What, exactly, is ActiveX?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I've been getting a lot of messages lately saying "page cannot be displayed
properly"....something like that. Telling me I should download ActiveX.

When I click on 'what is this?'...it says it could be dangerous to
download...blah, blah, blah....I'm sure you know what I'm talking about.

What is ActiveX? When should I and when should I not download?

Thanks!
 
Think of it like an Active Executable. Normally, a web page just shows
you content (Weather, Plane Schedules..) An ActiveX component is a
little program that downloads to your PC in C:\Windows\Downloaded
Program Files. Once installed that Web site can now "Do Something",
like scan your PC for Malware or Viruses. Prior to SP2, web sites
could do "Drive-By Installs" putting ActiveX onto your PC without
the user's permission. That's why IE now has the Information Bar to be
able to alert a user that a web site requires ActiveX and you must give
the site permission to download/install the component.
 
ActiveX is an outgrowth of two other Microsoft technologies called OLE
(Object Linking and Embedding) and COM (Component Object Model).
If you trust the website, it should be ok, however, ActiveX is not known for
its great security, many virus, spyware, adware can be execute via a activex,
but active access is also necessary for many web pages to run correctly.

Go to tools>internet options and select the security tab. Then select
custom, here you can configure how your browser deals with activeX, ie sign,
unsigned, etc.
 
In A had this to say:

My reply is at the bottom of your sent message:
I've been getting a lot of messages lately saying "page cannot be
displayed properly"....something like that. Telling me I should
download ActiveX.

When I click on 'what is this?'...it says it could be dangerous to
download...blah, blah, blah....I'm sure you know what I'm talking
about.

What is ActiveX? When should I and when should I not download?

Thanks!
Click to expand...

http://www.google.com/search?hl=en&q=define:activex

Depending on where you are you probably don't want to download the ActiveX
content. Basically, when I'm in that mode, I wait and see if a) it's a site
I trust and b) it's a control needed for the functionality that I desire to
be accomplished on that site. If the answer isn't yes to both I block it.

--
Galen - MS MVP - Windows (Shell/User & IE)
http://dts-l.org/
http://kgiii.info/

"We approached the case, you remember, with an absolutely blank mind,
which is always an advantage. We had formed no theories. We were simply
there to observe and to draw inferences from our observations." -
Sherlock Holmes
 
many thanks to you all...therefore, it would be safe to download ActiveX from
sites such as SBC Yahoo Mail, Verizon Wireless....well-known sites?

:)
 
On Wed, 18 Jan 2006 16:46:02 -0800, ERICCASEY
ActiveX is an outgrowth of two other Microsoft technologies called OLE
(Object Linking and Embedding) and COM (Component Object Model).
If you trust the website, it should be ok
Click to expand...

You may "trust" a site to "show you data" but not to "drop and run
programs on my computer". It's like you may trust someone to speak to
them on the phone, but not to let them into your house.

When you "look at a web site", you think you are taking the small risk
of "viewing data". ActiveX is one of several technologies that
escalate this risk to "allow site to program my computer", others
being the Internet JavaScript and Java standards, and Microsoft's
Visual Basic Script as IE-specific risk.

Java has the concept of a "sandbox", so that ostensibly, the dropped
program is limited in what it can do. However, there are a constant
stream of defects found that allow Java to act outside the sandbox, so
if you have Java installed, you are obliged to keep it updated. Sun's
Java doesn't remove old exploitable engines when new ones are
installed, so you have to manually rip those out via Add/Remove
Programs; today's version is 1.5.006b.

Scripts are supposed to have some limitations on what they can do,
too, but I don't store much trust in this.

ActiveX has no limit on what it can do at all. If you create an
ActiveX control (which is basically executable code that is designed
to be automated from one system to another), it's up to you to mark it
as not "safe for scripting" if it has unsafe possibilities. Needless
to say, few ActiveX vendors bother to do this, and no attacker
dropping a hostile ActiveX is going to do this - so "limits" such as
"don't allow controls to do if not 'safe for scripting' " are useless.

SP2 brings some belated clue to the risks of ActiveX, but you still
have to allow or block an ActiveX control without having the faintest
notion of what it would actually do if run. No "sandbox" there.

It's as the tagline says...


------------ ----- --- -- - - - -
Click to expand...
Drugs are usually safe. Inject? (Y/n)
 
Thanks so much....I guess I don't know computers as much as I thought. I've
decided, because of that, I won't download any AciveX files.

My computer has been running fine without the files, so I'll leave it at
that.

have a great weekend!
 
On Fri, 20 Jan 2006 04:47:04 -0800, "Annie"
many thanks to you all...therefore, it would be safe to download ActiveX from
sites such as SBC Yahoo Mail, Verizon Wireless....well-known sites?
Click to expand...

Maybe. Depends on...
- whether you really are where you think you are ( [*1] )
- what that site's motives are
- what that site's scripting quality is like (bugs can bite)
- what other sites tunnel through the site (banner ads etc.)

Personally, it is very, very rare that I would want a web site to
program my PC - so rare, that I enter such sites into IE's Trusted
Zone, and block most "active content" everywhere else.

[*1] Consider:
- HOSTS re-direction
- active re-direction via LSP hooks or other malware techniques
- misleading URL syntax
- misleading text that overlies the actual link (an HTML risk)


---------- ----- ---- --- -- - - - -
Click to expand...
Don't pay malware vendors - boycott Sony
 
In cquirke (MVP Windows shell/user) had this to say:

My reply is at the bottom of your sent message:
On Fri, 20 Jan 2006 04:47:04 -0800, "Annie"
many thanks to you all...therefore, it would be safe to download
ActiveX from sites such as SBC Yahoo Mail, Verizon
Wireless....well-known sites?
Click to expand...

Maybe. Depends on...
- whether you really are where you think you are ( [*1] )
- what that site's motives are
- what that site's scripting quality is like (bugs can bite)
- what other sites tunnel through the site (banner ads etc.)

Personally, it is very, very rare that I would want a web site to
program my PC - so rare, that I enter such sites into IE's Trusted
Zone, and block most "active content" everywhere else.

[*1] Consider:
- HOSTS re-direction
- active re-direction via LSP hooks or other malware techniques
- misleading URL syntax
- misleading text that overlies the actual link (an HTML risk)


---------- ----- ---- --- -- - - - -
Click to expand...
Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -
Click to expand...
Click to expand...

Absolutely, I believe strongly in minimal required permissions. When you
allow an unknown element to alter the code on your system and run at the
same level of permissions that your account has then you are engaging in
risky behavior. Decide what you want to do, know the risks you take, weigh
them both carefully, and then make your choice based on the ends justifying
both the risk and the gain. Education and awareness, bar none, beat any
application available.

--
Galen - MS MVP - Windows (Shell/User & IE)
http://dts-l.org/
http://kgiii.info/

"We approached the case, you remember, with an absolutely blank mind,
which is always an advantage. We had formed no theories. We were simply
there to observe and to draw inferences from our observations." -
Sherlock Holmes
 
Back
Top