So what really is ActiveX, and is it really an endangered species? ActiveX is a technology developed by Microsoft, which you often find in the form of Internet Explorer browser plugins or ActiveX controls. The thing is, ActiveX is not renowned for its security and is often named as the cause of vulnerabilities on PCs. By accepting an ActiveX plugin on your PC, you can open the machine up to attack. According to Johannes Ullrich, CTO of the SANS Internet Storm Center, the real issue with ActiveX is that it gives “full access to your system”.
So in theory, anyone who manages to get you to install their ActiveX control on your PC could control it. It’s a bit more complex than that, but you can quickly see how much damage could be done to your PC, not to mention the private information that could easily be stolen.
Last week, Symantec found six new vulnerabilities having to do with ActiveX controls in Facebook, MySpace and Yahoo among others. Another site, Milw0rm.com, lists over 80 ActiveX vulnerabilities it found in 2007. 80 in a single year alone!
If ActiveX is so unsafe, why isn’t it abandoned altogether then? One of the reasons is how practical it is for developers. The great thing with ActiveX components is that you can control an application without actually using it. Any object can be queried via a list of pointers that the developer creates himself. All in all, this means the developer can easily make an ActiveX control designed for a specific function. Built specifically for Windows, ActiveX controls can exert a lot of control over the Windows operating system.
Another good thing about ActiveX components is how easy they are for anyone to install. They literally take seconds to set up and work immediately.
The frequency with which PC vulnerabilities related to ActiveX appear really does bring into question whether or not the technology should still be around. If you worry about your PC’s security, one of the best recommendations you can still get nowadays is to disable ActiveX. Until the technology is officially abandoned, it’s probably the best thing to do.
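One way to check and apply the “disable ActiveX” recommendation for Internet Explorer’s Internet zone, as an added example that is not part of the original article. It assumes the per-user security-zone settings stored in the registry; the function names are hypothetical.

```powershell
# Added example: audit (and optionally disable) the ActiveX URL actions
# of the Internet Explorer "Internet" security zone for the current user.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone

# Security-zone URL actions that govern ActiveX controls.
$ActiveXActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
# Meaning of the DWORD stored for each action.
$PolicyNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled'; 65536 = 'Administrator approved' }

# Hypothetical helper: report the current state of every ActiveX action.
function Get-ActiveXZonePolicy {
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction SilentlyContinue
    foreach ($id in $ActiveXActions.Keys) {
        $value = $null
        if ($props) { $value = $props.$id }
        $state = 'Not set (zone default applies)'
        if ($null -ne $value) {
            $state = "Unknown ($value)"
            if ($PolicyNames.ContainsKey([int]$value)) { $state = $PolicyNames[[int]$value] }
        }
        [pscustomobject]@{ Action = $id; Setting = $ActiveXActions[$id]; Value = $value; State = $state }
    }
}

# Hypothetical helper: set every ActiveX action to 3 (Disabled). Supports -WhatIf.
function Disable-ActiveXInInternetZone {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    foreach ($id in $ActiveXActions.Keys) {
        if ($PSCmdlet.ShouldProcess("$ZonePath\$id", 'Set to 3 (Disabled)')) {
            Set-ItemProperty -Path $ZonePath -Name $id -Value 3 -Type DWord
        }
    }
}

Get-ActiveXZonePolicy | Format-Table -AutoSize
# Disable-ActiveXInInternetZone -WhatIf   # preview the change; drop -WhatIf to apply it
```

Settings enforced through Group Policy take precedence over these per-user values, so on a managed PC the audit output may not reflect what the browser actually applies.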