Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


The Lame Blame of ActiveX



 By: Larry Seltzer
2005-04-14
Article Rating:starstarstarstarstar / 14


There are 4 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Opinion: ActiveX gets a bad rap as the cause of all of Internet Explorer's security woes. But it's just not so.

For the thousandth time I have just seen a mainstream media tech writer tell users that "ActiveX controls [are] the prime conduit hackers use to subvert computers" and that users can make their browsing safer by disabling ActiveX.

Old myths die hard! Theres no doubt that Internet Explorer has more than its fair share of security holes, but very few of them have to do with ActiveX. Seriously, of the perhaps hundreds of vulnerabilities of any import reported in Internet Explorer over the years, I bet you could count on two hands the number related to ActiveX.

As with programs that have nothing to do with ActiveX, the really serious bugs in Internet Explorer have been due to insufficient input validation between security zones or traditional buffer overflows. These are the staples of the vulnerability research business, and Mozilla and Firefox—and lets not forget Opera—have had their share of these, too.

Lets review: What exactly is ActiveX and what does it do thats supposedly so dangerous? ActiveX controls are packages of code that can run in the context of the browser. They are installable through a link on a Web page. Exactly how different is this from having a link to an executable file that you have to explicitly run? Essentially not at all, except that the ActiveX version is more convenient. Even with Firefox you can download and run an executable file. Does this make Firefox unsafe? In fact, Mozilla and Firefoxs support for XPCOM, a plain text and platform-independent software model, is very comparable to ActiveX once you get the user to click "Yes."

Resource Library:

The complaint against ActiveX has always centered around the ability to install native code from across the Internet, but this is less unusual than it seems, and ActiveX arguably makes things more secure. When you encounter an object tag referencing a control that you do not have installed, you then have the opportunity to install it. Under the default security settings, you will be warned before this happens and given an opportunity to approve or reject the installation. Theres more.

From the very beginning, ActiveX has supported digital signatures of the code, and the user gets a chance to inspect the signature. The point of the signature is not to prove that the program is safe or honest, but that the authors of the program are who they claim to be. In a way this has been a failure because it needs to be easier to follow all the signature information provided by ActiveX to understand exactly what it proves. But the information is there for whoever wants to confirm it.

There has been some controversy over misleading names of adware companies provided in signatures. This is an interesting stress case for digital signatures, but the important point here is that its not the reason people say ActiveX is unsafe.

A better example is a small number of cases where legitimate ActiveX controls from Microsoft and third parties were marked as "safe for scripting" (a programming term meaning that other programs can use them in scripting applications) even though these controls performed potentially dangerous operations and their access should have been restricted. Perhaps there have been more of these than has been publicized, but theres no actual evidence of it.

While there has been a striking lack of actual evidence that ActiveX is unsafe, there has been no shortage of baseless assertions and cheap shots against it. My favorite was the "Internet Exploder" incident in which Sun actually paid someone to write a malicious ActiveX control. I was there at JavaOne when they demonstrated it (I think it was 1997). The test system brought up all the warning dialogs about the program that you usually get and the Sun employee actually had the nerve to keep whacking on the enter key quickly so they would close as quickly as possible and didnt mention that there were any such warnings. Meanwhile, they also didnt mention that a signed Java applet could also perform dangerous privileged operations and would provide similar warnings. Most ActiveX criticism is simply uninformed, but this example was hypocritical and dishonest.

