ACTIVEX AND SECURITY

Recently, there has been a rash of problems created by programs that Hijack Your PC. The programs can come from sites you visit and yes, sites can do this to your PC, using ActiveX. For related information and removal methods, please see SpyWare and spywareinfo.com.

"ActiveX is a danger. It's dangerous because of the basic nature of ActiveX, not because of a simple bug here and there. ActiveX is the same thing as OLE. Microsoft has repeatedly stated that ActiveX is OLE renamed. ActiveX/OLE is simply a Microsoft Windows software component. What does that mean? Well, it means an ActiveX control is essentially a Windows program that can be distributed from a web page. These controls can do literally anything a Windows program can do. That means you could write an ActiveX control to erase a hard drive. A control containing a virus or Trojan can be written, distributed, and activated from a web page, and the viewer of the control might never know. A control could even scan your drive for tax records or documents the control's author was interested in, and e-mail them off to some other person. All this can be done in a control that pretends to be something interesting, like a video game."1

Why is activex so dangerous that you have to increase the security for it? When your browser runs an activex control, it is running an executable program. It's no different from double clicking an exe file on your hard drive. Would you run just any random file down loaded off a web site without knowing what it is and what it does?

You can test your browser's ActiveX settings by going to my GeoCities site that tests the use of Server Side Include (SSI) code on GeoCities. If your browser's ActiveX settings are Enable you will see a white box with a blue line around it about 1/2 way down the my GeoCities page. If you don't see this box, then your browser's ActiveX setting are very secure, i.e. probably all set to Disable.

The key to preventing ActiveX control of your PC is to do the following.

  1. Use TOOLS > INTERNET OPTIONS > SECURITY to get to this window for the Internet. You can do the same for other security settings, i.e. Local Intranet, Trusted Sites, and Restricted Sites, but increase the security by setting all AciveX to Disable or Prompt.

  2. Click on the Custom Level.

  3. Recommended settings are:


1 - http://www.halcyon.com/mclain/ActiveX/Exploder/FAQ.htm