Microsoft has published a white paper refuting claims made by Sun and, more specifically, by Sun CEO Scott McNealy, who did an "ActiveX demo" last week at JavaOne. Microsoft's response is interesting, and while I will leave it to you to read the whole thing, here are a couple of quotes:
"The reality is that this is not a security flaw in ActiveX. The exact same demonstration can be created with any programming language, and be written as a Netscape Navigator Plug-in, or as a Java applet with the next version of Java."
"What Mr. McNealy did not mention is that the author of [the] malicious [ActiveX] program may not be able to receive a license (digital certificate) to create and sell software in our industry because he violated the trust-based license agreement."
"The next version of Java proposes a trust-based security model similar to the ActiveX model that Microsoft has been shipping since August 1996. [Sun], too, realizes that developers cannot build useful applications within the constraints of their so-called 'secure' technology...Please don't just take our word for the fact that both Sun and Netscape are pursuing a trust-based security model. Check out the information on their own Web sites:
Read Sun's trust model
Now compare these with Microsoft's"
"At the JavaOne ActiveX demo, a key fact that Sun and subsequent press articles did not point out was that Mr. McNealy was given the option to NOT download the program and was warned by Internet Explorer of the risks of running programs from untrusted authors."
Well, OK. Clearly, Microsoft and Sun are involved in the deadly game of winning developer and consumer mindshare. While I still think ActiveX has some pretty serious security issues, Microsoft is correct about Java heading toward an ActiveX-style security model, a point I've made in previous issues of WinInfo. It'd be interesting--and ironic--if Java were one day successful because of this very decision.