Ive been following this stuff for a long, long time, much longer than Ive been writing specifically about security. From the time it was announced as part of Internet Explorer 3, ActiveX has been controversial. At the time it was (ridiculously) contrasted with Java applets. Of course, Java applets are just a funny story from the history of computers now, but ActiveX is still around and for good reason: Its very useful when used with care, and its no more dangerous than any other type of program you run on your computer.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: The Lame Blame of ActiveX
>>> Post your comment now!
A user comment on this article
Who the fuck are you, posting a fucking keylogger? Some fucking ass hole I'd wager. So go fuck off...
Posted At: 06-26-09
By: Anonymous
A user comment on this article
I know no one who hits "DON'T SHOW THIS WARNING" on ActiveX, but it sounds like you would. In fact there's probably alot of dumb decisions you'd make...
Posted At: 06-12-09
By: Anonymous
correction
correction http://dewasoft.com/OCX/KeyLog/KeyLogAX.html :lol:
Posted At: 03-03-08
By: same
hypocritical and dishonest
Look, the article is correct in asserting that Java applications could be just as powerful as an ActiveX code implemented from the browser, however...
Posted At: 03-03-08
By: philosopher3000
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


x}r6*(w=(RG-ymy-8U*$%)Js} _$3qΙIlK@7F{{~$rhiɥc,J1{>D{{}.ІP`S sѩe軫F]̱]kkH|Nშ :':@.Ps< j99ԗoˏ~e0-ڶAQ6)֐j 9a?[$)qD h] X(>߱L㘄-: ;|w*UN8Spycf_ž0Hz5EhD#|x\'{d #B=Vya/ w-m~DM-G ؓ ۭBx1BP#"FτwGA%;qؓIuhl5D`iR13<LeC1k;T*R*65-晚u@|͖|#XulAzf@dnQ/*! lpq+x'C]tQV_սkYoAסߍ=gfGdYo&A.wQMv TmO |l ͟P>AuӱCģzr$˚7hewynJ| bT9,╇i΃oĩq3}۷?ڻ(TU-/{W ? n04h;\CryMS! eUS ^_wD_"0QYTi|/ Z@ WP uN.kzQҏZ-[KEKXOr ])2,R8Df9O-Ҿoo:6OOn:3do̲5<jUU* j vb!?ޛ:W۳5mս푳 i?uN=d#t:+?fV'_Z-կz O|iuHZz>540V+JJ=2iuLxE$Y-r"//!