The Lame Blame of ActiveX

Opinion: ActiveX gets a bad rap as the cause of all of Internet Explorer's security woes. But it's just not so.

For the thousandth time I have just seen a mainstream media tech writer tell users that "ActiveX controls [are] the prime conduit hackers use to subvert computers" and that users can make their browsing safer by disabling ActiveX.

Old myths die hard! Theres no doubt that Internet Explorer has more than its fair share of security holes, but very few of them have to do with ActiveX. Seriously, of the perhaps hundreds of vulnerabilities of any import reported in Internet Explorer over the years, I bet you could count on two hands the number related to ActiveX.

As with programs that have nothing to do with ActiveX, the really serious bugs in Internet Explorer have been due to insufficient input validation between security zones or traditional buffer overflows. These are the staples of the vulnerability research business, and Mozilla and Firefox—and lets not forget Opera—have had their share of these, too.

Lets review: What exactly is ActiveX and what does it do thats supposedly so dangerous? ActiveX controls are packages of code that can run in the context of the browser. They are installable through a link on a Web page. Exactly how different is this from having a link to an executable file that you have to explicitly run? Essentially not at all, except that the ActiveX version is more convenient. Even with Firefox you can download and run an executable file. Does this make Firefox unsafe? In fact, Mozilla and Firefoxs support for XPCOM, a plain text and platform-independent software model, is very comparable to ActiveX once you get the user to click "Yes."

The complaint against ActiveX has always centered around the ability to install native code from across the Internet, but this is less unusual than it seems, and ActiveX arguably makes things more secure. When you encounter an object tag referencing a control that you do not have installed, you then have the opportunity to install it. Under the default security settings, you will be warned before this happens and given an opportunity to approve or reject the installation. Theres more.

From the very beginning, ActiveX has supported digital signatures of the code, and the user gets a chance to inspect the signature. The point of the signature is not to prove that the program is safe or honest, but that the authors of the program are who they claim to be. In a way this has been a failure because it needs to be easier to follow all the signature information provided by ActiveX to understand exactly what it proves. But the information is there for whoever wants to confirm it.

There has been some controversy over misleading names of adware companies provided in signatures. This is an interesting stress case for digital signatures, but the important point here is that its not the reason people say ActiveX is unsafe.

A better example is a small number of cases where legitimate ActiveX controls from Microsoft and third parties were marked as "safe for scripting" (a programming term meaning that other programs can use them in scripting applications) even though these controls performed potentially dangerous operations and their access should have been restricted. Perhaps there have been more of these than has been publicized, but theres no actual evidence of it.

While there has been a striking lack of actual evidence that ActiveX is unsafe, there has been no shortage of baseless assertions and cheap shots against it. My favorite was the "Internet Exploder" incident in which Sun actually paid someone to write a malicious ActiveX control. I was there at JavaOne when they demonstrated it (I think it was 1997). The test system brought up all the warning dialogs about the program that you usually get and the Sun employee actually had the nerve to keep whacking on the enter key quickly so they would close as quickly as possible and didnt mention that there were any such warnings. Meanwhile, they also didnt mention that a signed Java applet could also perform dangerous privileged operations and would provide similar warnings. Most ActiveX criticism is simply uninformed, but this example was hypocritical and dishonest.

Ive been following this stuff for a long, long time, much longer than Ive been writing specifically about security. From the time it was announced as part of Internet Explorer 3, ActiveX has been controversial. At the time it was (ridiculously) contrasted with Java applets. Of course, Java applets are just a funny story from the history of computers now, but ActiveX is still around and for good reason: Its very useful when used with care, and its no more dangerous than any other type of program you run on your computer.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.