
What the heck is ActiveX?

And why should you care?

If you've paid any attention to security news in the last 7-10 days, it's possible you've seen dire warnings about vulnerabilities in Microsoft ActiveX controls. For many people, these warnings aren't very meaningful--someone commented to me on Facebook that "...since I don't speak computer, I can't even figure out your post. :)"

That is really too bad--and might even be dangerous for others who also do not "speak computer." So let's try to break down what ActiveX is, what it does, and why it's important when someone figures out how to break it.

In computer-ese, ActiveX is a framework for developing software that ships with every single copy of Microsoft Windows. Programmers can use ActiveX controls within that framework to create programs that can run within Internet Explorer or other ActiveX-enabled web browsers.

In English, you can think of ActiveX as being a lot like Lego building blocks. You can take all sorts of different sizes and colors of blocks and put them together to build houses, or spaceships, or trucks. Whatever you like, really. The bad news is, however, that if Lego building blocks were truly like ActiveX controls, the spaceship you just built might randomly turn rogue and start firing its phasers at you and your pets.

Just as an example, there is an ActiveX control that allows you to view Excel spreadsheets directly in Internet Explorer. Spiffy, right? Saves you the time of downloading it, finding the file, opening it in Excel. The bad news is the bad guys found a way to cause that control to run malicious code on your system when you open a spreadsheet directly in IE. (Look out, I think I see a Lego spaceship behind you.) ITSO published an alert about this yesterday.

The reason ActiveX is so useful is, like the aforementioned building blocks, it is quite flexible. It is very tightly integrated into the Windows operating system. ActiveX isn't "sandboxed." That is to say ActiveX doesn't have a limited space in which it is allowed to play. It can (and does) go anywhere and do whatever it wants. Its only limitation is YOU. That's right--Microsoft decided to leave it up to you as to whether or not you allow those little programs to do their thing.

If you're not of the geeky persuasion, how on Earth are you supposed to know why an exploited ActiveX control is a Bad Thing? Other than the word "exploit," which you can pretty much assume means "bad," the phrases "exploited ActiveX control" or "0day vulnerability in ActiveX control" are pretty much meaningless to the layperson.

I do have some good news, however. There are things you can do to protect your computer from the issues presented by vulnerable ActiveX controls:

Switch to a web browser that doesn't use ActiveX
We've flogged the "stop using IE as your default browser" horse just about to death on this blog, but let's flog it one more time: STOP USING INTERNET EXPLORER FOR YOUR DAY-TO-DAY WEB BROWSING. Seriously. It's fine if you have a few websites that MUST have IE. Keep using them in IE. But if you're checking your e-mail, reading blogs, doing web searches? Use a non-IE browser. This solves so many problems that you may even be able to skip the rest of this post. (Don't skip it. There's good stuff coming up.)
Set killbits for vulnerable controls
"Setting a killbit" is fancy Microsoft talk for "disable the vulnerable ActiveX control in question." In the past, Microsoft would just tell you which one to disable and wish you luck. These days, they put out these nifty things called "Fix Its." You download the Fix It, run it, and it sets the killbit for you. No digging through the Windows Registry. When the IT Security Office issues an alert about vulnerable ActiveX controls, we will always link to the Microsoft Fix It if they've made one available.
Install security updates
Start-->Control Panel-->Automatic Updates. If "Automatic (recommended)" isn't selected, you're doing it wrong. Make sure that you've set Automatic Updates to check every day at a time when the computer is actually on. Don't set it to check at 3:00am if you don't leave your computer on overnight! Microsoft frequently releases patches and updates that fix some of the security problems introduced by vulnerable ActiveX controls.
Don't install ActiveX add-ons in Firefox.
You know that thing we said about getting away from browsers that use ActiveX? If you install an ActiveX add-on in Firefox, you've just invited the riff-raff in. Don't do it.
Mac people, don't e-mail me.
Blah blah, switch from Windows, blah. If it's a viable option for you, it's true--Mac OS X doesn't use ActiveX and doesn't have these issues. By virtue of its market share, its attack surface tends to be smaller. You should not assume, however, that using a Mac means you don't have to worry about security.

Finally, and I can't say this enough, ask questions. If you read something that sounds bad but you're not sure if it affects you? ASK! You can ask us, you can ask the IT Customer Service Center, you can ask your Technical Liaison. Don't just stumble blindly forward.

Further reading:
What is an ActiveX control?
Security Tradeoffs: Java vs. ActiveX (Note: this article is quite old, but the basic information contained within is still a good explanation of the two technologies.)
Wikipedia: ActiveX
