Be prepared: ActiveX attacks will persist

Flaws in the technology, poor development practice, and a large user base add up to big risks

A recent string of high-profile ActiveX vulnerabilities caused theUS Computer Emergency Readiness Team (US-CERT) to advise users to disable the ubiquitous Microsoft browser plug-in technology altogether. The vectors for these recent exploits include a third-party image uploading tool used on both the Facebook and MySpace social networking sites, and flaws found in Yahoo's Music Jukebox, Real Networks' RealPlayer, and Apple's QuickTime.

"We're seeing an increase in exploits aimed at these types of tools that are commonly used with a variety of technologies including social networking sites and multimedia players. As online crime becomes more prominent, malicious actors are taking advantage of these types of vulnerabilities to accomplish their objectives," said a spokesman at the US Department of Homeland Security, which oversees the US-CERT.

Security experts contend that there's no end in sight for attacks on the plug-in architecture.

One reason is that there are plenty of security holes in ActiveX to be exploited. But another reason is not Microsoft's fault, they say: any technology used so widely will attract hacker attacks. "There's simply a lot of software out there using ActiveX that's either preloaded or embedded that users don't even realize is there, and that's why it was necessary to make the advisory," the US-CERT spokesman said.

Although features added in Microsoft's newest Web browser, Internet Explorer 7, may help reduce the problem down the road and push attackers to move on to new targets, ActiveX will remain among the leading programs assaulted by opportunistic cyber-criminals, at least for the foreseeable future, several researchers say. After all, they say, Internet Explorer's status as the most used Web browser makes it an attractive target, just as the Windows operating system has been subject to constant attack for the past decade due to its huge market share. "When hackers spend time trying to find vulnerabilities to exploit, they want to make sure that they can affect the highest number of people," said Will Dormann, a vulnerability analyst at the Carnegie Mellon Software Engineering Institute CERT.

A juicy target that's easier to exploit

When you ask researchers which ActiveX exploits make them curl their toes in reaction, the answers don't tend to focus on specific sets of attacks but instead on the sheer volume and variety of the threats, and the vulnerabilities that allow for them.

Some of the most prominent examples of ActiveX exploits include malware attacks aimed at Microsoft's Data Access Component (MDAC) software, which was pummeled for years by a broad range of attacks, and problems with the HTML Help ActiveX control module in Internet Explorer that opened it to numerous types of attacks, most notably the Phel Trojan virus.

These well-known examples are just the tip of the iceberg for the vulnerabilities that ActiveX exposes users to. One reason is that as Microsoft fixes vulnerabilities in Windows, hackers are moving to easier targets, such as ActiveX, said Randy Abrams, director of technical education at ESET, a maker of anti-malware software. "Applications and plug-ins like ActiveX are the new low-hanging fruit so that's what's being attacked," he said.

Abrams believes that ActiveX introduces unnecessary risk in many cases, because it is typically used for nonessential purposes. "The truth is that the ActiveX problem is also based on an irrational love of fashion; it's all about adding functionality to sites and applications to make them look cool, but in actuality it's completely unnecessary," he said. "If it wasn't for this need to make things look fashionable there would be much less risk." But Abrams doesn't expect developers to throttle back ActiveX use despite its security risks: "The cat is out of the bag, and sites now compete to look visually impressive and offer better functionality."

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

InfoWorld staff

Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?