Saturday, July 20, 2013

Microsoft's ActiveX is a black hole in South Korea's cyber security

For quite a few years now, I've been happily using Skype, including the paid Skype-out service, which allows low-cost calling directly to telephones anywhere in the world. A few weeks ago I logged on to add another $25 to my Skype-out account, only to find to my astonishment that the service had disappeared! Instead I was directed to a new web page hosted by the Daesung Group that described a new set of services and calling rates and instructed me to download an ActiveX control in order to purchase Skype credits! Of course, that would have meant installing Microsoft's Internet Explorer browser, which I abandoned years ago in favor of the faster, safer and more efficient Chrome browser.
I tell this story only to illustrate a much larger problem, as reported today in The Korea Herald. Continued widespread use of Microsoft's ActiveX control in Korea creates a massive security problem. As the accompanying graphic shows, there has been a series of massive leaks of personal information over the past five years. This issue is so important that I'm going to include a lengthy quote from the newspaper article below.

"Many Korean websites depend on Internet Explorer’s cumbersome “ActiveX” platform, posing another risk factor. KAIST professor Lee Min-hwa said, “ActiveX is a program that momentarily disarms the computer to download codes from an outside source, which can be abused by hackers seeking to plant malicious codes.” Lee, one of the key patrons of President Park Geun-hye’s signature science and technology-based “creative economy,” said that Korea’s dependence on the ActiveX-based public key certificate system created a “black hole” in cyber security. The public key certificate is a type of digital document that enables online transactions. Korea’s online regulations require that certificates should be issued for any transaction worth more than 300,000 won ($268), and the issuance also requires a download of proprietary software on Internet Explorer via ActiveX. The mechanism, introduced in the late 1990s, is intended chiefly for South Korean citizens who use Microsoft Internet Explorer. Other Web browsers, such as Google’s Chrome, do not support ActiveX, and the whole system means foreigners often find it virtually impossible to purchase items on Korean websites. The mix of ActiveX and the key certificate system was originally designed to protect personal data, but experts say it is now making computers in Korea more susceptible to cyber attacks and identity theft."
