ActiveX: Difference between revisions

This article does not cite any sources. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "ActiveX" – news · newspapers · books · scholar · JSTOR (August 2007) (Learn how and when to remove this message)

ActiveX is Microsoft technology used for developing reusable object oriented software components. ActiveX is an alternate name for OLE automation (OLE - Object Linking and Embedding), not a separate technology. ^{[citation needed]} While the term "Automation" refers to the overall technology, "ActiveX" refers to the objects that can be created and manipulated using Automation. ^{[citation needed]}

Due to Internet Explorer and Visual Basic's popularity in the late 1990s, many people incorrectly assume that all of ActiveX is related to ActiveX controls. ^{[citation needed]} An ActiveX control is a special type of ActiveX object that is designed to be used similar to a plugin. ^{[citation needed]} The most common use of ActiveX controls is to build plugins for Internet Explorer. ^{[citation needed]}

With today's standards and common practices, most web browser configurations notify and prompt the user prior to the download of an ActiveX control. This can be a difficult choice if there is no guarantee or indication as to the function of the component and the requirement of the web page. Once the user accepts and the component is downloaded, considerable latitude is achieved - the ActiveX control now has the same privileges as the user. This poses security risks that including reading from, and writing to, the registry; manipulation of the user's local file system; and alteration of security rights.

While there are legitimate uses that provide visual display of web content or can functionally enhance the system, there are ActiveX components designed in such a way as to bring about significant malicious and damaging affects. ActiveX technology has been a handy an efficient vehicle for spyware/adware distribution, as well as activation and even propagation of malware. Programmers can embed spyware, Trojan horses, and virus infections to create rogue ActiveX technology.

A typical scenario would involve surfing to a site to play a game online. When coming to a site, the user is presented with a message stating that a download is required. In many instances, an ActiveX installation is required. In some cases, this is accompanied by a security warning dialog and possibly even a privacy policy, and typically, the expected outcome results. However, there are other outcomes where the results are not expected and certainly are undesirable. Some installations of Active X lead to a dialog prompt stating access to a web site is required. After enabling the connection, installations are initiated and icons are generated in the system tray. Now, the user begins to get pop-up and pop-under advertisements that generate repeatedly and cannot be turned off without removal of the unwanted software and distributed elements. By displaying traffic logs, we could see that certain http connections to the makers of adware exist and are actually proliferating. Removal is not straight-forward as standard uninstall procedures fail to remove the problem.

Security depends on best practices and proper judgment. The challenge lies in the inability to preview the outcome of accepting Active X downloads on your system. While some Active X installs include digital signatures from authors of the program, this can be a false sense of security unless knowledge and trust of the author is established in advance.

One recent concern involves the designation of "Safe for Scripting" components. This has been used in several worm virus attacks. Microsoft warns designers that marking the ActiveX control safe for scripting leaves the control vulnerable to manipulation. In these situations, an attacker can repurpose the control for their own use. Another main concern is that the wide majority of ActiveX components are not digitally signed due to expense and the technical nature of this process. In many cases, users have limited knowledge of the authors of digitally signed Active X programs.

With the growing need for ActiveX on many of today's web sites, it is more than likely that malicious activity will increase. While good judgment is always recommended, it cannot in all cases provide coverage against all spyware and adware attacks. While some of these attacks can be mere annoyances, others can be severe and can result in damage or degradation of the system, loss of confidential information, and loss of money. One such example of a costly spyware attack that utilizes ActiveX is referred to as a "dialer". A dialer makes long-distance calls via the computer's connection to a modem or ADSL without triggering or displaying any alerts.

While avoiding downloads altogether, using caution when surfing the Internet, and using best judgment practices are viable means of prevention, there is no guarantee that all unwanted items are kept from being downloaded to your system. A thorough and effective tool that can detect and remove malware infections is also essential.

• Active Setup
• Windows DNA
• Internet Explorer