IE Flaws Should Come as No Surprise

By Peter Coffee  |  Posted 2004-07-12 Print this article Print

Developers have been warned about the risks of IE, and specifically of ActiveX.

Far too much of whats on the Web is only tested for use with Internet Explorer, with only casual interest in fixing any problems that might arise with other tools. I find these IE-specific sites when my usual browser, Mozilla, or my backup browser, Opera, arent able to load a page. When that happens, if I really and truly need that content, Ill fire up IE. More often than not, though, Ill find what I want somewhere else. As more users start using non-IE browsers as their preferred means of Internet access, I hope that sites will discover that their casual attitude toward content delivery is too costly to retain.
No one should get away with saying that the risks of IE, and specifically of ActiveX, caught them by surprise. In 1997, Microsofts Charles Fitzgerald told a group of Web application developers that if they wanted security on the Internet, they could unplug their computers. "We never made the claim up front that ActiveX is intrinsically secure," said Fitzgerald, then program manager of Microsofts Java team.
Lest anyone think that Fitzgerald was stating a rogue position, it was in that same year that Cornelius Willis, Microsoft group product manager for Internet platforms, gave the justly infamous warning, "We are concerned that users understand that all executable content on the Internet is potentially dangerous … The basic message here is: dont take candy from strangers." I suppose that "potentially dangerous" is sort of an average between "conceivably dangerous"—for example, an obscure implementation flaw in Java—and "intrinsically dangerous," the label that I unhesitatingly apply to ActiveX. If 1997 seems too much like ancient history, we can always take a shorter trip in the Wayback Machine to this past September, when we learned that ActiveX controls with known security problems could readily be reinstalled on a users machine if that user was rash enough to trust content signed by Microsoft Corporation. As I added upon learning of this problem, "the system not only comes out of the box unsafe, it almost appears designed to ensure that it stays that way." With all of this as background, pardon me if Im more exasperated than sympathetic with anyone whos finding it inconvenient to eschew all use of ActiveX. Im not completely lacking in sympathy: I know that I have to fight a constant battle for design and delivery of Web content based on standards, preferably on the common subsets of standards that are well supported by all reputable browsers. But I do manage to get through most weeks without telling Norton Internet Security to let pass even a single ActiveX control to load on my machine. The only exceptions are specific services like some of the Web conferencing platforms used by many vendors to give me product demonstrations; I dont approve, but Im willing to tolerate these special cases. Microsoft has taken the position that any recent version of Windows including Internet Explorer is "a single, integrated product." Well and good. When there are things that I want to do on Windows that need the IE piece of Windows, accessing known resources from trusted parties via Internet connections, Ill do them if Im sure I can do them safely. But when I want to use the Web—that is, the standards-based platform on which I can use a variety of content and engage in secure transactions with previously unknown parties—Ill use an application designed for that purpose. And that, it appears, does not mean IE. Technology Editor Peter Coffee can be reached at To read more Peter Coffee, subscribe to eWEEK magazine. Check out eWEEK.coms Security Center at for the latest security news, reviews and analysis.

Be sure to add our developer and Web services news feed to your RSS newsreader or My Yahoo page

Peter Coffee is Director of Platform Research at, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel