ActiveX Controls - Yes or No?
Had a few reasons to wonder if ActiveX is a good thing or a bad thing. There are some warnings from MS about this but then MS don't always have a lot to shout about these days.............
Anyway, good or bad please. |
It depends.
"I've been doing some ActiveX coding on the side for a couple days, stuff I'm not familiar with, and I'm just flat out _appalled_ at how bad that entire API and design is. I can make an OCX that basically formats your hard drive, stick it on a Web page with a tag, and if your security settings are set low enough, you'll start formatting your hard drive the minute you visit my Web page."

But the key point there is the caveat if your security settings are set low enough. An OCX can do pretty much anything that a conventional application can do - if the user allows it. By default ActiveX is limited (although it has a history of security flaws that break through some of the limitations) but with XP/SP2 it's fairly well locked down unless you decide otherwise. You can give it greater access if you must, and that offers some scary possibilities - including, ultimately, the chance for a webpage to format your hard disk - but is that really any different from logging on with administrator access (as most XP users will) and double-clicking an application that you've just downloaded (Kazaa, for example?). By double-clicking you've just given the application permission to do what the hell it likes to your system.

Me? I turn it off completely. If a website requires me to use ActiveX, I'll go elsewhere :) |
Ok, as a bit of a novice in all this, what do I have to do to 'disable' it please?
Cheers, mcdhu |
In Internet Explorer, do Tools -> Internet Options, then pick Security, Custom Level and set anything related to ActiveX to disable (off) or prompt (you get asked before anything runs).
If you're not using Internet Explorer, you don't have to worry :) |
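The entries under Custom Level are stored per zone in the registry, so they can be checked without clicking through the dialog. The script below is an added example, not part of the original post; it assumes PowerShell on a Windows machine and only reads the current user's values for the Internet zone.

```powershell
# Added example: report the ActiveX settings of IE's Internet zone (zone 3)
# for the current user. Read-only; it changes nothing.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Registry value names (URL action IDs) behind the ActiveX entries in Custom Level.
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

# DWORD data for each action: 0 = Enable, 1 = Prompt, 3 = Disable.
$states = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneAudit {
    param([string]$Path = $zonePath)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($id in $actions.Keys) {
        $raw = $props.$id
        if ($null -eq $raw) {
            $state = 'Not set for this user'
        } elseif ($states.ContainsKey([int]$raw)) {
            $state = $states[[int]$raw]
        } else {
            # Any other data (for example an administrator-approved mode).
            $state = 'Other (0x{0:X})' -f $raw
        }
        [pscustomobject]@{
            Id      = $id
            Setting = $actions[$id]
            State   = $state
            # A control that downloads or runs without asking is worth a look.
            Review  = ($state -eq 'Enable')
        }
    }
}

Get-ActiveXZoneAudit | Format-Table -AutoSize
```

Machine-wide policy can override these per-user values, so read the output as the user's own setting rather than the effective one.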
"By default ActiveX is limited (although it has a history of security flaws that break through some of the limitations) but with XP/SP2 it's fairly well locked down unless you decide otherwise."

The big difference between ActiveX formatting your hard drive and you downloading a program that does it is that with one the only action that is required of you is to open the webpage. The other at least gives your anti-virus program a chance to catch it. Either way I too avoid webpages with ActiveX, except for the Windows Update Page.

goates |
Has there ever been a level of Windows with an ActiveX exploit so severe that it allowed an arbitrary operating system command (e.g. format c:) to be executed on an unmodified, unpatched system?
It's not just an ActiveX thing. Java can kick off an arbitrary process (Runtime.exec()) which could also format your disk if it was given permission to do so. Ultimately any environment will allow bad things to happen if the user says they can. I guess the difference is that it's much harder for the user to change Java permissions than ActiveX permissions, ActiveX has traditionally had more holes and the Windows 'everyone's an administrator' way makes it much easier for an ActiveX exploit to do things it shouldn't. A standard Unix user can't format the disk, even if the webpage they're looking at issues the command to do so. |
True, you can do similar things with Java but, as you said, ActiveX has a terrible security track record. The formatting hard drive point is a very extreme example. Hackers have found it relatively easy to use security holes to install all kinds of junk on to Windows PCs. Until the recent XP patches, IE was quite happy to just install a plugin without notifying the user under the default security settings.
I still don't really understand why you need to give a web browser the ability to install software or format a hard drive. Sure it can be convenient, but downloading and installing plugins manually doesn't take much time at all. And you only need to do it once when you install the web browser. Microsoft has had some good ideas. They just have trouble with implementing them. |
"I still don't really understand why you need to give a web browser the ability to install software or format a hard drive."

The real problem with ActiveX security is that there pretty much isn't any ActiveX security. It wasn't really necessary when it was OLE. There are two things you can do about that - one is to impose restrictions on what ActiveX can do (i.e. by turning it off) and the other is to sign ActiveX controls so you know they're trusted. Unfortunately code signing doesn't work too well - both because Windows can be told to autoexecute signed ActiveX controls regardless of who signed them, and also because just about anybody can get a certificate in any name they pick (for example, someone was recently issued a certificate named as Microsoft Corp.). So the best thing to do is turn it off.

Incidentally, I found one example of a webpage that included a signed ActiveX control that would autoexecute and shutdown Win95, so you can do some annoying things with it. |
There is an improvement now that I have switched them off! But.........now McAfee viruscan doesn't work on the outbound mails.
|
Since then I have involuntary shutdowns...........re-boots one after the other. Tried system restore when it did 'hold' but while away from the machine it froze.
A msg comes on the screen often! "The system has recovered from a serious error." The log shows the following:

C\DOCUME~1\DONDAI~1\LOCALS~1\Temp\WER0bbb.dir00\Mini031905-15.dmp
C\DOCUME~1\DONDAI~1\LOCALS~1\Temp\WER0bbb.dir00\sysdata.xml

Anyone help please?? |
|
Thanks M.
It seemed to work but it all went pear shaped again. I have grave doubts about suddenly changing the status quo. I somehow think there might be a driver problem. I also got 3 blue deaths and used safe mode which enabled me to go to a point this morning where system restore took me. Straight back in!!!!!! Glory be. Just about to go walkies for new updates of software. Something I reckon must be done now and again! PPP |
After saying the above I had over two hours of booting and re-booting. All initiated on its own. I also had three or four blue screens. I did system restore a few times, once successfully, but mainly just sudden shut-downs.
I tried safe mode and even had shut downs then! I tried removing software I had installed over the past week and followed the link BOAC supplied and did everything (I think) it suggested because of the "Serious Error". Still it shut down on its own. Finally, I went to bed thoroughly fed-up. I booted this morning and after a fairly lengthy start-up it went first go. I had a "Serious Error" again, but closed that, and everything appears to be working OK - so far - fingers crossed - an' all that. What caused it? Was it shutting down ActiveX, which is now re-instated by system restore? Any suggestions, because I honestly believe that fundamentally the machine is fine. What is this Serious Error? The same log as before, in my post above, still appeared even though I have deleted the whole of the "minidump" folder. But I can't find the other apparent culprit "sysdata.xml".

Frustrated of Surrey! |
Thanks S2.
I am scared to shut it down at the moment. It is still going and ACTUALLY faster than it did before! Maybe that suggests corrupt software - which I have removed. But people have told me of this menace of "Serious Error". I mean, if the machine "recovered" why does it cause so many problems? |
"What caused it? Was it shutting down ActiveX, which is now re-instated by system restore? Any suggestions, because I honestly believe that fundamentally the machine is fine."

Have you seen http://support.microsoft.com/default...;EN-US;q317277 |
The link to MS is useful if you haven't loaded SP1 apparently. I have and it didn't 'catch' it.
However, all seems to be well after I emptied the minidump folder/files in Windows on a bit of advice. It cleared the problem right away. MS do refer to it in the link too. Anyway, all is well but it was a "serious" pain. |