Microsoft Will Kill ActiveX Controls - If You Ask

By Larry Seltzer  |  Posted 2008-04-18

The precedent is set, as Microsoft killed a Yahoo ActiveX control with its last round of updates. 

Microsoft's April Patch Day disclosed serious vulnerabilities and important patches to the operating system, but in the long term I think the most interesting one was MS08-023: Security Update of ActiveX Kill Bits.

This update addresses two vulnerabilities by setting three "kill bits" in the registry for those controls, disabling them. Two are Microsoft controls that suffered from a vulnerability disclosed in this report. The third is a third-party control, the Yahoo Music Jukebox. Until a February update to that product, it shipped with two buggy ActiveX controls. MS08-023 mops up afterward by making sure that the old, buggy code is disabled.
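What a kill bit actually is, as an added PowerShell example that is not part of the article and is not Microsoft's own tooling: a kill bit is the 0x400 flag in the DWORD value "Compatibility Flags" under the per-CLSID key HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility (KB240797); when it is set, Internet Explorer refuses to instantiate that control even though the binary stays on disk, which is exactly what MS08-023 does for the three controls it names. The script reads, sets and audits that flag. The CLSID at the bottom is a constructed placeholder, not the identifier of the Yahoo control or of any real control; the Wow6432Node path is the 32-bit registry view on 64-bit Windows, which is why both are checked.

```powershell
# Added example (not from the article): inspect, set and audit ActiveX kill bits.
# Kill bit = bit 0x400 of the DWORD "Compatibility Flags" under the per-CLSID key.
$KillBitFlag = 0x400
$CompatPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit view on 64-bit Windows; absent on 32-bit systems
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags {
    # Returns the current Compatibility Flags for a key, or 0 if the key/value is missing.
    param([string]$Key)
    $v = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($v) { return [int]$v.'Compatibility Flags' }
    return 0
}

function Get-KillBit {
    # Report whether the kill bit is set for one CLSID in each registry view.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $CompatPaths) {
        $key = Join-Path $base $Clsid
        $flags = if (Test-Path $key) { Get-CompatFlags -Key $key } else { 0 }
        [pscustomobject]@{
            Clsid   = $Clsid
            View    = $base
            Flags   = ('0x{0:X}' -f $flags)
            KillBit = (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

function Set-KillBit {
    # OR the kill bit into Compatibility Flags without clobbering other flags.
    # Needs an elevated shell; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $CompatPaths) {
        if (-not (Test-Path $base)) { continue }
        $key = Join-Path $base $Clsid
        if ($PSCmdlet.ShouldProcess($key, 'Set Compatibility Flags bit 0x400')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $new = (Get-CompatFlags -Key $key) -bor $KillBitFlag
            New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                -Value $new -Force | Out-Null
        }
    }
}

function Get-KillBittedControls {
    # Audit: every CLSID that currently carries the kill bit, to compare against
    # the CLSIDs listed in a vendor advisory such as MS08-023.
    foreach ($base in $CompatPaths) {
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem -Path $base | ForEach-Object {
            $flags = Get-CompatFlags -Key $_.PSPath
            if (($flags -band $KillBitFlag) -ne 0) { $_.PSChildName }
        }
    }
}

# Constructed placeholder CLSID, not a real control's identifier.
$Clsid = '{12345678-1234-1234-1234-123456789ABC}'
Get-KillBit -Clsid $Clsid | Format-Table -AutoSize
Get-KillBittedControls | Measure-Object | Select-Object -ExpandProperty Count
# Set-KillBit -Clsid $Clsid -WhatIf    # drop -WhatIf, in an elevated shell, to apply
```

Note that setting the kill bit only stops Internet Explorer (and applications hosting the WebBrowser control) from loading the control; the DLL itself remains installed and registered, which is why the article describes this update as a comparatively primitive measure. A script like this is also a quick way to confirm, after an update such as MS08-023, that the advisory's CLSIDs actually appear in the audit output on a given machine.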

How many other such controls are out there? Consider all those crapware controls that were preloaded on your PC when you bought it. Secunia lists 335 security advisories that contain the word "ActiveX" in them.

Did you ever check with Hewlett-Packard or whomever to see if there were security updates for that notebook you bought? No? Did HP contact you about those updates? I didn't think so. As Secunia likes to point out now and then, the average PC has numerous old, vulnerable versions of programs, and the user may even be unaware of them.

Even though I've always thought that ActiveX controls get a lot of undeserved bad press, it's clear that they are worse in this regard than other types of programs. A badly designed and vulnerable ActiveX control is a welcome mat to hostile software on whatever Web site you are unfortunate enough to visit, and many vendors were downright stupid over the years in their development and deployment of ActiveX controls.

I think this is less of a problem with more recent systems and software, but there's a world of old, bad ActiveX controls out there, and the only practical way to get to them is through Windows Update. Few of them have automatic update facilities, and users are unlikely to check manually. Certainly, if Windows Update doesn't get to those systems then they're a lost cause anyway.

I'd like to think that Microsoft was listening to me when I wrote, a few months ago, that it should offer to use Windows Update to update third parties' applications. This is a comparatively primitive form of what I proposed, in that nothing is actually removed. But I like the idea, and I can relate to Microsoft wanting to start slow.

I asked Microsoft for a comment and got boilerplate ActiveX information, like what kill bits are. Yawn. But here are the links they sent me, in case they can be useful:

  • Disabling ActiveX controls in Internet Explorer
  • How to tell if ActiveX control vulnerabilities are exploitable in Internet Explorer
  • Helping ensure controls cannot be misused by other sites
  • Ensures users get the latest, safest version of their controls: Best Practices for ActiveX Updates
  • How to design secure ActiveX controls on several Web sites

But another publication got better answers out of Microsoft. Computerworld cites Tim Rains, a spokesman for the Microsoft Security Response Center (MSRC), as saying that Microsoft will kill-bit anyone's control if they ask. Just e-mail and tell them who you are and what you want to do. The policy is not new.

Let's hope developers notice and take advantage of Microsoft's offer. I still hope that this is the beginning of a policy to use the broad reach of Windows Update to mitigate the mess of dirty third-party code out there using even more aggressive measures. There are definitely some big issues to work out, principally cost and liability, but it's in everyone's interest, including Microsoft's, for this to happen.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.


Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
