ActiveX problems continue
ActiveX refers to a group of technologies that Microsoft has incorporated into Windows and Internet Explorer (more detail is given at http://surfthenetsafely.com/activex.htm). A basic idea of this technology is to allow various parts of the system to interact with one another. This is all very well in theory, but it gives malware ways to use Internet Explorer as a gateway into your computer’s operating system. (Other browsers do not use ActiveX.)
ActiveX is an excellent example of how convenience and security can be inversely related, as I discussed yesterday. Vista deals with the problem in part by running Internet Explorer with reduced privileges. Of course, running with reduced privileges negates some of the advantages that were the rationale for inventing ActiveX in the first place. Also, Internet Explorer 7 has been made somewhat more secure by changing the default settings for ActiveX so that functionality is reduced. Once more, this gains security only at the cost of partially disabling what was supposed to be a convenient and useful feature.
The fact that ActiveX exploits are an ongoing problem is illustrated by the statistics reported by Symantec in a post, “A Sudden Rise in ActiveX Vulnerabilities”. Naturally, Symantec has a vested interest in making security problems sound as bad as possible, but I see no reason to doubt the trend that their numbers show. The article begins:
The year 2006 saw the rise of numerous security trends such as attacks against social networks, initiatives by researchers to sequentially disclose many flaws in Web browsers and operating system kernels, attacks being used for financial gain, and a dramatic increase in the number of vulnerabilities affecting Web applications. During the last few months of the year, I have noticed another trend that did not receive much attention. There has been a significant increase in the vulnerabilities that affect ActiveX controls. These vulnerabilities can facilitate an assortment of attacks that may simply cause the disclosure of sensitive information to an attacker or, in the worst-case scenario, allow them to execute code to gain unauthorized access to an affected computer.
At eWeek, Joe Wilcox comments:
Today, over at Symantec’s Security Response Weblog, Greg Ahmad reveals startling–and I do mean shocking–increases in ActiveX vulnerabilities.
What should the home PC user do about ActiveX? I’ll review some defenses against ActiveX problems tomorrow. Note that using a browser other than Internet Explorer helps prevent ActiveX problems but does not prevent them entirely. Internet Explorer is tightly integrated into the operating system and other software may make use of its functions (and suffer its ActiveX problems).

Sol Libes sends this comment:
Here is my policy:
1) I do not enable ActiveX unless I have a damn good reason.
2) When I’m at a new site, I look at link destinations before I click on them.
3) I have all MS Office scripting disabled so I don’t worry about opening Office documents.