Is ActiveX safe?

We are asked by many school and government entities if we include ActiveX controls. We do not.

Here is why:
We highly value our clients' security and project data, and we want to keep it intact without fear of that data being exploited. We use cloud-based, role-based security for our clients and have had zero exploits, hacks, or nefarious abuses of our client servers or data in our 20+ year history.

Let's talk about ActiveX and why Projectmates chooses not to employ it. ActiveX is a Microsoft software framework that incorporates several of Microsoft's earlier technologies. It was created for network and World Wide Web use.

The Microsoft team recently explained in a blog post why ActiveX existed:

  • ActiveX is a binary extension model introduced in 1996 which allowed developers to embed native Windows technologies (COM/OLE) in web pages. These controls can be downloaded and installed from a site and were subsequently loaded in-process and rendered in Internet Explorer.

Moreover, with consistent Microsoft Edge updates, here's why it is not needed anymore:

  • The need for ActiveX controls has been significantly reduced by HTML5-era capabilities, which also produces interoperable code across browsers. Microsoft Edge will support native PDF rendering and Adobe Flash as built-in features rather than external add-ons. We recently demonstrated our early work on a modern, HTML/JavaScript-based extension model to provide extensibility beyond what is available with HTML5. We will enable this new design after our initial release of Microsoft Edge this summer, and we look forward to sharing more details soon.

Introduced in 1996, ActiveX was controversial from the start: although it supported more programming languages than JavaBeans, critics were quick to point out its security issues.

One flaw is trust. The first line of defense is the user trusting the author: the security model ActiveX relied on amounted to identifying a "trusted" component developer who had paid for a subscription and promised not to develop malware.

In 2008, a vulnerability in an ActiveX control was exploited; it posed a serious risk because the control was digitally signed by Microsoft. The danger of relying on signature authentication is that any computer pre-configured to trust ActiveX controls signed by Microsoft ran the exploit automatically when it encountered one on a web page.

"As is the case with most of these ActiveX attacks, they are being served by traditional Web sites that have themselves fallen victim to automated SQL injection attacks," Hittel wrote on a Symantec forum. "In the past, we have seen government, commercial, and hobby sites fall victim to these SQL injection attacks and subsequently begin serving exploits to each of their visitors."

Once a "trusted" component was installed, it was also given full permissions in the browser, meaning that any bug in its code (whether put there maliciously or not) was a potential security issue.

ActiveX's great claim to fame was the flexibility it offered, predominantly for creating web browser add-ons. That same flexibility, however, is also one of its greatest flaws, and one that hackers have used to exploit it.

Another serious threat is that the code runs as 100% native code on the client system. Once installed, it can perform literally any action on the client's system.

Microsoft has stated that ActiveX will no longer be supported by Microsoft Edge, because HTML5-era capabilities have significantly reduced the need for it going forward.

Microsoft has also stated that dropping ActiveX support will make the browser more secure: shifting to HTML/JavaScript-based extensions limits the access extensions have, closing off the main avenues of exploitation hackers had used to gain unhindered access to a user's browser or operating system.

"We haven't set a marker in the future. But ending support is definitely the direction we're moving. We want to provide a transition time for our customers to get off these old technologies; we don't know exactly how long that will take," said Charles Morris, Principal Program Manager Lead at Microsoft Edge.

In addition to Microsoft dropping ActiveX support, South Korea announced that in 2017 it had identified the need to get rid of obsolete technology and was removing ActiveX from 90 percent of the country's popular websites. President Moon Jae has pledged to abolish ActiveX downloads on all government websites in order to catch up with global cybersecurity standards.

There is a better way to protect your data without taking the chance of exposing your information. ActiveX worked well initially for browser add-ons; however, its potential for abuse and its lack of ongoing support are the main reasons Projectmates chooses not to use it.

Using role-based security on a cloud-based server guarantees total control and protection of your data.
