Security Risks of ActiveX

Discussion in 'other security issues & news' started by Zorak, May 27, 2011.

Thread Status:
Not open for further replies.
  1. Zorak

    Zorak, Registered Member (Joined: Jan 2, 2010; Posts: 182; Location: Australian Capital Territory)

    Where does the major security risk lie in the use of ActiveX? Is it the possibility of downloading an unsafe/malicious ActiveX Control? Or is it the chance of an existing add-on being exploited?

    I ask because I am considering the use of ActiveX Filtering in IE9, but wonder if it is worth the trouble? I am bound to cop complaints from my family members if I force them to start choosing which websites can run ActiveX (and they will probably just allow everything anyway :p ). The downloading of unsigned ActiveX Controls is already disabled and everyone operates as a standard user under a software restriction policy.

    With my existing setup can I assume no unsafe add-ons can be downloaded and run, therefore the only risk lies in exploitation of already installed add-ons?
     
  2. Spysnake

    Spysnake, Registered Member (Joined: Apr 11, 2009; Posts: 189)

    To my understanding, the main problem with ActiveX implementation is that after it is allowed, it can run remote code on your computer.

    I haven't seen any useful applications for ActiveX since Windows XP's update site. Maybe some antivirus companies still use it for online scanning, but really, you can pretty much block all ActiveX. Or does your family have some specific use for it?
     
  3. elapsed

    elapsed, Registered Member (Joined: Apr 5, 2004; Posts: 7,076)

    Don't turn on ActiveX Filtering for families. Even if you try and teach them how to use it, they will still forget. It's a very bad idea that will simply result in headaches for you come later when they complain that YouTube/etc. isn't displaying their Flash videos.

    There's just as much chance of installing a malicious ActiveX control as there is a Firefox addon. Both offer popups and both offer strict warnings on unofficial sources. You'd have to try pretty hard to install one. You also have the advantage of malware domain blocking in browsers which will block sources of malicious files/addons/etc.

    In summary, I wouldn't worry about it.
     
  4. Zorak

    Thank you both for your input. As often happens around here we get two completely opposite recommendations, but I still appreciate them both :)

    Providing a family with internet access does mean balancing security with functionality and unfortunately they can't be relied upon to always make the correct decisions when offered choices. This is why I try to remove as many security related decisions from them as possible by relying on OS hardening measures rather than running multiple software solutions.

    We've survived many years without ActiveX filtering so I'm probably inclined to just keep things as they are, unless someone has a horror story to tell!
     
  5. elapsed

    Good practice. I install EMET on all machines that come through me and add internet facing applications such as the browser and PDF reader.

    I see you have EMET in your signature so you've probably already done it, but if not, I'd definitely install EMET on their machine(s) and add iexplore.exe (Internet Explorer's executable) and whatever PDF reader you've installed.
     
  6. Zorak

    I've only recently added EMET but so far so good, nothing seems to have been broken. I added all the programs listed at http://www.rationallyparanoid.com/articles/microsoft-emet-2.html plus javaw and javaws. Have heard that Java updates don't always work when EMET'ed, so am waiting for an update to test it.

    I would never have heard of things like SRP, EMET etc. without Wilders, you guys (and gals) have been a goldmine of information!
     
  7. J_L

    J_L, Registered Member (Joined: Nov 6, 2009; Posts: 8,738)

    Java updates don't work if you have DEP Always On or Maximum Security Settings. Application Opt Out works fine.
     
  8. Zorak

    Thanks for the info, J_L. I do have DEP at opt-out so should be good to go!
     
  9. tlu

    tlu Guest

    I haven't used IE in years, so forgive my question: Since when is ActiveX needed to view Youtube videos?

    But as a Firefox user you can simply follow the rule to install addons only from AMO, and you're safe. ActiveX, on the other hand, can be anywhere - the user is much more tempted to allow them.
     
  10. elapsed

    Filtering ActiveX does just that, stops ActiveX controls from loading, preventing Flash loading on YouTube/etc., hence the bad idea.

    You can practice the exact same approach with IE. http://www.ieaddons.com

    Err, Firefox addons "can be anywhere" too. How exactly is the user tempted to install an unofficial addon/x control considering all the warnings that show?
     
  11. tlu

    I'd rather say it's a bad idea that an ActiveX control is needed at all just to view Flash videos.

    Is anybody practising that?

    Because ActiveX controls are often embedded in the HTML code of websites as active content used for animations, obviously Flash videos (see above) etc. FF addons don't work that way. They are not needed to make a website "work".
     
  12. elapsed

    You make the assumption that no one would practice this yet also make the assumption Firefox users would practice going to their addon site? Riiight.

    Since when were ActiveX controls needed to "make a website work"? They can work fine without them. The only time I've needed to unblock ActiveX was for Flash content. If you're talking about Flash in specific, that can hold true for any browser.
     