Is ActiveX Evil?
Is it safe to install ActiveX controls when websites prompt me to do so? I've read that ActiveX is a security risk, and should be avoided. What's your opinion of ActiveX?
Is It Safe to Use ActiveX Controls?
Let's start with a definition... ActiveX is a Microsoft programming framework that was introduced to Windows and Internet Explorer in 1996. Although it is often referred to as a programming or scripting language, ActiveX is more accurately defined as a set of rules established by Microsoft that govern how applications written in other languages share information. In Internet Explorer, ActiveX serves a function similar to Java, but without Java's security safeguards.
An ActiveX control (sometimes called an add-on) is a set of instructions that, when installed on a computer, enable specific actions. For example, an ActiveX control developed by Adobe Systems enables Internet Explorer to display Flash, Acrobat, and other types of multimedia content. Some online games require the use of ActiveX controls. Microsoft uses ActiveX controls to install security updates via Microsoft Update.
Typically, an ActiveX control is downloaded through Internet Explorer the first time it is needed; that is, the first time content that requires the ActiveX control is encountered by Internet Explorer. ActiveX controls may be thought of as plugins or addons for the IE browser.
The problem is that ActiveX allows a program to make unrestricted changes to the user's computer. An ActiveX control can enable a rogue program to delete, modify, transmit, or do anything else to data discovered on the computer. In fact, ActiveX can enable hackers to take full control of a PC! That's obviously a problem from a security standpoint.
It's important to note that ActiveX is a Windows-only critter, and is specific to the Internet Explorer browser. Websites that require ActiveX will not work on Linux or Mac systems. Firefox and Google Chrome do not support ActiveX technology for these reasons. But you can install the "IE Tab" extension, which enables Firefox or Chrome to use ActiveX extensions by interfacing with Internet Explorer.
Would You Sign This For Me?
Microsoft addressed this issue by establishing a registration system for ActiveX controls though "signing authorities" such as Verisign. Authors of ActiveX controls are supposed to register their controls and add a digital signature that can verify that the author is who it claims to be.
Some websites require that you download and install an ActiveX control in order to view the content. When this happens, Internet Explorer will ask if you want to proceed. In theory, it should be safe to let IE download and install signed ActiveX controls. But in truth, a signature just means that the author is identified. It says nothing about what the ActiveX control may do to your computer. If you know and trust the control's author (say, Microsoft or Adobe Systems), that's fine. But if a verified author is "Joe Blow Software," you really don't know any more than an unsigned control tells you.
Making things more confusing, there are harmless ActiveX controls whose authors don't bother to get them signed. This is common with ActiveX controls developed in-house for corporate intranets. If you encounter one of these, your help desk or IT support should advise you how to proceed.
It's possible to disable ActiveX, but you lose a lot of functionality in Internet Explorer and other components of Windows. Even Microsoft Office employs ActiveX, so I would not recommend disabling it.
So, to your question "Is ActiveX Evil?" I have to say no. Personally, I've never encountered a malicious ActiveX control in the past 15 years since they came on the scene. But there are no guarantees with ActiveX controls. The better question is whether or not you should allow IE to install an ActiveX control. The best guidance I can give you is to carefully consider the source of any ActiveX control. If the Web site offering the control is one you trust, and the control is signed, then it's probably safe. If it's a game or widget on some site you've never visited before, I'd skip it.
Have you ever had a problem with an ActiveX control? Post your comment or question below...
This article was posted by Bob Rankin on 17 Feb 2012
|For Fun: Buy Bob a Snickers.|
Ten Steps to Securing Your New PC
The Top Twenty
Sync Your Passwords on Windows, Mac and Smartphones
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005
- Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Is ActiveX Evil? (Posted: 17 Feb 2012)
Copyright © 2005 - Bob Rankin - All Rights Reserved