The same things that make ActiveX so useful -- its flexibility and integration between all applications -- make it particularly dangerous in the hands of malicious hackers. Many of the past decade's most infamous computer viruses, spyware and adware programs came disguised as ActiveX controls. The problem with ActiveX, security experts say, is that Microsoft gives the individual user too much responsibility in patrolling his or her PC security [source: SecurityFocus].
Java applets, which perform many of the same functions as ActiveX controls, are heavily restricted as to how they interact with a user's PC. For example, Java applets can't erase files from a user's hard drive [source: CNET]. That's called sandboxing an application. ActiveX is not sandboxed at all. Once downloaded on a user's computer, the ActiveX control becomes part of the operating system with the ability of tampering with every piece of hardware and software on the machine.
Instead of restricting ActiveX's functions, Microsoft chose another security route. Every time Internet Explorer needs to download a new ActiveX control, it launches a pop-up window asking the user if he wants to proceed. The user, then, has to decide whether the ActiveX control is legitimate or a Trojan Horse for nasty code. To help with that decision, Microsoft gave the creators the ability to sign their applications. These digital signature certificates are double-checked and certified by services like VeriSign.
The problem is that many users don't think to look for digital signatures -- or wouldn't know what they meant even if they saw them -- and just say "yes" to the download without giving it a second thought.
In response to widespread criticism of the ActiveX vulnerability, Microsoft increased ActiveX security with the release of Internet Explorer 7, disabling all but the most common ActiveX controls -- Windows Media Player, Flash Player, Adobe Reader, et cetera -- and improving the user notification process before downloading new controls.
A simple way to avoid the security headaches of ActiveX is to use a different Web browser, like Safari, Firefox or Opera, that doesn't accept ActiveX controls. But if you're most comfortable using Internet Explorer, and you like the way it interfaces with other Windows applications, there are ways to improve your ActiveX security:
- From the Internet Explorer menu bar, go to Tools > Internet Options > Security > Internet > Custom Level
- In the category called "ActiveX controls and plug-ins," disable every one of the options
[source: Surf the Net Safely]
This'll cause some Web sites you've used in the past not to work anymore. But you can easily download those essential ActiveX controls again, this time with more awareness of what you're doing.
For even more information about ActiveX, Internet technology and related topics, check out the links on the next page.