Is ActiveX Evil?
Is it safe to install ActiveX controls when websites prompt me to do so? I've read that ActiveX is a security risk, and should be avoided. What's your opinion of ActiveX?
Is It Safe to Use ActiveX Controls?
Let's start with a definition... ActiveX is a Microsoft programming framework that was introduced to Windows and Internet Explorer in 1996. Although it is often referred to as a programming or scripting language, ActiveX is more accurately defined as a set of rules established by Microsoft that govern how applications written in other languages share information. In Internet Explorer, ActiveX serves a function similar to Java, but without Java's security safeguards.
An ActiveX control (sometimes called an add-on) is a set of instructions that, when installed on a computer, enable specific actions. For example, an ActiveX control developed by Adobe Systems enables Internet Explorer to display Flash, Acrobat, and other types of multimedia content. Some online games require the use of ActiveX controls. Microsoft uses ActiveX controls to install security updates via Microsoft Update.
Typically, an ActiveX control is downloaded through Internet Explorer the first time it is needed; that is, the first time content that requires the ActiveX control is encountered by Internet Explorer. ActiveX controls may be thought of as plugins or addons for the IE browser.
The problem is that ActiveX allows a program to make unrestricted changes to the user's computer. An ActiveX control can enable a rogue program to delete, modify, transmit, or do anything else to data discovered on the computer. In fact, ActiveX can enable hackers to take full control of a PC! That's obviously a problem from a security standpoint.
It's important to note that ActiveX is a Windows-only critter, and is specific to the Internet Explorer browser. Websites that require ActiveX will not work on Linux or Mac systems. Firefox and Google Chrome do not support ActiveX technology for these reasons. But you can install the "IE Tab" extension, which enables Firefox or Chrome to use ActiveX extensions by interfacing with Internet Explorer.
Would You Sign This For Me?
Microsoft addressed this issue by establishing a registration system for ActiveX controls though "signing authorities" such as Verisign. Authors of ActiveX controls are supposed to register their controls and add a digital signature that can verify that the author is who it claims to be.
Some websites require that you download and install an ActiveX control in order to view the content. When this happens, Internet Explorer will ask if you want to proceed. In theory, it should be safe to let IE download and install signed ActiveX controls. But in truth, a signature just means that the author is identified. It says nothing about what the ActiveX control may do to your computer. If you know and trust the control's author (say, Microsoft or Adobe Systems), that's fine. But if a verified author is "Joe Blow Software," you really don't know any more than an unsigned control tells you.
Making things more confusing, there are harmless ActiveX controls whose authors don't bother to get them signed. This is common with ActiveX controls developed in-house for corporate intranets. If you encounter one of these, your help desk or IT support should advise you how to proceed.
It's possible to disable ActiveX, but you lose a lot of functionality in Internet Explorer and other components of Windows. Even Microsoft Office employs ActiveX, so I would not recommend disabling it.
So, to your question "Is ActiveX Evil?" I have to say no. Personally, I've never encountered a malicious ActiveX control in the past 15 years since they came on the scene. But there are no guarantees with ActiveX controls. The better question is whether or not you should allow IE to install an ActiveX control. The best guidance I can give you is to carefully consider the source of any ActiveX control. If the Web site offering the control is one you trust, and the control is signed, then it's probably safe. If it's a game or widget on some site you've never visited before, I'd skip it.
Have you ever had a problem with an ActiveX control? Post your comment or question below...
This article was posted by Bob Rankin on 17 Feb 2012
|For Fun: Buy Bob a Snickers.|
Ten Steps to Securing Your New PC
The Top Twenty
Sync Your Passwords on Windows, Mac and Smartphones
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Is ActiveX Evil? (Posted: 17 Feb 2012)
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Is ActiveX Evil?"
17 Feb 2012
I have to say that I am puzzled and maddened by Active-X controls. I receive a periodic announcement from a business associate, and it is always heralded with a loud ERROR noise, saying that Active-X controls have prevented display of certain elements.
This individual is not a sophisticated user; he makes up an announcement in Word, then cuts and pastes it into his email client and sends it. I have offered to bulk email his stuff for him, as he has to send groups of no more than 100, etc.
He isn't putting any dancing bears or anything sophisticated in this message, and I find it unnerving to get this loud error message, when neither of us have done anything wrong.
I would welcome more information on this, but I am annoyed by the information you imparted which hints that Microsoft is taking charge of elements on my computer!
P D Sterling
17 Feb 2012
It would have been good to know how to know if Active X is on one's computer and if desired how to disable it. Please advise.
