It's happened to all of us. You're surfing the Web, having a great time, learning things you never knew, meeting people you'll never "meet," watching videos and playing games, when suddenly a pop-up window appears.
It says that you need to download this thing called "ActiveX" to view the content on this Web site. Active what? You read somewhere that you should never download anything from the Internet that you don't recognize, so now you're stuck. Do you skip the site or do you take a gamble on ActiveX?
In most cases ActiveX is harmless. In fact, it can even be incredibly helpful. In Internet Explorer, ActiveX technology allows you to play video clips directly in the browser window. It's what allows you to watch Web animation and read .PDF files without opening up another application.
But ActiveX has also received more than its share of bad press. Over the years, hackers have disguised malicious programs and viruses as innocent ActiveX downloads. For the average computer user, one ActiveX download prompt looks just like another. The result can be a hard drive infected with spyware, adware and even infectious worms.
So what is ActiveX exactly? How can it be used for playing Flash movies and animated GIFs on Web pages? And what are some things you can do to protect yourself against ActiveX security threats? Read on to find out.
What is ActiveX?
ActiveX is a Microsoft-created technology that enables different software applications to share information and functionality. ActiveX only works with Microsoft applications like Word, Excel, Internet Explorer and PowerPoint, and will only work on a computer running the Windows operating system.
The idea behind ActiveX is that software applications don't need to be built from scratch. Early on at Microsoft, programmers realized that many of the same functions could be shared among different applications. For example, a spell checker is just as useful in a word processing program like Word as in an e-mail application like Outlook Express [source: Surf the Net Safely]. Instead of writing two separate versions of code for the same spell-checker, they created a spell checker object. This object lives on the Windows operating system. When any Windows application needs spell-checking functionality, it calls on the spell-checker object.
ActiveX technology began as object linking and embedding (OLE). In the early days of Windows, OLE allowed for simple cross-application functions like cut and paste. OLE evolved into the idea of a compound object module (COM). The spell checker is an example of a COM. It's an independent module, or applet, that can be accessed from any Windows application. COMs also allow for one program to be embedded into another. For example, you can insert and edit an Excel spreadsheet from within Word without ever opening the Excel application [source: IRT.org].
ActiveX and COM are essentially the same thing. An ActiveX control is another name for one of these "objects," "modules" or "applets" -- like the spell checker -- that run within larger applications [source: Surf the Net Safely].
ActiveX controls are mostly talked about in reference to Internet Explorer, the default Web browser for the Windows operating system. Let's say you open a Web page with Internet Explorer that contains video clips encoded as Windows Media files (.wmv). Internet Explorer comes pre-loaded with an ActiveX control that allows for Windows Media files to be played directly in the Web page [source: Mozilla]. In other words, you don't have to launch the Windows Media Player application separately. The ActiveX control accesses the functionality of the Windows Media Player behind the scenes and plays back the file in the browser window.
Another common ActiveX control plays Flash files (.swf). Internet Explorer can't play Flash files by itself. That's something only the Adobe Flash Player can do. But if a whole Web site is programmed in Flash, you don't want to launch the Flash Player to view it. So Internet Explorer gives you the option of downloading and installing the Flash ActiveX Control. The Flash ActiveX Control automatically detects when a site contains Flash files. It then accesses the Flash player functionality at the operating system level and plays the files directly in the browser.
ActiveX controls are small applications written in common programming languages like Visual Basic and C++. They're similar in function to Java applets, which are small programs that run within Web browsers. Applications that support ActiveX controls are called ActiveX containers. Each ActiveX control contains a unique number called a class identifier (CLSID). ActiveX controls that work within Internet Explorer are usually associated with a certain file or media type. This way Internet Explorer knows which control to launch -- Flash, Adobe Reader (for .PDFs), Windows Media Player -- for each type of file.
Now let's look at how you can use ActiveX to embed animations in a Web page.
Using ActiveX with Animation
ActiveX can be used to embed and play Flash movies or animated GIFs directly on a Web page. This is particularly useful for embedding animated advertisements like banner ads.
Let's start by explaining how to use ActiveX to display a Flash animation on a Web page. The first step is to create the complete animation in Flash and export it as a .swf file. Then you need to insert the correct HTML code into the Web page to activate the Flash Player ActiveX Control and play back the .swf file.
The first thing you do is give the embedded Flash animation a name or OBJECT ID. This is usually the name of the .swf file without the .swf extension. For example, if the file is called "dog.swf," the OBJECT ID would just be "dog."
