Is Active-X really so bad?

[Jackeline D]

In my house we like to download to Yahoo LAUNCH music video clips.
http://launch.yahoo.com/. I use IE because Firefox and Opera do
not work on sites like this.

Following some warnings about Active-X I went to IE > Tools >
Internet Options > Security > Custom level > and set the following:

(1) Download signed Active-X controls - PROMPT
(2) Download unsigned Active-X controls - PROMPT
(3) Initialize and script Active-X controls not safe - PROMPT
(4) Run Active-X controls and plug-ins - PROMPT
(5) Script Active-X contols marked safe for scripting - PROMPT

The result now is that Yahoo LAUNCH (and other web sites) are
almost unusable because some message pops up asking if I approve of
this or that to do with Active-X.

I would *never* accept a program via Active-X whether it is marked
as safe or not. So do I really need to switch off all these
Active-X options in order not be be exposed to some danger?

---

As a bit of background, I found this:
http://www.cs.princeton.edu/sip/java-vs-activex.html
"The main danger in ActiveX is that you will make the wrong
decision about whether to accept a program."

Is that the main danger? That's all? I can live with that!

But is that site incorrect in what it suggests? Another site says:
"some security experts say ActiveX does not deserve its bad
reputation".
http://www.newsfactor.com/story.xhtml?story_id=20390

So mayb eit is all overstated by some people?

Can you folks here please advise me on how to proceed. Should I
set (4) about to ACCEPT? Or instead should I use the "trusted
sites" feature in IE? Or both? Or something else?

Thanks!

 

[Lanwench [MVP - Exchange]]

Add the site(s) to your IE Trusted Sites - does that help?

 

[kulm_nd]

Have you added Yahoo to your TRUSTED zone? Beware of unknown sites if you
turn on ActiveX but you can have some Trusted sites to avoid having to ok
scripts and ActiveX.

 

[billh]

In my house we like to download to Yahoo LAUNCH music video clips.
http://launch.yahoo.com/. I use IE because Firefox and Opera do
not work on sites like this.

Following some warnings about Active-X I went to IE > Tools >
Internet Options > Security > Custom level > and set the following:

(1) Download signed Active-X controls - PROMPT
(2) Download unsigned Active-X controls - PROMPT
(3) Initialize and script Active-X controls not safe - PROMPT
(4) Run Active-X controls and plug-ins - PROMPT
(5) Script Active-X contols marked safe for scripting - PROMPT

The result now is that Yahoo LAUNCH (and other web sites) are
almost unusable because some message pops up asking if I approve of
this or that to do with Active-X.

I would *never* accept a program via Active-X whether it is marked
as safe or not. So do I really need to switch off all these
Active-X options in order not be be exposed to some danger?

---

As a bit of background, I found this:
http://www.cs.princeton.edu/sip/java-vs-activex.html
"The main danger in ActiveX is that you will make the wrong
decision about whether to accept a program."

Is that the main danger? That's all? I can live with that!

But is that site incorrect in what it suggests? Another site says:
"some security experts say ActiveX does not deserve its bad
reputation".
http://www.newsfactor.com/story.xhtml?story_id=20390

So mayb eit is all overstated by some people?

Can you folks here please advise me on how to proceed. Should I
set (4) about to ACCEPT? Or instead should I use the "trusted
sites" feature in IE? Or both? Or something else?

Thanks!

Short answer is that if you only go to reputable sites you aren't likely to
have a problem. I have browsed with ActiveX on for years using MS Internet
Explorer and haven't had trouble. However, I stay away from seedy sites,
cracker sites etc. Unfortunately it only takes one rogue site and you'll
have a problem. I regularly run Adaware6, Spybot and a anti-virus program.
The only thing I regularly find are some dull tracking cookies.
Billh

 

[Gary]

Install Spyware Blaster from here
http://www.javacoolsoftware.com/spywareblaster.html and use the Immunize
feature that comes with Spybot and that will keep tracking cookies and also
from any site from hijacking your browser.

 

[Peter Rossiter]

Short answer is that if you only go to reputable sites you
aren't likely to have a problem. I have browsed with ActiveX
on for years using MS Internet Explorer and haven't had
trouble. However, I stay away from seedy sites, cracker sites
etc. Unfortunately it only takes one rogue site and you'll
have a problem. I regularly run Adaware6, Spybot and a
anti-virus program. The only thing I regularly find are some
dull tracking cookies. Billh

But what exactly is it that might happen to their PC if they go to
a rogue site?

 

[Leythos]

But what exactly is it that might happen to their PC if they go to
a rogue site?

A PC that is not properly patched, even without active-x controls, will
run the risk of being compromised by back-doors, droppers, etc...

If you visit new sites with Internet Security set to "Highest" you stand
a much better chance of NOT being compromised.

I've seen sites open shell apps that can actually run code at the users
privileges level on their system, you should always run as a User level
account on a Windows box when not performing administration functions.

 

[Mailman]

But what exactly is it that
might happen to their PC if they go to a rogue site?

An ActiveX control is a bit like a Java applet, but it is a real
(executable) program. That means that it runs with the exact privileges of
whatever user is logged-in, but without the protection offered by the Java
sand-box (which is pretty good, even if not perfect).

I leave the rest to your imagination.

 

[Peter Rossiter]

An ActiveX control is a bit like a Java applet, but it is a
real (executable) program. That means that it runs with the
exact privileges of whatever user is logged-in, but without
the protection offered by the Java sand-box (which is pretty
good, even if not perfect).

I leave the rest to your imagination.
--

Can such a program run automatically or does the user have to click
something to allow it to run?

 

[Rob Schneider]

Runs automatically if that's how you've setup IE. YOu can ask IE to ask
your permsision to run ActiveX programs when it detects them, but it
doesn't explain to you what it will do or anything.

Hope this is useful to you. Let us know.

rms