying, "If you run with scissors, you might get hurt".

Q: Why Exploder?

A: I've been running BBS's for many years. During that time, whenever something dangerous became available for download somewhere, I felt it was my responsibility to warn the BBS users. Well, I don't do much with BBS systems since the web came along, but that hasn't changed how I feel about warning people. I believe ActiveX can be very, very dangerous. Exploder was written as an illustration of that danger.

Q: Why was Exploder removed from your web pages?

A: Rumor out of the Microsoft campus in Redmond (I live 20 minutes from there) was that the 800 pound gorilla that is Microsoft was going to make an example of me. The day after I heard about this, I got a call from VeriSign, the company that holds the code signing certificates for controls developed with Microsoft's ActiveX technology. It wasn't a casual call, but rather a teleconference call with two vice presidents and a product line manager. I felt forced to find a lawyer at my own expense. Simson Garfinkel (a very good reporter) put it best on his Packet web site: "McLain then got spooked by his lawyers, which is why he took the Exploder control off his Web site." My lawyer told me after one of these calls that what was likely to happen was a lawsuit against me, probably on the east coast, a restraining order and seizure of my equipment, all within the next 4 hours! My lawyer told me the best I could do is to file suit first, but the legal defense would still cost me in excess of $100,000.00. I also have a life. At the time all this was coming down I was in the process of preparing my home for my wife-to-be and her two children to move in. The chaos was too much for me, and I felt I'd already said what I had to say. At that time I had spent one day writing Exploder, and two weeks talking with lawyers. I do not feel good about being pressured into removing Exploder, but what would you do under the same circumstances?

Q: Why is ActiveX dangerous?

A: This is where I can still get into legal trouble. Let me preface this again with "All that is said on this site is simply my opinion". So, in my opinion, ActiveX is a danger. It's dangerous because of the basic nature of ActiveX, not because of a simple bug here and there. ActiveX is the same thing as OLE. Microsoft has repeatedly stated that ActiveX is OLE renamed. ActiveX/OLE is simply a Microsoft Windows software component. What does that mean? Well, it means an ActiveX control is essentially a Windows program that can be distributed from a web page. These controls can do literally anything a Windows program can do. That means you could write an ActiveX control to erase a hard drive. A control containing a virus or trojan can be written, distributed, and activated from a web page, and the viewer of the control might never know. A control could even scan your drive for tax records or documents the control's author was interested in, and e-mail them off to some other person. All this can be done in a control that pretends to be something interesting, like a video game.

If you watch what happens in Internet Explorer 3 when a page with an ActiveX control on it is hit, it's quite interesting. First of all, you see a download happen. Then a scary dialog box asking you if you want to download the control appears. Most people ignore the text at this point, and hit OK. Assuming you've told the machine that signed controls are OK, or press the OK on the pretty green certificate dialog, the control then activates. In the case of Exploder, the 10 second shutdown countdown happens next. In the case of a malicious control, any nasty thing could happen instead.

Q: Doesn't Code Signing and Microsoft's AuthentiCode technology prevent people from distributing malicious ActiveX controls?

A: No. Code Signing simply attempts to identify who signed the control. Anyone can go out and get a code signature. It's a pretty much automatic process. You go to a web site, give them a name, address, credit card number and some other stuff (none of which have to be yours), click "I Agree" on a page full of legal jargon, and pretty soon you get an e-mail with the information you need to sign the control in it. Once you have your Digital ID, you can sign any unsigned ActiveX control. Nobody reviews these controls! In other words, a signature doesn't tell you who wrote the control and it doesn't tell you if the control is safe or not. Heck, with the number of hot credit card numbers out on the net, it doesn't even tell you for sure who signed it. A danger is that seeing that a control is signed will give folks a warm fuzzy feeling about the control, and encourage them to run it, even though it does not guarantee their safety!
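The distinction drawn above, as an added example that is not part of the original FAQ: on current Windows, PowerShell's Get-AuthenticodeSignature reports whether a signature verifies and who signed, and the script below keeps the separate question of whether anyone has vetted that publisher. The function name, the folder path and the allowlist thumbprint are hypothetical placeholders.

```powershell
# Added example: "signature verifies" and "publisher is trusted" are two
# different decisions. A Valid status only says the file is unchanged since
# the named certificate holder signed it; it says nothing about behaviour.
function Get-ControlTrustDecision {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Hypothetical allowlist of publisher certificate thumbprints that
        # someone in your organisation has actually reviewed.
        [string[]]$TrustedThumbprints = @()
    )

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate   # $null when the file is unsigned

    $decision = if ($sig.Status -ne 'Valid') {
        'Block: unsigned, or the signature does not verify'
    } elseif ($TrustedThumbprints -notcontains $signer.Thumbprint) {
        'Review: validly signed, but by a publisher nobody here has vetted'
    } else {
        'Allow: validly signed by an allowlisted publisher'
    }

    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status
        Subject    = if ($signer) { $signer.Subject } else { $null }
        Thumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        Decision   = $decision
    }
}

# Hypothetical folder of controls to triage; the thumbprint is a placeholder.
$folder    = 'C:\Samples\Controls'
$allowlist = @('<PLACEHOLDER-PUBLISHER-THUMBPRINT>')

Get-ChildItem -Path $folder -Filter *.ocx -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-ControlTrustDecision -Path $_.FullName -TrustedThumbprints $allowlist
    } |
    Format-Table -AutoSize
```

A control signed with a freshly purchased certificate lands in the "Review" row: the signature is valid, yet nothing about the code has been checked.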

Q: Aren't signed ActiveX controls safer than downloading software packages?

A: No again. When you download a software package, you choose to go to the software publisher's site. You then choose to download the package. After it's on your machine, it doesn't run until after you choose to install it and run it. You don't get these choices with ActiveX, signed or unsigned. You can even run a virus scanner on a downloaded software package before you install it. You don't have a chance to do that with ActiveX before running the control. With ActiveX the control pops off the web page, gives you the same old scary dialog you've seen every time you download one of these things, and it simply runs at that point! You don't choose where it came from. In fact, if you've told Internet Explorer that signed controls are OK, you don't even see the scary dialog. Back in the BBS era, and on better FTP sites things were different. We (BBS operators) would not allow folks to download unknown files. We would take the file contributed to the BBS (usually in a separate directory called "Upload"), run it on a separate machine and see if anything harmful happened. If all was OK, and there were no rumors of a danger with it, we would then, and only then, make it available for download. No one checks ActiveX controls before they are made ready for download. Therein is the most dangerous aspect of ActiveX.

Q: Fred, aren't you just doing this because you're anti-Microsoft?

A: That's what the folks in Redmond say every time you point out a fault in their products. I'm not anti-Microsoft in particular. I'm not for any software company that puts out a poor quality product. I'm especially unhappy with companies that put out products that may lead to serious harm to the users. Enough said?

Q: Fred, do you work for Microsoft, Sun, or Netscape?

A: No I don't. There have been interesting overtures from one of these companies since I wrote Exploder, but to date I've never done any work, or accepted any money from any of them. I also have not made any money off of Exploder in any way.

Q: OK, you've complained about ActiveX enough. What are you doing about it?

A: Well, I wrote Exploder. I've told my tale to many reporters who have called. I didn't try to contact any of these folks myself; they all called me first. I've also made several recommendations to the folks in charge at Microsoft, although their only response was to change the user interface on Internet Explorer so that unsigned controls cannot be downloaded unless you set the security level to medium (the default is now high, it was medium on the beta release). I also contacted a person in charge of security concerns with ActiveX at Microsoft, and offered my services to help identify what needed to be fixed. After a month or so, he called me back and said that the team they were going to put together for finding security holes there was canceled because of a lack of interest at Microsoft.

Q: Can ActiveX be fixed?

A: For quite a while my answer to this was no. After all, you can't make a silk purse out of a sow's ear. After thinking about it some more, with quite a bit of work perhaps it could be fixed. If Microsoft ran ActiveX controls in what they term as a "Sandbox", one could prevent disk writes, and other dangerous actions from taking place. I find it very unlikely that Microsoft will do this.

Q: Exploder is currently an unsigned control, what's up and how do I use it?

A: I've been in an ongoing discussion of what Exploder does with VeriSign for many months now. Until things are resolved there, my lawyer tells me it's best to not sign the control myself. To use Exploder you can sign it yourself (see below), or set your security level to medium in Internet Explorer. Here's how you set the security level:

  1. Click on the View menu
  2. Click on the Options menu item
  3. Click on the Security tab
  4. Click on the Safety level button
  5. Click on the Medium radio button
  6. Click OK twice

Once this is done you'll have the option of downloading and using unsigned controls in Internet Explorer. You may want to set the security level back to high after viewing my control. On recent versions of IE I've had trouble getting unsigned controls to work at any security level. This is a difficult thing to debug; I'm unsure of the exact cause of these problems. There may be a bug in the current releases of IE that affects unsigned controls.

Q: I want to use Exploder on my web page, what do I do?

A: First of all, please do not do anything illegal, immoral, or nasty with Exploder. Please do not violate any agreement you might make with VeriSign in the process of getting your Digital ID. I am not encouraging people to use Exploder, but I've gotten so many requests for information on how to use it I feel compelled to answer the question here. So, that having been said, here's what you could do if you wanted to use Exploder on your web pages. First download the source package for Exploder. In there you'll find the Exploder.ocx file after you install the source. Feel free to run a virus scan first, in case all this makes you nervous. Go get your own code signature, and sign the control. You have my permission to use the control and web pages associated with it as long as you do not try to hurt anyone with it. Sign the control, and follow my directions for putting it up on your site. Try it out, it should work just fine.

To download the source package go to http://www.halcyon.com/mclain/ActiveX/Exploder/Exploder1b3.exe.

To get your own Digital ID go to http://digitalid.verisign.com/codesign.htm.

To find out how to sign a control go to http://www.microsoft.com/INTDEV/SECURITY/AUTHCODE/SIXSTEPS.HTM.

To find out how to place the Exploder control on a page go to http://www.halcyon.com/mclain/ActiveX/welcome.html#using.

Q: It seems like you should get something out of this, what can I do to help?

A: You could hire our company to write software for you. Apropos excels in writing C++/MFC, ActiveX, Java, CGI and Unix software. Take a look at who we are at http://www.accessone.com/apropos.


Copyright © 1997, Fred McLain

mclain@halcyon.com

http://www.halcyon.com/mclain