ActiveX bugs pose threat to Vista, Microsoft reports

Company's security work pays off, but third-party browser add-ons still a problem

Stathakopoulos defended ActiveX, but acknowledged that it was impossible for Microsoft to police its technology. "You have to enable [add-on] development for the browser," he said. "The question is, how do you extend the browser and at the same time provide guidance to developers on how to write secure [ActiveX controls]?"

The problem is especially evident in China, whose users accounted for 47 percent of all victims of browser-based attacks during the first half of 2008, according to Microsoft. Stathakopoulos blamed Chinese developers for contributing to the ActiveX issue. "I think it's a combination of developers who don't have good security discipline, and [the Chinese market] being a very large target," he said, explaining why Microsoft thought China was hit particularly hard by browser attacks.

US users accounted for 23 percent of all victims of browser-based exploits.

Microsoft is doing more to help developers write more secure code, Stathakopoulos said. In September, the company unveiled a for-fee program, dubbed "SDL Pro Network," where service provider partners consult with businesses to help them apply Microsoft's Security Development Lifecycle practices. Microsoft will also release a pair of free-of-charge tools distilled from its SDL work this month.

He also argued that the company's work to lock down ActiveX in IE was paying off. IE7, for example, blocks many ActiveX controls by default, and requires the user to explicitly agree to their operation. The still-in-beta IE8, meanwhile, has introduced additional ActiveX security features, including the ability to restrict controls to specific domains -- an enterprise intranet, for example.

Symantec's report earlier this year, however, disputed the idea that Microsoft's efforts had done much good. IE7, said Symantec in April, had not had a significant impact on the number of ActiveX vulnerabilities.

"We're going to try to help third-party developers write more secure code," said Stathakopoulos. "But it will be a long, drawn-out problem."

Microsoft's most recent security report can be downloaded from the company's site.

Gregg Keizer

Computerworld