Then you need to insert HTML code that tells Internet Explorer exactly which ActiveX control you want to use. This is done by entering the unique CLASSID of the Flash Player ActiveX Control, which is "clsid:D27CDB6E-AE6D-11cf-96B8-444553540000."
Now that Internet Explorer knows which ActiveX control you want to use, you can set several parameters that control the playback of the Flash movie [source: Adobe]. The first parameter is the name of the .swf file itself and its location on the server. Then you set parameters that control whether the animation plays automatically upon loading, whether the animation should loop continuously and whether to adjust the animated image's quality.
For even more control, there are parameters that allow you to go back a frame in the Flash movie, or jump forward. You can zoom in on a particular area of the movie and pan across the screen. You can also enter HTML instructions that tell Internet Explorer how to respond if someone clicks on the Flash movie or on a particular link in the movie
For an example of what the HTML code would look like for embedding a Flash file-"dog.swf," in this case go to Adobe.
The process is similar for embedding and playing an animated GIF on a Web page. A GIF, short for Graphics Interchange Format, is a lightweight image format that's useful for creating simple frame-by-frame animations. To design and animate the actual GIF, you'd use a program like Adobe ImageReady.
Once you've created your animated GIF, you'll need to choose an animated GIF ActiveX control. Unlike the Flash Player ActiveX Control, there's no universally recognized ActiveX control for playing animated GIFs on a Web page. Do a Web search for "animated GIF ActiveX control," and you'll find dozens of free ActiveX controls that you can download.
From here, the process is much the same as with the Flash animation. You'll need to enter HTML code between twotags that tells Internet Explorer what file you want to play and which ActiveX control you want to use (for this, you'll need the control's unique CLASSID number).
Animated GIF ActiveX controls offer many of the same parameters as Flash controls for handling the playback of the animation. You can set the animation to a continuous loop, autosize the animation to fit a window, rewind to the beginning of the animation, respond to mouse and keyboard events, et cetera.
Unfortunately, ActiveX has come under fire as a vulnerable security risk for hackers. Read more about it in the next section.
Problems with ActiveX
The same things that make ActiveX so useful -- its flexibility and integration between all applications -- make it particularly dangerous in the hands of malicious hackers. Many of the past decade's most infamous computer viruses, spyware and adware programs came disguised as ActiveX controls. The problem with ActiveX, security experts say, is that Microsoft gives the individual user too much responsibility in patrolling his or her PC security [source: SecurityFocus].
Java applets, which perform many of the same functions as ActiveX controls, are heavily restricted as to how they interact with a user's PC. For example, Java applets can't erase files from a user's hard drive [source: CNET]. That's called sandboxing an application. ActiveX is not sandboxed at all. Once downloaded on a user's computer, the ActiveX control becomes part of the operating system with the ability of tampering with every piece of hardware and software on the machine.
Instead of restricting ActiveX's functions, Microsoft chose another security route. Every time Internet Explorer needs to download a new ActiveX control, it launches a pop-up window asking the user if he wants to proceed. The user, then, has to decide whether the ActiveX control is legitimate or a Trojan Horse for nasty code. To help with that decision, Microsoft gave the creators the ability to sign their applications. These digital signature certificates are double-checked and certified by services like VeriSign.
The problem is that many users don't think to look for digital signatures -- or wouldn't know what they meant even if they saw them -- and just say "yes" to the download without giving it a second thought.
In response to widespread criticism of the ActiveX vulnerability, Microsoft increased ActiveX security with the release of Internet Explorer 7, disabling all but the most common ActiveX controls -- Windows Media Player, Flash Player, Adobe Reader, et cetera -- and improving the user notification process before downloading new controls.
A simple way to avoid the security headaches of ActiveX is to use a different Web browser, like Safari, Firefox or Opera, that doesn't accept ActiveX controls. But if you're most comfortable using Internet Explorer, and you like the way it interfaces with other Windows applications, there are ways to improve your ActiveX security:
- From the Internet Explorer menu bar, go to Tools > Internet Options > Security > Internet > Custom Level
- In the category called "ActiveX controls and plug-ins," disable every one of the options
[source: Surf the Net Safely]
This'll cause some Web sites you've used in the past not to work anymore. But you can easily download those essential ActiveX controls again, this time with more awareness of what you're doing.
For even more information about ActiveX, Internet technology and related topics, check out the links on the next page.