Networking / Beginners

ActiveX

ActiveX is Microsoft's implementation of applets. An ActiveX control is a component that functions as a self-sufficient program object that can be downloaded as a small program or used by other application programs. ActiveX controls are apparent throughout the modern Windows platform and add many of the new interactive features of Windows-based applications, and especially Web applications. They also fit nicely into HTML documents and are therefore portable to many systems, and can be used in applications to perform repetitive tasks or invoke other ActiveX controls that perform special functions.

ActiveX controls run in "container" applications, such as the IE Web browser application or a Visual Basic or Access database application. Once an ActiveX control is installed, it does not need to be installed again. As a matter of fact, an ActiveX control can be downloaded from a distant location via a URL link and run on a local machine over and over without having to be downloaded again. If a user accesses an HTML document with an ActiveX control, it will check whether the control is already on the user's computer. If it is not, it will be downloaded, the Web page will be displayed, and the ActiveX code will be loaded into memory and executed. While Java applets are also loaded in the same manner, they are not installed on a user's system. Once the user leaves the Web page, a Java applet will disappear from the system (although it might stay in the cache directory for a limited time). ActiveX components, however, can be installed temporarily or, more frequently, permanently. One of the most popular ActiveX components is the Shockwave player by Macromedia. Once installed, it will remain on the user's hard drive until you elect to remove it.

Just as programs installed on a Windows platform can be viewed through add/remove programs in the Control Panel, you can determine what ActiveX controls are installed on your computer through IE.To view, enabled, disable, or delete ActiveX controls that have been added to IE 7, you can click on the Tools menu, select Manage Add-ons, and then click the Enable or Disable Add-ons menu item. In doing so, you will see a dialog box, which lists the ActiveX controls loaded and used by IE, downloaded from the Internet, and ones that can run without permission.

In comparing ActiveX to Java, you will find a number of differences. One major difference is where each can run. Java works on virtually any OS, because the applets run through a virtual machine, which, as we mentioned, is essentially an emulator that processes the code separately from the OS.This allows Java to run on many platforms, including Windows, Linux, and Macintosh. ActiveX components are distributed as compiled binaries, meaning they will only work on the OS for which they were programmed. In practical terms, this means that they are only guaranteed to run under Microsoft Windows.

As with Java and JavaScript, ActiveX runs on the client side, thus many of the issues encountered will impact the user's machine and not the server. However, while ActiveX controls can look similar to Java applets from a user point of view, the security model is quite different. ActiveX relies on authentication certificates in its security implementation, which means that the security model relies on human judgment. By attaching digital certificates to the files, a user can be nearly 100-percent sure that an ActiveX control is coming from the entity that is stated on the certificate.To prevent digital forgery, a signing authority is used in conjunction with the Authenticode process to ensure that the person or company on the certificate is legitimate.

With this type of security, a user knows that the control is reasonably authentic, and not just someone claiming to be Adobe or IBM. He or she can also be relatively sure that it is not some modification of your code (unless your Web site was broken into and your private key was somehow compromised). While all possibilities of forgery can't be avoided, the combination is pretty effective; enough to inspire the same level of confidence a customer gets from buying "shrink wrapped" software from a store.This also acts as a mechanism for checking the integrity of the download, making sure that the transfer didn't get corrupted along the way.

IE will check the digital signatures to make sure they are valid, and then display the authentication certificate asking the user if he or she wants to install the ActiveX control. At this point, the user is presented with two choices: accept the program and let it have complete access to the user's PC, or reject it completely.

There are also unsigned ActiveX controls. Authors who create these have not bothered to include a digital signature verifying that they are who they say they are.The downside for a user accepting unsigned controls is that if the control does something bad to the user's computer, he or she will not know who was responsible. By not signing your code, your program is likely to be rejected by customers who assume that you are avoiding responsibility for some reason.

Since ActiveX relies on users to make correct decisions about which programs to accept and which to reject, it comes down to whether the users trust the person or company whose signature is on the authentication certificate. Do they know enough about you to make that decision? It really becomes dangerous for them when there is some flashy program they just have to see. It is human nature to think that if the last five ActiveX controls were all fine, then the sixth one will also be fine. Perhaps the biggest weakness of the ActiveX security model is that any control can do subtle actions on a computer, and the user would have no way of knowing. It would be very easy to get away with a control that silently transmitted confidential configuration information on a computer to a server on the Internet.These types of transgressions, while legally questionable, could be used by companies in the name of marketing research.

Technically, there have been no reported security holes in the ActiveX security implementation. In other words, no one has ever found a way to install an ActiveX control without first asking the user's permission. However, security holes can appear if you improperly create or implement an ActiveX control. Controls with security holes are called accidental Trojan horses.To this date, there have been many accidental Trojan horses detected that allow exploits by hackers.

The default setting for Microsoft IE is actually to completely reject any ActiveX controls that are unsigned.This means that if an ActiveX control is unsigned, it will not even ask the user if he or she wants to install it.This is a good default setting, because many people click on dialog boxes without reading them. If someone sent you an e-mail with an unsigned ActiveX control, Outlook Express will also ignore it by default.

[Previous] [Contents] [Next]

In this tutorial:

  1. Web Based Services Security
  2. Web Security
  3. Managing Access Control
  4. Handling Directory and Data Structures
  5. Eliminating Scripting Vulnerabilities
  6. Logging Activity
  7. Finding Rogue Web Servers
  8. Stopping Browser Exploits
  9. Web Spoofing
  10. Web Server Exploits
  11. SSL and HTTP/S
  12. HTTP/S
  13. Instant Messaging
  14. Text Messaging and Short Message Service (SMS)
  15. Web-based Vulnerabilities
  16. ActiveX
  17. Dangers Associated with Using ActiveX
  18. Protection at the Network Level
  19. JavaScript
  20. Programming Secure Scripts
  21. Understanding Code Signing
  22. Buffer Overflows
  23. Making Browsers and E-mail Clients More Secure
  24. Securing Web Browser Software
  25. CGI
  26. Resulting from Weak CGI Scripts
  27. FTP Security
  28. Secure Copy
  29. FTP Sharing and Vulnerabilities
  30. Directory Services and LDAP Security
  31. LDAP
  32. Securing LDAP