More ActiveX Restrictions
So what's the advantage of the native control? It means you can block all ActiveX controls and still do AJAX. Why would Microsoft do this? Do they think the XMLHTTPRequest object is unsafe? I don't think so. I'm more inclined to believe that customers asked for it, and the company wants its customers to be happy and stick with IE, especially now that Firefox presents a credible alternative. But whatever the merits of their desire to do so, it means that some customers, important ones, want to avoid ActiveX, and Microsoft is willing to help them out.

IE 7 goes further in the move away from ActiveX: a new feature (really more of a design mandate) called "ActiveX Opt-in" dictates that only a few very popular and well-vetted controls (like Flash) will work at all in the default IE7 setup. All others will be disabled by default, even if they have been previously installed on the system. Pages that invoke these disabled controls will cause IE7 to show one of the now-familiar "information bars" at the top of the browser window, and the user will have to explicitly approve execution of the control.

Opt-In is something that will affect many users, causing them to have to make security decisions and, no matter how hard Microsoft tries, roughing up the user experience. Put another way, it will discourage the use of ActiveX by developers and corporate IT; that's how I would see it if I were a developer or in IT.

I've already said that Microsoft has gone down this road because customers asked for it, and I'm sure that's true, but there might be another reason: the Eolas patent. After losing rulings in a patent suit, Microsoft was forced to make the process of invoking embedded content, such as ActiveX controls, more difficult. (The patent itself is famous nonsense, among the most obviously flawed you'll ever see, but lawyers, it seems, can make up the rules as they go along.)
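As an added illustration (not code from the column), here is the request-object selection that IE7's native XMLHttpRequest makes possible: a page tries the native object first and only falls back to the ActiveX-based one, so a client with ActiveX blocked keeps working on IE7 but loses AJAX entirely on older IE. The `env` parameter, the `createRequest` name and the fake environments are assumptions so the logic can be exercised outside a browser.

```javascript
// Added example, not from the column: pick the HTTP request object the way
// IE7-era pages did, preferring the native XMLHttpRequest that IE 7 ships and
// falling back to the ActiveX-based object only on older IE.
// `env` stands in for the browser `window` (an assumption for this example).
function createRequest(env) {
  if (typeof env.XMLHttpRequest === "function") {
    return { kind: "native", request: new env.XMLHttpRequest() };
  }
  if (typeof env.ActiveXObject === "function") {
    // Older IE: the XML HTTP object is itself an ActiveX control, so a
    // "disable ActiveX" setting throws here and the page has no AJAX at all.
    var progIds = ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP"];
    for (var i = 0; i < progIds.length; i++) {
      try {
        return { kind: "activex", request: new env.ActiveXObject(progIds[i]) };
      } catch (e) {
        // control blocked or not installed; try the next ProgID
      }
    }
  }
  return { kind: "none", request: null };
}

// Constructed stand-ins for browser environments (not real browsers).
function FakeNativeXhr() { this.source = "native"; }
function FakeActiveX(progId) { this.source = progId; }
function blockedActiveX() { throw new Error("Automation server can't create object"); }

var ie7ActiveXBlocked = { XMLHttpRequest: FakeNativeXhr, ActiveXObject: blockedActiveX };
var ie6ActiveXAllowed = { ActiveXObject: FakeActiveX };
var ie6ActiveXBlocked = { ActiveXObject: blockedActiveX };

// Which object each environment ends up with.
function demo() {
  return {
    ie7Blocked: createRequest(ie7ActiveXBlocked).kind, // "native"
    ie6Allowed: createRequest(ie6ActiveXAllowed).kind, // "activex"
    ie6Blocked: createRequest(ie6ActiveXBlocked).kind  // "none"
  };
}
```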
What are the options? Obviously ActiveX served many legitimate, as well as illegitimate, purposes all these years. I see a series of answers, mostly resolving down to two approaches. AJAX-type interfaces will mitigate the need to resort to native code on the client, especially when combined with richer server-side code. Also, if enough of the few approved controls provide programming interfaces themselves, then developers who might have gone through ActiveX can use them as alternatives. The obvious ones are Java and Flash (and Sparkle?). Of course, this puts the security onus on the developers of those systems. Neither of them is perfect, and the same corporate types who are nudging Microsoft away from ActiveX probably frown on Java and Flash as well.

This slow march away from ActiveX will probably tend to increase security generally, because it will make it harder for developers to get their code running on users' systems, especially native code on the client. This won't be as big a blow for security as some will think, but it's a step forward, and it's a further admission that default settings for Internet-facing programs should be restrictive. That's the long-term destination for Windows.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.