
The dangers of ActiveX

Can you explain how ActiveX might infect (and wreak havoc) on my organization's network? What is the best way to protect against malicious ActiveX?

ActiveX is Microsoft's technology for packaging executable code and distributing it across the Internet, with a similar goal to Sun Microsystems' Java. Such programs are called ActiveX controls, and they can do anything on your system if they are allowed to run.

The security model for ActiveX involves digital signatures of the code. If the code is written and signed by a trusted software developer, your Internet Explorer browser will run it. A good ActiveX control could implement a wonderful application, such as a mortgage calculator or an expense report tool. A malicious ActiveX control could completely hose your machine, stealing or deleting sensitive files, or installing spyware to watch your every move. The ActiveX control has every capability (and sometimes more) that the user sitting at the system has. So, anything goes, once the ActiveX control is activated. The user just surfs to the wrong site, the site shoots back a malicious ActiveX control, and if the browser trusts it, that machine is under the control of the bad guy.

But how does the browser know which ActiveX controls to trust and automatically activate? This is where things get tricky. The IE browser has a list of trusted software developer certificates (under Tools->Internet Options->Content->Certificates->Advanced, you'll see "Code Signing"; that's the list of developers your browser trusts). This list should be kept to a minimum. Additionally, by default, a user will be prompted if a Web site shoots back an untrusted control, asking the user whether the control should be executed. This is very dangerous: running an unsigned or untrusted control is like putting a gun to the user's head and asking the user if we should pull the trigger. Most users have no idea whether to pull the trigger or not.

To stop this possibility, you can configure IE so that it will never run unsigned ActiveX controls by setting its security level (Tools->Internet Options->Security) to "Medium" or "High", or by creating a custom setting that sets "Download unsigned ActiveX controls" to "Disable." To go one better, you can disable all ActiveX controls (which I do myself for the Internet Zone) by selecting "Disable" for both "Download signed ActiveX controls" and "Download unsigned ActiveX controls." You can do this on an enterprise-wide basis using the Internet Explorer Administration Kit (IEAK) from Microsoft, or through Group Policy if you have Active Directory deployed. Some firewalls can also filter out ActiveX controls; activating such functionality is a pretty good idea.
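The settings described above live in the registry under the Internet zone (zone 3) as Microsoft's documented URL-action values, where 0 means Enable, 1 means Prompt and 3 means Disable; the per-user hive is what the Security tab edits, and the machine policy hive is what a Group Policy or IEAK deployment writes and takes precedence. The following PowerShell script is an added example, not part of the original column, that audits both hives and can enforce "Disable" in the policy hive. It goes slightly beyond the column by also covering the two actions that govern already-installed controls (1200 and 1201); the function names are mine.

```powershell
# Added example (not from the original column): audit and optionally harden the
# Internet Explorer "Internet" zone (zone 3) so that ActiveX controls are neither
# downloaded nor run. Value names are Microsoft's documented URL-action IDs for
# security zones: 0 = Enable, 1 = Prompt, 3 = Disable.

# Actions the column refers to (1001, 1004) plus the two that control execution
# of controls that are already installed (1200, 1201).
$ActiveXActions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
}
$ActionMeaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Per-user settings (what Tools->Internet Options->Security edits) and the
# machine policy hive (what Group Policy / IEAK writes; it overrides the user value).
$UserZone   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$PolicyZone = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Get-ActiveXZoneStatus {
    # Returns one record per action for the given zone key. A missing value means
    # the zone falls back to its built-in default, so it is reported, not assumed.
    param([Parameter(Mandatory)][string]$ZonePath)
    foreach ($id in ($ActiveXActions.Keys | Sort-Object)) {
        $value = $null
        if (Test-Path $ZonePath) {
            $value = (Get-ItemProperty -Path $ZonePath -Name $id -ErrorAction SilentlyContinue).$id
        }
        [pscustomobject]@{
            Hive     = $ZonePath
            Action   = $id
            Name     = $ActiveXActions[$id]
            Meaning  = if ($null -eq $value) { 'not set (built-in default applies)' } else { $ActionMeaning[[int]$value] }
            Hardened = ($value -eq 3)
        }
    }
}

function Set-ActiveXZoneDisabled {
    # Writes Disable (3) for every listed action into the policy hive, which is
    # what the matching Group Policy settings do for the Internet zone.
    # Needs an elevated prompt; on a domain, prefer deploying this as a GPO.
    param([string]$ZonePath = $PolicyZone)
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    foreach ($id in $ActiveXActions.Keys) {
        New-ItemProperty -Path $ZonePath -Name $id -Value 3 -PropertyType DWord -Force | Out-Null
    }
}

# Audit both hives and flag anything in the policy hive that is not forced to Disable.
$report  = @(Get-ActiveXZoneStatus -ZonePath $UserZone)
$report += @(Get-ActiveXZoneStatus -ZonePath $PolicyZone)
$report | Format-Table Hive, Action, Name, Meaning, Hardened -AutoSize

$weak = @($report | Where-Object { $_.Hive -eq $PolicyZone -and -not $_.Hardened })
if ($weak.Count -gt 0) {
    Write-Warning "Machine policy does not force ActiveX off in the Internet zone: $($weak.Count) action(s) not set to Disable."
}

# Uncomment to enforce on this machine from an elevated shell:
# Set-ActiveXZoneDisabled
```

Run the script as-is to audit; it reads only. The user hive tells you what the person at the keyboard has chosen, the policy hive tells you what the organization enforces, and a finding of "not set" in the policy hive means users can still turn ActiveX downloads back on themselves. Checking the policy hive on a sample of workstations is a quick way to verify that an IEAK or Group Policy rollout actually landed.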

This was last published in January 2004