}O}fr*GrI/o,oG$cM|Ap6 2Tc]vjGo__ ZP G/<@#D53SfMs,egy0AM)61t9k 3!RBʼZ(IK _VPB5)\Dh+ԌTwPH7#DD vxr!DKI88c^IRYE1\ni>U<8vwެ.Uմ޹-~iKsqiH{vІ)WC EhYf7-vIQMm{QVc1x2,ՎKbP)b(7Z`Lm,5,Ltͬ Y0`贎;mJ{ϧ0gPP? M/6}@˥qn>1 @ Lna 8V83 4Cuәݰ=Wԇ9[ϩ`IE 6]LRml;>tHhS0<xw0ܛ[S衟#]ѽ[:?`= 0.Z- Be^~m¢8ѵO>ȁ{4`sDokiiC1).%w2J}cn.G))$C]HPw9J B!\0HV0(VF􎄰r)ilry g r\B;7 ˥=*%nqR%a 934YIjL=?꺾j1!G,D`v9J,L.Y ϴjԭeRp|:IoB{42u0sҺW "Cɣ($me6L?InPy{8`O>7l{`(`RTȅj#SV+a5sV@@@7h ,قriz6<:NX%鹞`ۉm0TNϣ(a!w1 ZJkX"L U)=t%\42.|O V,'0{sgбSabia;k/ US_HQ6nm V!҇D+ه0`L E5_GN6R^)#{0iTWʅĤ'I?րH{A2,exY΁5mIr 'jY$ Ei.24Y$p0zxp8 _0t.rȵ6gs|eLZմlxTa<,I+$#v+TNJ R0=f^9/즮?!jאj8z}0dݤS,Hɘ-qVCYw7ZAU[Mޝ쮫F'F `(0f4gӢRxs޽e=UN_)"ڟskd豸6] QB|z0b&^W TuP=ښuZu^,]hD1(dyD4@/q8bk lbk}tq@l#RqM݌5m"uy@VIJXhQ{_4MOOШ6>37}&mno^{xS˙yrN?dZIp|]avKrekH˷"gfjsItLe``lAqHl\K ~'U`9L86rR)Yd {259p\Semi{}OA-a,0r&]☺|l'Ge7UEldb 8)LUKj{[ S/0ւBMAh|?|{AcEiܨxkc(OU?FRnTRXUʅϢ CJNpimEB%3J-ܛ`@O|GO]T0%ezIMqza/;CnK-%. ^ذ:Zk.ܒ(t]4f1secfaI3N9`{IO$# 3##fCENIjVڳ$t`1۳<%8tpL\'eM=J皽6D= ϟݜ;s`>L;J@ r;~O;a>&rikS@JڣR> GYdI.|akJZ<]q,g$ ,$(e,zF<C U8qm oRٟ8sɖBz%EDOCVngX&Պ 6ǟM1yGV{"}QLXޟUv٩kcyó&m!'LGޏcN~D*>^e2`^=G}#^^ab>&·~&`}ǽ/5.šJV#R>&MUK\6?pC-Y2}e'A)pQ ?JfWKfչ w᳋Y? `yBn߽p.7:WKߧ݋ ?wL.:Wm)^{-y0WFԼ|:b9P*aݼ @>m48Z&ID)t_6Q}A5q޴7Y0z!B3ZKUe z EE׏ע!4|㿜YA$ !rz 0xc`sAZ~jiԎ8%4 \ "{-~=prr(SJ%Q'i&.j5Kbģ)s/RJ<:?fdc: M"I^QԼڭUdE)IW=ۋNG'S~`qx-,0eROӝ^^''\/_z?:n7#BJ\ːIHALð`x0"yԣ>6q-O592 pg UX8#b\l',]#CwG3M-=7D`pt ;ƪ$жL`v&@n3Fe xƏ>~c/ 9RsH`3'=<fd^Stne4r.D#7^R.w?@ysRbZp ^o=:+v9;)5zzYp8ڲJ`,OY,c8~L(mi'1c;,q ]Yk60 .b" uC<[1䌶X8Mymz(E]1(l oGW?eFySOngUXT0f~dڰbndoSR(`@ GA~鰮*6Mb& [x5SLև^f}.wI.Id~|C^2kl6xٳ֗Z` mJAL5iYU U7 ʯf3hνco P؟5?}?r闺U0:[ٷ8-,XE̫״d=IiF -{8R[xv1L@1+ƽ51^jgi=w݃vOesF`G/~xP8Pk}-3Ӫ=B(Kll>QiH :-FRﯕz}"p?C* O2+OY"l Kqìfo!_`n3۵y+1q+'(Ga((u@OaRM:'wO "E f'x8n t {{[=׸$O-"=d+=.{9-(l*2n?̭DX(t^qPVb!;MT#|HAw__Yя TeQO^t9fݨB*`w$0-cWF؇Bj !/D/~aI{Ņ"&$%9QmEMu&^ kat "blRK'p. IˋL KIbKfRlt[KY6qNfAfQȢiÄ\1^֧V j~zz_ZbiE.c 2u5WHk̘x-e4vlNz yԥBMQE׻TChRfxku llN󼦘!Vy <7LQ azfS;Xifryb+n'-浻3x"(ͪNDf`hi*{ >9#nHt%8 " @`m 4,\ 0.\πTnA4`C"{`R%<8h;{XcX(+J Pc0]#+5PUk%r\PWCX2Q^tiiec>Hy)ހyJ Ys4x kHу%O:}7Q&Z:<}Q-Dr1&18ߒ|}P.[}1W5nᮥq^6jW4I v4ݥDm+i!GS^o|s+ƈ\eaHp=SQ-=.Șh MQ VHxDirtvnOKZ&9a k(E$TۈX )S6<05L[flFLNWDaB KmDSs%zH"V|8snj9dYxh3c9`ʅҩ0>]wq{&+[!5l:0 0kYK7`C'[B@ g>򽉡0u3[r3RC´vx~T+mB<䱤Pl <'<,=MO_zwb꾌@h),f,])B9|Ե>|Έ.'+J9qF<>ŋLAguU_l VH+^@03%bk`fڟh`Y4MMzOz7~{EN[<(m[8Z?N9>v?u7~qf[v>J5%ۼV6ideAήmf(T{=\h^Epɂw]%;飱8/ĩ3?NbD(/* F8BfuljŵN_LǗ%n\Ow>>^IV CrXmn8~(hOu{itڹFhR `Nj_׌(Y_~NmfwQ__P~ sA?/?VieC:CL*Ͻ\^Fg(_dٮq1>e2 >2@ \_^f%e^e ?eCyF?P~Q{1W ?Wsw1~]7]? /q _gs?=eg_(e}G௏ ?e~2A[(*[h6[ Ku1Ay3CΚ׸pz~;9(/'Rz UKC(gg  ~2:Εb +@^W~ kJ+ťW 7YKxUy%k{Z1nvd}חG{1*,xW&^>&c˼XH{R}tEI>t+i@Lw<-cENZ9.~QJxdB$h{U2̱h#{"Ե0ZߛQǒGЬ]#=D~(se&o3?`jE@' @9\pm{yɛr%>|#r75ilŭhg?>/ydֺWWVF+p'k͠~%s"iN^hlգ{h9ıiSr O?g)b|3SeRL .LESzq;$8),_bY\YYf~ǭd<@T6?rсwr$yH-}Iߩ\#u{ĪnD}GQ!rE>D o p1Q.`:}ꁴx3#i^jI|M̸&$c a3 ӮߝW' U?틷@$YLAŊr2FW7BIx}1ld@(we6Lm (~%.,wj93/htg)gxp1kN϶{3]95uWuu7Lђ_'/TB# ,tB5] O؅2}c KId~1'~#pIi/ 0{IB m`Z(>/~y _쑥Y@;osқ`&#0qcOit} >x*8" "kH "s{B|%ijP%n3!馃%؉G'c߱iB .~W, {+2‡_i vE݉cE\c̈́x{pcläd |A«U/=׆"2cX =O@tZwkdY9Hr&zU h$7=j"6: gK“J'Ңr\鱻$0\d~\g;Tlv[E`'/2^;'kp|"ϷϒezLU"zʴvDl3%Yz'Io=Gmk_VeńK!z>w. ?!#R.ܐOߦ "`A]|eD$ug EϩfC>X읙6^&ɿعKӘ2J1А8v2COA#t Oe[ |kc'p'!MX0 <ձ]w O`7G /)ixE1C2z l|$_Oxƪ~Saxr=&gsx m-IS`ioAs^nT "+1<&`#]&\f\jџL.ѮBTnbbqY;g;kMlB pQ*Ԯ^g͜ ŧSW<2JP'jdV@8̝ -ӟ~H׶I _[0~OX+ʕbA,\n2?>Şi#|@ =(ۉnFTt %`GYU`kv?8utvKѪ v7"60ޏYwPRl@ xS a \bXeܔ1uF.E]khT[_ )** 9/ߵ3pݼ®"vyXA\gXIڙBX<ٰ޳s+o=Љe{0^ζp2$82epCikZK 0Dq] XǢȖWqTR:!; /D?8 ciL;fcXJ ,oԛŒ'TS*4.v>ϽϯxDh\NwLtxV$L+DvdzU Z-^cdX$֬=LE")s1Gg-zk|FXKҳ m0q,r?],MclRc9bfW`0MZ.<'ȳ(`,Lv"VKjMΡmjpR!efƲ 7cP.X-'B@S .x CG,$?ˋ}P byx ŧ$NS?|T+ K+ Sq|h/]7,{՗ΚG<|Xyx8~']f(FRqO\||8(>^tobohi/=i%-9EKB޴i B"Ewl:W񲞽P7v r̳G`bhP7]Ө+jE&I#;ov[b$- U.aT+nu; o]F'e1T>\JBS+$WY/WfTNƇZJ܄;66BKFslx61oj%