EDITOR'S NOTE: ActiveX is on ALL Windows computers. Disabling is not recommended, but you can go to Tools / Security / Internet Zone / Custom level and then uncheck the desired radio buttons.
17 Feb 2012
Thanks for this helpful and thorough explanation. Even dedicated Google Chrome users need to employ Internet Explorer to play some of our MSN games...
18 Feb 2012
Thanks. I used to have the same problem in emails received as described by pdsterling above. Why? Also, I sometimes have the message "An ActiveX on this site (page) has failed to work". I sometimes can but sometimes cannot tell what is missing from the page (i.e. it seems perfectly normal). What goes wrong and what can I do about it?
18 Feb 2012
What would be more intresting would be to have a widespread virus circulate that corrects the security holes in ActiveX, that works better than the original.
18 Feb 2012
Just a note of thanks for explaning ActiveX. I have been very confused about it until I read this article. Thanks so much for all of the info that you are so willing to share.
19 Feb 2012
As usual this guy should stick to writing what he knows about if anything !
LOL / apparently is not aware of their infected/infested computer. ANYONE knows this can not be correct with a windows 'puter.
EDITOR'S NOTE: Huh, what? I have no idea what you're trying to say here.
WRONG. ActiveX Control have NEVER an "add-on" except by apparently askbob . Java "Downloaded Program Files" (proper title) are located at --- C\WINDOWS\Downloaded Program Files and are NOT ActiveX control per
se by name or operation.
EDITOR'S NOTE: Again, what? If I understand your garbled grammar, you're quibbling over my use of the word "add-on"? And I never said that ActiveX and Java are the same thing. I did say that it "serves a function similar to Java."
WRONG. The user is in full control of their computer and browsing and installing software. They give their permission. The User gives permission for these and are aware that they are operating as expected as they navigate the world wide web and some or many softwares installed. Active X does not allow any program to make "unrestricted changes" to anything. It is a blue moon one even gets updated in some manner. They cost money and if it ain't broke don't fix it.
EDITOR'S NOTE: I read that several times and I think you're saying that it's the user's fault if they download a rogue ActiveX control, because they gave permission and should have known better. Hmmm...
WRONG. Now this is an outright lie !!! askbob is comparing any type of ActiveX in the computer to the RAREST malware event of left over malware items from an unclean removal that are a danger as to being re-used by a very volatile severe threat already installed or may be or worst - a rootkit may hide behind these to avoid detection. askbob in his ignorance is really scaring people !!! How much this never got posted ? ! (I do IT Security and Forensics)
EDITOR'S NOTE: Well, I had misgivings about doing so. You know that old saying "Freedom of the press only applies to those who OWN one." But here it is... I'll you all decide if I am I a liar and a scaremonger.
21 Feb 2012
I am confused by Gerald309's comments as well.
I have been enjoying your eletter for at least a couple of years now. Please continue.
22 Feb 2012
Over time, I've acquired a lot of useful tips (concerning a whole range of subjects with respect to PCs) and small pieces of highly useful software — e.g., 'WizMouse', 'WinSplit Revolution', 'Ducklink Capture' and 'PasteCopy.net', to name but four — from a French-language website, PC Astuces - www.pcastuces.com. The website publishes extensive guidance regarding how to apply the tips and use the software.
So when I install some software and Windows tells me it can't verify the source, I tend never to worry. PC Astuces have tested everything for me beforehand.
(Incidentally, those two last-named bits of software (above) are the fastest way I know to acquire content that takes my interest from websites. Stompin'.)
25 Feb 2012
YES, ACTIVE X IS EVIL. IT IS USED BY MALWARE AUTHORS TO TRICK INEXPERIENCED COMPUTER USERS INTO CLICKING ON SOMETHING THAT ALLOWS MALWARE TO BE INSTALLED ON THE COMPUTER. ONCE INSTALLED THE MALWARE AUTHOR BASICALLY OWNS THE COMPUTER. WHO EVER CREATED ACTIVE X IS AN IDIOT. IN FACT MOST OF THE PEOPLE WHO HAVE ENGINEERED SOFTWARE THAT IS RELATED TO WINDOWS OS SECURITY ARE IDIOTS.
30 Apr 2012
Is there a secure link so I may install and pay for active x for my computer? I have been experiencing a major virus and active x keeps popping up to fix the errors. I'm really worried about using my credit card to pay for anything while my computer is the way it is. I usually use microsoft security essentials but it's obviously not working and has been disabled by active x. I just need a secure link to purchase the software so it will stop prompting me to! It's so annoying, I just want my computer fixed and I don't have my original computer disk to reprogram my computer... A secure link would be appreciated!