
ActiveX: Is it Better to Disable it?

The US Computer Emergency Readiness Team (US-CERT) recently made headlines when it advised users to disable ActiveX in their Internet Explorer (IE) browsers by changing IE's Internet zone security setting to "high." The impetus for US-CERT's announcement was the discovery of several new vulnerabilities in ActiveX plug-ins for Facebook, MySpace, and Yahoo's music services. To the best of my recollection, although various individuals have recommended disabling ActiveX, no major organization has previously made such a recommendation. The recently discovered vulnerabilities are only a few of the many ActiveX vulnerabilities identified over the years; many of them allow malicious code to be injected into Windows systems and run with SYSTEM privileges (the highest privilege level in Windows), thereby allowing perpetrators to take complete control of victim systems.

Vulnerabilities in ActiveX fall into two categories: implementation bugs and design weaknesses. ActiveX implementation bugs such as the ones recently discovered are common, yet ActiveX does not really deserve to be singled out from among other Executable Content Languages (XCLs) on the basis of sheer vulnerability count alone, because so many vulnerabilities have also been found in JavaScript, Visual Basic, and other XCLs that focusing solely on ActiveX bugs makes little sense. The second category of ActiveX vulnerabilities results from a security design problem: ActiveX lacks proactive security mechanisms. ActiveX security depends to a large extent on Authenticode, a mechanism in which each ActiveX control is shipped with a digital signature and certificate that verify the identity of the code's author. Authenticode thus makes it possible to trace the identity of a malicious ActiveX author after a Windows system has been compromised, which is at best a poor consolation. In contrast, other types of XCLs have at least some proactive security controls.

After considerable deliberation concerning this issue, I feel compelled to side with US-CERT's position on ActiveX. Given that so many of today's cyberattacks target Web browsers, and that this problem is if anything getting worse, users and organizations are going to have to adopt more stringent security measures if they are to avoid falling prey to one or more of the myriad types of malicious code that exist today. Disabling ActiveX is clearly one of the measures to be strongly considered. At the same time, however, IE is by far the most prevalent Web browser in use today, so Web site developers almost invariably make their sites IE-compatible. Not surprisingly, therefore, ActiveX is also a critical part of the functionality of many Web sites; without ActiveX, sound effects and animation often do not work. Disabling ActiveX thus has a real downside. Other browsers such as Mozilla Firefox do not support ActiveX at all, so simply switching browsers is not a viable solution for anyone who wants to keep that functionality either.

Information security invariably requires balancing costs against benefits. There is a definite cost involved in disabling ActiveX, but given the huge toll (financial cost, disruption, loss of reputation, and so on) of today's ActiveX-related security incidents, disabling ActiveX appears to be the better alternative at this time. Additionally, if a significant portion of the user community avoids using ActiveX, Microsoft will almost certainly get the message and react by substantially improving ActiveX security, just as this software giant has already done with the Windows operating systems, Internet Information Server (IIS), and other products it makes.
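The US-CERT advice above amounts to turning off ActiveX for the Internet zone, which is what the "High" security level does. The following PowerShell script, added here as an example and not part of the original post, audits the per-user Internet zone (zone 3) settings that govern ActiveX and can enforce the disabled state. The registry path, action codes (1001, 1004, 1200, 1201, 1405) and value meanings (0 = Enable, 1 = Prompt, 3 = Disable) are taken from Microsoft's IE security-zone documentation, not from this article, and are stated here as assumptions.

```powershell
# Added example: audit/enforce ActiveX action codes in IE's Internet zone (zone 3).
# Assumption (Microsoft IE zone registry documentation, not this article):
# per-user zone settings live under HKCU, DWORD 0 = Enable, 1 = Prompt, 3 = Disable.
# A Group Policy value under HKLM\...\Policies would override what is read here.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$ActiveXActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneState {
    # One row per action code: current setting and whether it is already disabled.
    $props = Get-ItemProperty -Path $ZonePath
    foreach ($code in $ActiveXActions.Keys) {
        $raw = $props.$code
        $label = if ($null -eq $raw) { 'NotSet (inherits zone default)' }
                 elseif ($Meaning.ContainsKey([int]$raw)) { $Meaning[[int]$raw] }
                 else { "Unknown ($raw)" }
        [pscustomobject]@{
            Code       = $code
            Action     = $ActiveXActions[$code]
            Setting    = $label
            IsDisabled = ($raw -eq 3)
        }
    }
}

function Disable-ActiveXInternetZone {
    # Sets every ActiveX action code to 3 (Disable), matching the "High" level
    # for these actions. Only the current user's zone settings are touched.
    foreach ($code in $ActiveXActions.Keys) {
        Set-ItemProperty -Path $ZonePath -Name $code -Value 3 -Type DWord
    }
}

# Report the current state; warn if any ActiveX action is still allowed or prompted.
Get-ActiveXZoneState | Format-Table -AutoSize
if (Get-ActiveXZoneState | Where-Object { -not $_.IsDisabled }) {
    Write-Warning 'ActiveX is not fully disabled in the Internet zone; run Disable-ActiveXInternetZone to enforce.'
}
```

Running the audit first shows exactly which of the five actions a "Medium" or "Medium-High" zone still permits, so the trade-off the post describes can be judged per action rather than all at once.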
