
The ActiveX Files

Microsoft claims ActiveX is perfectly safe, but others say it's a huge security risk. This week, Ed Bott recommends a report that offers an unbiased evaluation of ActiveX. Check out the details and take a shot at Ed's latest challenge.


Do you really know how ActiveX technology works? Is it a frightening security risk? A powerful extension to Windows? Both? Until recently, trying to get unbiased information about the subject was next to impossible, because the dialog included only two participants with diametrically opposed points of view. On one side, you have Microsoft arguing that its ActiveX framework is perfectly safe except for occasional problems like the one described in this security bulletin, which can be easily patched. On the opposite side, you have legions of Microsoft bashers who are convinced that ActiveX wreaks havoc and destruction wherever it goes.

After years of this loud, unproductive wrangling, someone has finally produced an impartial, clear-headed, thorough look at ActiveX and its security implications. The truth is out there in a 53-page report titled “Security in ActiveX.” Available for free download as a PDF file, the report was produced by a blue-ribbon group of experts under the auspices of the Computer Emergency Response Team (CERT) at Carnegie Mellon University. After a searching study of ActiveX, this group concluded that the ActiveX architecture does indeed offer compelling benefits for some organizations, but it also makes the case that ActiveX poses serious security risks to any organization that doesn't vigilantly monitor its systems.

If you're too busy to read the full report, I urge you to at least print out "Suggestions for System Administrators and Security Personnel" on page 12, so you can pass it along to whoever is in charge of your organization's security policy. Then, skip ahead to page 30 and read the brief set of "Suggestions for Users Who Administer Their Own Computers." The discussion of Microsoft's Outlook Security Update is the clearest I've ever seen, and the report includes alternatives to that problematic patch.

Still not convinced that you should take ActiveX seriously? How about a small demonstration? Before he became chief technology officer of the Privacy Foundation, security expert Richard M. Smith created a simple Web page that shows how seemingly innocent ActiveX controls can be turned against their owners. Click the ActiveX Security Check Page to see how your system measures up.

I've never been able to shake a nagging mistrust of the fundamental principle behind ActiveX. After all, ActiveX controls are nothing more than software, potentially powerful binary programs that can be delivered over a network, installed automatically, and controlled from nearly anywhere. Shouldn't you keep a close eye on any software that appears on your PC?
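Keeping that close eye starts with knowing what the browser is allowed to download and run. The PowerShell audit below is an added example for this column (it is not code from the column, from the CERT report, or from Richard Smith's check page). It assumes the Internet Explorer registry layout that Microsoft documents: per-zone settings under `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>` (zone 3 is Internet, zone 4 is Restricted sites), where the ActiveX URL-action values (1001, 1004, 1200, 1201, 1405) hold 0 for Enable, 1 for Prompt and 3 for Disable, and the per-control "Compatibility Flags" value under `HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` with bit 0x400 set, which is the "kill bit" that stops a control from running in the browser. The "expected" policy values are this example's own conservative baseline, not a recommendation taken from the report.

```powershell
# Added example: audit IE zone settings that govern ActiveX, and list kill-bitted controls.
# Assumes the documented IE registry layout (see lead-in); expected values are this
# example's own baseline policy, not the CERT report's.

$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# ActiveX-related URL actions, with the value a cautious administrator would expect
# in the Internet zone. (Restricted sites is expected to be Disable for all of them.)
$settings = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';           Expected = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';         Expected = 3 },
    @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins';          Expected = 1 },
    @{ Id = '1201'; Name = 'Initialize/script controls not marked safe'; Expected = 3 },
    @{ Id = '1405'; Name = 'Script controls marked safe for scripting';  Expected = 1 }
)

function Get-ActiveXZoneAudit {
    foreach ($zoneId in $zones.Keys) {
        $key   = Join-Path $zoneRoot $zoneId
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($s in $settings) {
            # A missing value means the zone is using its built-in default.
            $value = if ($props -and $props.PSObject.Properties[$s.Id]) { [int]$props.($s.Id) } else { $null }
            $label = if ($null -eq $value) { 'not set (default)' }
                     elseif ($labels.ContainsKey($value)) { $labels[$value] }
                     else { "unknown ($value)" }
            $expected = if ($zoneId -eq 4) { 3 } else { $s.Expected }
            [pscustomobject]@{
                Zone    = $zones[$zoneId]
                Setting = $s.Name
                Value   = $label
                # Lower numbers are more permissive (0 Enable < 1 Prompt < 3 Disable).
                Weak    = ($null -ne $value -and $value -lt $expected)
            }
        }
    }
}

function Get-KillBitControls {
    # Each subkey is a control CLSID; bit 0x400 in "Compatibility Flags" is the kill bit.
    $compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    Get-ChildItem -Path $compat -ErrorAction SilentlyContinue | ForEach-Object {
        $flags = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -and ($flags -band 0x400)) { $_.PSChildName }
    }
}

$audit = Get-ActiveXZoneAudit
$audit | Format-Table -AutoSize
$weak = @($audit | Where-Object Weak)
"$($weak.Count) ActiveX setting(s) are more permissive than the example baseline."
$killed = @(Get-KillBitControls)
"$($killed.Count) control(s) have the kill bit set."
```

Run it in an ordinary user session to see the effective per-user zone settings; if your organization pushes zone policy through HKLM or Group Policy, point `$zoneRoot` at the corresponding policy key instead. A row marked `Weak` is a setting to raise with whoever owns the browser baseline, and an empty kill-bit list on a machine that has received Internet Explorer security updates is itself worth investigating.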

Two TechRepublic members who responded to this week's challenge agreed with this perspective. RGershbock wrote, "Just when you thought it was safe to stick your nose out onto the ‘Net... The report was a real eye-opener, and we will be implementing controls once we figure out what controls make any sense.

"Ultimately, we may need to look to Microsoft to rebottle this genie. This may require a limited-capability VM initiated for each control invocation (which would give you a sandbox). The alternative is a general avoidance of all ActiveX, which the user community would have to impose on Web sites by avoiding sites that do not convert their ActiveX to a 'safer' Java. (No, I do not really believe that Java is harmless either.)

"Thank you, Ed. You have made my day."

TechRepublic member dlw6 said we should have seen this coming: "When I first became aware of the growing number of exploits that used ActiveX as a vehicle, I brought it to my boss, and he gave me permission to stop it. This was in the summer of 1999. Users didn't know ActiveX from Active Server Pages, and we shouldn't expect them to know, so there wasn't any use telling them to avoid ActiveX. I reconfigured our network security scanner (ISS RealSecure) to 'kill' (TCP Reset) any ActiveX traffic.

"It was transparent to the users, except for a few goof-offs who were using the Web for entertainment instead of work, and they didn't want to admit that. To date, no one has justified an official-business need for ActiveX."

These two TechRepublic members split this week's allotment of TechPoints. To add your input to the ActiveX debate, click the Discussions link below.

Here's Ed's new Challenge
My quest to build a brand-new Windows dream machine for 2001 continues. This week, I'm focusing on the CPU. For years, with only a few brief exceptions, I've built or bought machines with Intel CPUs. If I stick with that attitude in this new millennium, am I cutting myself off from the most powerful processor? I've got 2,001 TechPoints to exchange for your opinions about the current crop of high-speed CPUs from Intel, AMD, and any other chipmaker that deserves serious consideration. Want to earn the points? Don't just tell me the P4 rocks or Duron rules—I'm looking for well-supported opinions and links to great sources of unbiased information on which hardware works best with Windows. If you think you've got the CPU for me, take a shot at this week's Microsoft Challenge. And don't forget to include those links!
