IE Flaws Should Come as No Surprise

Developers have been warned about the risks of IE, and specifically of ActiveX.

Far too much of whats on the Web is only tested for use with Internet Explorer, with only casual interest in fixing any problems that might arise with other tools. I find these IE-specific sites when my usual browser, Mozilla, or my backup browser, Opera, arent able to load a page.

When that happens, if I really and truly need that content, Ill fire up IE. More often than not, though, Ill find what I want somewhere else. As more users start using non-IE browsers as their preferred means of Internet access, I hope that sites will discover that their casual attitude toward content delivery is too costly to retain.

No one should get away with saying that the risks of IE, and specifically of ActiveX, caught them by surprise. In 1997, Microsofts Charles Fitzgerald told a group of Web application developers that if they wanted security on the Internet, they could unplug their computers. "We never made the claim up front that ActiveX is intrinsically secure," said Fitzgerald, then program manager of Microsofts Java team.

Lest anyone think that Fitzgerald was stating a rogue position, it was in that same year that Cornelius Willis, Microsoft group product manager for Internet platforms, gave the justly infamous warning, "We are concerned that users understand that all executable content on the Internet is potentially dangerous … The basic message here is: dont take candy from strangers." I suppose that "potentially dangerous" is sort of an average between "conceivably dangerous"—for example, an obscure implementation flaw in Java—and "intrinsically dangerous," the label that I unhesitatingly apply to ActiveX.

If 1997 seems too much like ancient history, we can always take a shorter trip in the Wayback Machine to this past September, when we learned that ActiveX controls with known security problems could readily be reinstalled on a users machine if that user was rash enough to trust content signed by Microsoft Corporation. As I added upon learning of this problem, "the system not only comes out of the box unsafe, it almost appears designed to ensure that it stays that way."

With all of this as background, pardon me if Im more exasperated than sympathetic with anyone whos finding it inconvenient to eschew all use of ActiveX. Im not completely lacking in sympathy: I know that I have to fight a constant battle for design and delivery of Web content based on standards, preferably on the common subsets of standards that are well supported by all reputable browsers.

But I do manage to get through most weeks without telling Norton Internet Security to let pass even a single ActiveX control to load on my machine. The only exceptions are specific services like some of the Web conferencing platforms used by many vendors to give me product demonstrations; I dont approve, but Im willing to tolerate these special cases.

Microsoft has taken the position that any recent version of Windows including Internet Explorer is "a single, integrated product." Well and good. When there are things that I want to do on Windows that need the IE piece of Windows, accessing known resources from trusted parties via Internet connections, Ill do them if Im sure I can do them safely.

But when I want to use the Web—that is, the standards-based platform on which I can use a variety of content and engage in secure transactions with previously unknown parties—Ill use an application designed for that purpose. And that, it appears, does not mean IE.

Technology Editor Peter Coffee can be reached at

To read more Peter Coffee, subscribe to eWEEK magazine.


Check out eWEEK.coms Security Center at for the latest security news, reviews and analysis.


Be sure to add our developer and Web services news feed to your RSS newsreader or My Yahoo page