ActiveX: Is it Better to Disable it?
The US Computer Emergency Readiness Team (US-CERT) recently made headlines when it advised users to disable ActiveX in their Internet Explorer (IE) browsers by changing IE’s Internet security setting to “high.” The impetus for US-CERT’s announcement was the discovery of several new vulnerabilities in ActiveX plug-ins for Facebook, MySpace, and Yahoo’s music services. To the best of my recollection, although various individuals have recommended disabling ActiveX, no major organization has previously made such a recommendation. The recently discovered vulnerabilities are only a few of the many ActiveX vulnerabilities identified over the years; many allow malicious code that runs with SYSTEM privileges (the highest level of privileges in Windows systems) to be injected into Windows systems, thereby allowing perpetrators to take complete control of victim systems.
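What “changing IE’s Internet security setting to high” actually does is flip a handful of per-zone registry values for the Internet zone. The following PowerShell script is an added example written for this post, not something from US-CERT or Microsoft; it reads those values for the current user, reports whether each ActiveX setting is already at the “Disable” state that the High level enforces, and optionally applies that state. The registry path, the value names (1200, 1001, 1004, 1201, 1405, CurrentLevel) and the level constants are the standard IE security-zone settings; the function names are this example’s own.

```powershell
# Added example (not from the article): audit, and optionally enforce, the
# ActiveX settings of Internet Explorer's Internet zone (zone 3) for the
# current user. Per-value meaning: 0 = Enable, 1 = Prompt, 3 = Disable.
# Zone path and value names are the documented IE security-zone registry keys.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# ActiveX-related zone values. The "High" level sets every one of these to Disable (3).
$ActiveXSettings = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

# CurrentLevel constants used by the IE security-zone slider.
$LevelNames = @{
    0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
    0x11500 = 'Medium-high'; 0x12000 = 'High'
}
$HighLevel = 0x12000

function Get-ActiveXZoneReport {
    # Returns one object per setting with its current value and an OK/REVIEW status.
    param([string]$Path = $ZonePath)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    $level = $props.CurrentLevel
    $levelName = if ($null -ne $level -and $LevelNames.ContainsKey([int]$level)) {
        $LevelNames[[int]$level]
    } else { 'Custom / not set' }

    [pscustomobject]@{
        Setting = 'CurrentLevel'
        Value   = if ($null -ne $level) { '0x{0:X}' -f $level } else { '(not set)' }
        Meaning = $levelName
        Status  = if ($null -ne $level -and $level -ge $HighLevel) { 'OK' } else { 'REVIEW' }
    }

    foreach ($name in $ActiveXSettings.Keys) {
        $value = $props.$name   # a missing value means IE's built-in default for the zone
        $meaning = switch ($value) {
            0       { 'Enable' }
            1       { 'Prompt' }
            3       { 'Disable' }
            $null   { 'not set (zone default)' }
            default { "unknown ($value)" }
        }
        [pscustomobject]@{
            Setting = "$name ($($ActiveXSettings[$name]))"
            Value   = if ($null -ne $value) { $value } else { '(not set)' }
            Meaning = $meaning
            Status  = if ($value -eq 3) { 'OK' } else { 'REVIEW' }
        }
    }
}

function Set-ActiveXDisabledInInternetZone {
    # Applies the ActiveX portion of the "High" level: every ActiveX value -> Disable (3)
    # and CurrentLevel -> High. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $ZonePath)

    if ($PSCmdlet.ShouldProcess($Path, 'Disable ActiveX in the Internet zone')) {
        foreach ($name in $ActiveXSettings.Keys) {
            Set-ItemProperty -Path $Path -Name $name -Value 3 -Type DWord
        }
        Set-ItemProperty -Path $Path -Name 'CurrentLevel' -Value $HighLevel -Type DWord
    }
}

# Usage: audit first, then preview the change, then apply it.
Get-ActiveXZoneReport | Format-Table -AutoSize
Set-ActiveXDisabledInInternetZone -WhatIf
# Set-ActiveXDisabledInInternetZone
```

Two caveats for anyone using this to verify a rollout: the per-user key above can be overridden by machine-wide or Group Policy copies of the same values (under HKLM and the `Policies` branch), so a report of `OK` here does not by itself prove that IE is enforcing the setting; and ActiveX remains enabled in the Local intranet and Trusted sites zones (zones 1 and 2) unless those are audited as well.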
After considerable deliberation concerning this issue, I feel compelled to side with US-CERT’s position on ActiveX. Given that so many of today’s cyberattacks are against Web browsers, and that this problem is, if anything, getting worse, users and organizations are going to have to adopt more stringent security measures if they are to avoid falling prey to one or more of the myriad types of malicious code that exist today. Disabling ActiveX is clearly one of the measures to be strongly considered. At the same time, however, IE is by far the most prevalent Web browser in use today, so Web site developers almost invariably make their sites IE-compatible. Not surprisingly, therefore, ActiveX is also a critical part of the functionality of many Web sites; without ActiveX, sound effects and animation often do not work. Disabling ActiveX thus has a real downside. Other browsers such as Mozilla Firefox do not support ActiveX, so simply switching browsers is not a viable solution either, if one wants to continue benefiting from ActiveX functionality.
Information security invariably requires balancing costs versus benefits. There is a definite cost involved with disabling ActiveX, but given the huge toll (financial cost, disruption, loss of reputation, and so on) of today’s ActiveX-related security incidents, disabling ActiveX appears to be the better alternative at this time. Additionally, if a significant portion of the user community avoids using ActiveX, Microsoft will almost certainly get the message and react by substantially improving ActiveX security, just as this software giant has already done with Windows operating systems, the Internet Information Server (IIS), and other products that it makes.