Time To Kill ActiveX?

Microsoft defends its ActiveX technology, but security researchers say it poses too many risks.

Thomas Claburn, Editor at Large, Enterprise Mobility

February 6, 2008


An ActiveX control that is not safe is not necessarily dangerous, Microsoft says.

Responding to several high-profile ActiveX vulnerabilities that security researchers have reported since early January, Microsoft on Sunday came to the defense of its ActiveX technology. In a post on its Security Vulnerability Research & Defense blog, the company says it has investigated two of the reported ActiveX control vulnerabilities and concluded that they are not dangerous in practice, because Internet Explorer does not treat the affected controls as safe for scripting and therefore will not let a Web page instantiate and script them.

"These ActiveX controls are not Microsoft products, and to the best of our knowledge, are not included with any Microsoft products," a spokesperson said in an e-mail. "However, Microsoft is committed to the security and safety of its customers and works with independent software vendors to investigate reported security issues."

Regardless of whether Microsoft or third-party developers are ultimately responsible, the safety of ActiveX controls is in doubt.

Earlier this week, Symantec identified six current vulnerabilities affecting ActiveX controls shipped with Facebook, MySpace, and Yahoo applications, among others. US-CERT responded by reiterating its longstanding recommendation to disable ActiveX controls as a way to make Web browsing more secure. And a security researcher associated with the SANS Institute released a tool that neutralizes vulnerable ActiveX controls by setting their "Kill-Bits," the registry flags that tell Internet Explorer never to load a given control.

Microsoft on Wednesday followed up by publishing an explanation of Kill-Bits on the same security blog. "Kill-Bits must be issued to prevent old / vulnerable signed versions of controls from being effectively foisted on users," Microsoft explains.
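The two mechanisms the article relies on, Internet Explorer's "safe for scripting" decision and the Kill-Bit, are both ordinary registry state, so an administrator can audit and apply them directly. The following PowerShell is an added example written for this page, not code from Microsoft, Symantec or the SANS tool mentioned above. It reads a control's registration under HKEY_CLASSES_ROOT\CLSID, checks whether the control advertises the "Safe for Scripting" and "Safe for Initializing" component categories, and checks and sets the Kill-Bit (bit 0x400 of the "Compatibility Flags" DWORD under Internet Explorer's ActiveX Compatibility key, including the Wow6432Node copy used by 32-bit IE on 64-bit Windows). The CLSID used is an all-zero placeholder, not a real control; substitute the CLSID from an advisory.

```powershell
# Added example: audit an ActiveX control's registration and set an IE Kill-Bit.
# The CLSID below is a placeholder (not a real control); replace it with the
# CLSID named in the advisory you are acting on.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

# Component categories a control registers to tell IE it may be scripted /
# initialized from a Web page (CATID_SafeForScripting, CATID_SafeForInitializing).
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

# Where IE keeps Kill-Bits. The Wow6432Node copy governs 32-bit IE on 64-bit Windows.
$KillBitRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $KillBitRoots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}
$KillBitFlag = 0x400   # "Compatibility Flags" bit that blocks the control in IE

function Get-ActiveXStatus {
    param([Parameter(Mandatory)][string]$Clsid)

    $clsidKey   = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $registered = Test-Path $clsidKey
    $server     = $null
    if ($registered) {
        # The DLL that hosts the control; useful for matching against advisories.
        $server = (Get-ItemProperty "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    }

    $killBitSet = $false
    foreach ($root in $KillBitRoots) {
        $flags = (Get-ItemProperty "$root\$Clsid" -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -and (([int]$flags) -band $KillBitFlag)) { $killBitSet = $true }
    }

    [pscustomobject]@{
        Clsid               = $Clsid
        Registered          = $registered
        Server              = $server
        SafeForScripting    = Test-Path "$clsidKey\Implemented Categories\$CatSafeForScripting"
        SafeForInitializing = Test-Path "$clsidKey\Implemented Categories\$CatSafeForInitializing"
        KillBitSet          = $killBitSet
    }
}

function Set-ActiveXKillBit {
    # Writes to HKLM, so run from an elevated prompt.
    param([Parameter(Mandatory)][string]$Clsid)

    foreach ($root in $KillBitRoots) {
        $key = "$root\$Clsid"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = (Get-ItemProperty $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the Kill-Bit in rather than overwrite, so other compatibility flags survive.
        $newFlags = ([int]$existing) -bor $KillBitFlag
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newFlags -Type DWord
    }
}

Get-ActiveXStatus -Clsid $Clsid      # before: KillBitSet should be False
Set-ActiveXKillBit -Clsid $Clsid
Get-ActiveXStatus -Clsid $Clsid      # after: KillBitSet should be True on every root
```

Two caveats a practitioner should keep in mind. First, the registry categories are not the only way a control declares itself scriptable: a control can instead implement the IObjectSafety interface and answer at run time, so a control that shows SafeForScripting as False here may still be scriptable, and this check is a quick triage, not proof. Second, the Kill-Bit is honoured by Internet Explorer and other hosts that consult IE's ActiveX Compatibility list; it does not unregister the control, so a COM host that ignores the list can still load it. Setting the Kill-Bit for a vulnerable control is therefore a mitigation for the browse-to-a-page attack the article describes, not a substitute for removing or patching the control.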

Yet Microsoft's explanation of ActiveX euthanasia undermines its defense of the technology: If ActiveX is harmless, why provide a way to kill it?

Not everyone is so sanguine about the potential risks posed by ActiveX. In a paper published last week, a security researcher writing under the name "warlord" said, "Security issues seem to be a constant problem with ActiveX controls. In fact, it seems most vulnerabilities in Windows nowadays are actually due to poorly written third-party controls which allow malicious Web sites to exploit buffer overflows or abuse command injection vulnerabilities."

Milw0rm.com lists about 80 vulnerabilities involving ActiveX since the start of 2007.

Johannes Ullrich, CTO of the SANS Internet Storm Center, said that "warlord's" characterization of ActiveX is fair. "The big problem with ActiveX is ... these controls basically have full access to your system," he said. "If there's a flaw in any of the ActiveX controls, they can be used to compromise your system. All you have to do is visit a Web page that invokes the control."

Worries about ActiveX and similar technologies like Java aren't new. Back in 1997, Princeton computer scientist Edward Felten detailed the dangers. "Java and ActiveX do introduce some security risk, because they can cause potentially hostile programs to be automatically downloaded and run on your computer, just because you visited some Web page," he said. "The downloaded program could try to access or damage the data on your machine, for example to insert a virus. Both Java and ActiveX take measures to protect you from this risk."

At the time, Felten suggested the risks were minimal. "The good news is that there have been few incidents of people being damaged by hostile Java or ActiveX programs," he said. "The reason is simply that the people with the skills to create malicious programs have chosen not to do so."

Those days of innocence are long gone. Fast forward to 2008 and the people with the skills to create malicious programs are busy doing so.

For Ullrich, the answer is clear. "I think for now you just have to disable ActiveX," he said.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
