Microsoft's prior foray into mobile code development, ActiveX, continues to survive in spite of all this progress. Numerous websites still make use of ActiveX controls for games and sophisticated web interfaces, and some malware creators also use it to help deliver their damaging payloads.
An image uploader ActiveX control developed by software vendor Aurigma is garnering some headlines because of a newly discovered buffer overrun. The vendor might not be a household name, but two of its clients are: MySpace and Facebook.
Aurigma deserves commendation for addressing the news of the vulnerability with a blog post. They acknowledged the bug, gave detailed technical information on which versions were affected, and described what they have been doing to keep the control free of vulnerabilities in the future.
It's a good case study of how a blog can give a company the kind of transparency that can't be delivered through just a press release. The US-CERT website also deserves honorable mention for linking to the blog post in its vulnerability bulletin.
The discovery of the threat has renewed calls for users to disable ActiveX in Internet Explorer. US-CERT's page on securing web browsers states:
One problem with using ActiveX in a web browser is that it greatly increases the attack surface, or “attackability,” of a system. Vulnerabilities in ActiveX objects may be exploited via Internet Explorer, even if the object was never designed to be used in a web browser.

I find it both amazing and saddening that such threats are still stirring up headlines to this day. The eWeek story cited via hyperlink reminded me of a special report, amusingly titled "Microsoft's inActiveX", that c|net's news.com ran several years ago. A quick search revealed that the series of articles is still available for reading. One of the articles in the series, published two weeks shy of ten years ago, talks about how ActiveX's security issues had been a serious problem even back then.
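The US-CERT point above, that any COM object marked safe for scripting is reachable from a web page in Internet Explorer, can be checked on a machine. The following PowerShell script is an added example, not code from the original post, Aurigma or US-CERT: it lists every registered class that declares the Safe-for-Scripting category, reports whether IE's kill bit already blocks it, and shows how to set the kill bit for a vulnerable control. It assumes an elevated prompt on Windows and uses a placeholder CLSID that you would replace with the affected control's.

```powershell
# Added example (not from the original post or from Aurigma/US-CERT): audits the
# ActiveX attack surface of a Windows machine and applies IE's kill-bit mitigation.
# Assumed: run from an elevated PowerShell prompt; the CLSID passed to
# Set-ActiveXKillBit is a placeholder for the vulnerable control's real CLSID.

$CATID_SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # bit of "Compatibility Flags" that stops IE loading a control

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]($flags -band $KillBitFlag)
}

function Get-ScriptableActiveXControls {
    # Every CLSID with the Safe-for-Scripting implemented category can be
    # instantiated by a web page in IE, whether or not it was built for the web.
    if (-not (Test-Path 'HKCR:')) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    Get-ChildItem 'HKCR:\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        if (Test-Path "HKCR:\CLSID\$clsid\Implemented Categories\$CATID_SafeForScripting") {
            [pscustomobject]@{
                CLSID   = $clsid
                Name    = (Get-ItemProperty "HKCR:\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
                Server  = (Get-ItemProperty "HKCR:\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                KillBit = Test-ActiveXKillBit -Clsid $clsid
            }
        }
    }
}

function Set-ActiveXKillBit {
    # Mitigation for a vulnerable control: set the kill bit so IE refuses to load it.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ([int]$current -bor $KillBitFlag) -Type DWord
}

# Usage: show scriptable controls that IE will still load, then block one by CLSID.
Get-ScriptableActiveXControls | Where-Object { -not $_.KillBit } | Format-Table -AutoSize
# Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'   # placeholder CLSID
```

The list is the attack surface US-CERT describes; a kill bit removes a single control from it without disabling ActiveX for the whole Internet zone.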
Another article in the series, an analysis of a reader poll on ActiveX's future, paints a picture of optimism that is painfully funny in retrospect. Quoting from the article:
When asked "Does ActiveX have a future as a Web development tool?" almost three-quarters of the respondents scoffed at the possibility of ActiveX living a useful life much longer. Microsoft (MSFT) itself has shied away recently from using the term ActiveX for its overall distributed computing strategy, shining its marketing spotlight instead on COM, its component object model.
Most readers, 72 percent, forebode a gloomy, at best, future for ActiveX, citing shoddy security and the technology's dependency on Windows. "Too slow" and "too complex" were other shortcomings on ActiveX's resume, respondents said.

As we see from today's headlines, ActiveX is still used out there, in very large numbers.