Ok - I've seen the various posts in the archive so I know that ActiveX
is not run in a sandbox and it has the same level of access as the
user. I know that you 'can' disable ActiveX or you can restrict it to
signed controls only (although a signed control can still be
malicious) and all these configuration options may have a negative
effect on the user's Internet browsing experience.

But I'm confused to see some reports of flaws in current ActiveX
controls - sure the Control can be abused to take over the User's PC
but if a malicious website wants to take over a user's PC why don't
they use their own ActiveX control? Is it that the majority of
companies do not allow ActiveX controls to be downloaded (they must
all be installed by IT)

Also are there practical limitations to what an ActiveX control can
Can it send crafted network packets (such as to exploit the recent MS
RPC vulnerability) or has it only got high level access to network

Is it relatively simple for an ActiveX control to be written to
quietly get the browser to set up a remote control session from an
external host or to get the ActiveX control to suck files off the

Any thoughts welcomed


Re: Just How bad is ActiveX

You have just discovered why Firefox has become so popular a
recommendation among anyone with any security leaning whatsoever:
ActiveX can't be an issue on a browser that doesn't support it.
Firefox in a default install doesn't do ActiveX. :-)

Personally, I wouldn't trust ActiveX security policy in IE any further
than I could throw Steve Ballmer.

But I am interested in answers to your question about the relative
difficulty of getting ActiveX controls installed without user

Best Regards,
Todd H.
http://www.toddh.net/

Re: Just How bad is ActiveX

comphelp@toddh.net (Todd H.) wrote in

Conversely Firefox has no security for extensions. While the browser itself
MAY be secure there is no validation for extensions and there is a potential
for things to go awry. Here is a bit of background info:


Re: Just How bad is ActiveX

"bright" wrote:
Exploiting vulnerabilities in installed ActiveX browser components is
just an easy way for criminals to run their code without the user
consenting or being aware of it. Why take the risk that a user might
decline to install something by making them decide? Of course, they do
that as well and people are still socially-engineered to run malware
in the form of BHOs (browser helper objects) or ordinary executable

Re: Just How bad is ActiveX

bright wrote:

Because any vaguely sensible security policy would, at a minimum,
require user confirmation, before installing them from the internet or
untrusted zones (and should probably not allow unsigned ones at all).
They can do anything that an ordinary .exe can do, when run by the user
of the browser.  I don't know the exact rules for Windows, but there are
some network operations that require Administrator access on Unix.

Note, as you implied an environment where user convenience was more
important than security, it may well be that the users do have
Administrator rights!

Generally, there is a strong correlation between the ability to produce
a "rich user experience" and the high security risks.

Yes.  (It is possible that some firewall products may detect this, and
that some virus/spyware programs may also sense a risk.)
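
Added example, not written by any poster in this thread: a PowerShell audit of the settings discussed above (prompting for, or blocking, ActiveX downloads from the Internet zone). It reads Internet Explorer's zone URL actions 1001 and 1004; the function name Get-ActiveXDownloadPolicy and the rule for what counts as "weak" are assumptions of this example.

```powershell
# Added example: report IE zone settings for ActiveX control downloads.
# URL actions: 1001 = download signed controls, 1004 = download unsigned controls.
# Values: 0 = Enable, 1 = Prompt, 3 = Disable.
$zones   = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$suffix  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Settings can live in policy or preference keys, per machine or per user.
# Every location that sets a value is reported; precedence is not resolved here.
$roots = @(
    "HKLM:\Software\Policies\$suffix",
    "HKCU:\Software\Policies\$suffix",
    "HKLM:\Software\$suffix",
    "HKCU:\Software\$suffix"
)

# Hypothetical helper name, chosen for this example.
function Get-ActiveXDownloadPolicy {
    foreach ($root in $roots) {
        $kind = if ($root -like '*\Policies\*') { 'policy' } else { 'preference' }
        foreach ($zone in $zones.Keys) {
            $key = "$root\$zone"
            if (-not (Test-Path -Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($id in $actions.Keys) {
                $value = $props.$id
                if ($null -eq $value) { continue }   # not set at this location
                # Assumed rule: unsigned downloads must be disabled, and signed
                # downloads must at least prompt (a signed control can still be
                # malicious, as noted in the thread).
                $weak = ($id -eq '1004' -and $value -ne 3) -or
                        ($id -eq '1001' -and $value -eq 0)
                [pscustomobject]@{
                    Location = '{0} {1}' -f $root.Substring(0, 4), $kind
                    Zone     = $zones[$zone]
                    Setting  = $actions[$id]
                    Value    = $meaning[[int]$value]
                    Weak     = $weak
                }
            }
        }
    }
}

Get-ActiveXDownloadPolicy | Format-Table -AutoSize
```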

Re: Just How bad is ActiveX

On Nov 2, 10:42 am, David Woolley
Agreed - we have that - but if the user has been fooled into thinking
that this is a safe website and if they are also being fooled into
clicking on a link then they will very likely click through any
We also block unsigned ActiveX but I gather (from messages in the
archives) that signing an ActiveX control is no big deal -
particularly if the malefactor has access to stolen credit card
details (or other stolen IDs)

I guess the answer is to block all ActiveX downloads from the
untrusted zone but then we need to keep on top of installing controls

