Anything to miss with ActiveX?

Discussion in 'other security issues & news' started by Jimbob1989, Mar 19, 2005.

Thread Status:
Not open for further replies.
  1. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    Just before I changed over to FireFox, I was told that FireFox did not support ActiveX and I was told that the only sites that used ActiveX were Microsoft sites and Porn sites, however I have had no problems using either of the sites with FireFox :D

    What exactly is ActiveX used for and how come I haven't noticed any difference?

    Jimbob
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    You were definitely misinformed. Just one of many examples....manyyyy sites have ActiveX component HTML code on their respective sites in order to display a Macromedia Shockwave file.

    ActiveX Controls (Internet Explorer - ActiveX Controls)
     
  3. True, which is exactly what makes disabling ActiveX in IE so problematic, you get that irritating error message.

    While you are technically correct that sites using Shockwave require ActiveX if you are using IE, this is not true if you are not using IE, since Firefox, for example, can display Shockwave fine without ActiveX as long as you have the right plugin.

    After all in the end, what the user wants to know is whether he will miss the lack of ActiveX functionality in firefox and for the example you raise, the answer is no.
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Couldn't agree more.

    This is no excuse....but I did overlook the part where Jimbob was specifically asking about Firefox. It's another fine example of me not needing to answer such technical questions while having first cup of coffee :( :doubt: :blink:

    My answers can then be stricken from the record since they concerned Internet Explorer only :cool:
     
  5. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    ActiveX controls are used when there is a requirement for extensive programmatic interaction with the user or the user's computer... interaction that requires greater control than is available via Javascript. The reason that you may not have noticed any difference is two-fold:
    1. not all of a site, say, microsoft.com requires an ActiveX control, rather only certain individual web pages within a domain (eg, the Windows Update portion of Microsoft's site); and

    2. programmers and publishers are aware that some people choose not to run a browser that supports ActiveX and so they often will implement their code in some backup-plan version that utilizes a more traditional NetScape-type "plug-in" approach or a Java applet or the like.
    Here are some examples of sites and utilities that utilize ActiveX controls:
    • Microsoft Windows Update (used for manual web visits to Windows Update, but I don't believe required for background Automatic Updates to work)
    • Microsoft Genuine Windows Validation Tool (increasingly used as a checkpoint prior to allowing you to download Microsoft add-ons)
    • Microsoft Office Update (for updating MS Office, of course)
    • Microsoft Platform SDK Update (for updating the Microsoft Software Development Kit)
    • Microsoft MSN Money Charting Tool (for more elaborate stock charts)
    • Microsoft Beta Code Download Control (for downloading non-public Beta code)
    • TrendMicro HouseCall (online virus scanning engine)
    • Symantec SecurityCheck (online security/virus scanning engine)
    • Sun Java Runtime Environment* (for running Java applets)
    • Macromedia Shockwave/Flash* (for displaying animated websites)
    • Apple Quicktime* (for displaying movies in a browser)
    • Apple iTunesDetector Class* (something to do with iTunes, do'h ;) )
    The ones marked with an asterisk are also implemented in alternative methods such as plug-ins, I believe. It's just that the ActiveX method is the most efficient vehicle for coding these types of web applications for users that have IE and ActiveX... but as I said earlier publishers like Sun, Macromedia, and Apple are well aware that many people use browsers that don't support ActiveX. The above is, of course, far from an exhaustive or complete list, but it should give you an idea of the types of things utilizing ActiveX. Primarily they are scanning utilities or browser enhancers of one sort or another.
     
  6. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    One addition to Alec's list, and there are probably significant other ones as well.

    If your bank offers online services, quite often you'll need ActiveX for that. I deal with one of the largest banks in Canada, and their "Easy-Web" won't accept anything except IE. So it's one of the places I do have to grit my teeth and use IE even if Firefox works fine elsewhere.
     
  7. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    In other countries the situation is different. Most online banking in The Netherlands is secured by using one time passwords, using a smartcard with pincode and a calculator, or by using TAN-code lists (a physical list with unique codes that need to be entered to authenticate any transaction), or by using SMS authentication instead of the TAN-codes. Of course any connection is secured by SSL.
    In Anglo-Saxon countries the situation is different and in most situations only user id - password authentication is used and security must be added by using ActiveX (strange this :)).
    A positive side effect of not using ActiveX in favor of Strong Authentication is that here phishing attacks related to online banking are nonexistent because of the security measures taken by implementing one time passwords and strong authentication.

    Firefox is fully functional for me, except for WindowsUpdate. Also online virus and trojan scanners rely on ActiveX.

    In my opinion ActiveX is used on many occasions because of the ease of programming: Visual Basic is all that's needed to create a custom control.

    The biggest threat to me is not only that ActiveX runs as a system-like component, but that it is software that you get without knowing the purpose, the design, the level of testing and quality assurance that we require from all other kinds of software, but that we accept for silly security functions...
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Ok, here's one simple tip. With it off you can't view a .SWF and get a blank page, just view the source. Right-click page, view source. Now Ctrl+F or just look with your eyes for .swf, copy the URL. Download it with a browser or download manager, and you can look at it any time then too :)
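
The view-source tip above, together with the earlier point in the thread that Shockwave markup carries an ActiveX tag for IE plus a plug-in fallback, can be automated as an inventory of a page's ActiveX dependencies. This is an added example, not part of any post in the thread; the sample page, its URLs, the placeholder CLSIDs and the names `ActiveXAudit`, `audit` and `activex_only` are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: <object classid=...> is what IE loads as an ActiveX
# control; a nested <embed> is the plug-in fallback other browsers use.
# Both CLSIDs are placeholders, not real control identifiers.
SAMPLE_PAGE = """
<html><head><base href="http://www.example.com/media/"></head><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000" width="400">
  <param name="movie" value="intro.swf">
  <embed src="intro.swf" type="application/x-shockwave-flash" width="400">
</object>
<object classid="clsid:11111111-1111-1111-1111-111111111111" id="scanner"></object>
</body></html>
"""

class ActiveXAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # updated if the page declares <base href>
        self.objects = []      # one record per <object> that has a classid
        self._open = []        # stack of currently open <object> elements

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.base, a["href"])
        elif tag == "object":
            entry = {"classid": a.get("classid"), "movie": None, "fallback": None}
            self._open.append(entry)
            if entry["classid"]:
                self.objects.append(entry)
        elif self._open:
            cur = self._open[-1]
            if tag == "param" and (a.get("name") or "").lower() in ("movie", "src"):
                cur["movie"] = urljoin(self.base, a.get("value") or "")
            elif tag == "embed" and a.get("src"):
                cur["fallback"] = urljoin(self.base, a["src"])

    def handle_endtag(self, tag):
        if tag == "object" and self._open:
            self._open.pop()

def audit(html, page_url):
    parser = ActiveXAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.objects

def activex_only(objects):
    # Controls with no <embed> fallback: the part a non-IE browser would miss.
    return [o for o in objects if o["fallback"] is None]
```

Running `audit(SAMPLE_PAGE, "http://www.example.com/index.html")` resolves the media URL against the page's `<base>` and separates controls that degrade to a plug-in from those that work only with ActiveX enabled.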
     
  9. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    But, to me, that's just it... ActiveX isn't anything overly mysterious, it's just another avenue for software distribution. I don't quite understand the hysteria over ActiveX when many people are more than willing to download vague sounding plug-ins and/or entire executables from unknown authors without even a second thought. It seems a bit of a double-standard to me. At least with ActiveX you have the code generally signed by a publisher, and at least a nominal amount of time was spent by a root certificate authority to verify the publisher and grant a code signing certificate. With most downloaded apps you generally have nothing but the look and feel of the website you are downloading from, and/or word-of-mouth, to guide you. Of course, most of the big name downloads are scrutinized by security professionals, but even then a file might be replaced by a trojan or virus infected version and probably 90+% of the population wouldn't know it until their AV caught it. By the way, the ActiveX code isn't going to run with heightened privileges, as far as I know it runs with the same privileges as the IE process itself which is running under the logged on user's privileges.
     
  10. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    If you really miss ActiveX you can get an extension for Firefox that allows you to run ActiveX on whitelisted sites.
    The whitelist for sites is in a text file to deliberately make it harder to randomly add new sites (with no thought given).

    The extension was designed so that firefox could work with legacy sites and the suggestion in the doc I read was that it was more for intranets and legacy applications

    Would I use the extension in FF - definitely not

    For those sites that really need ActiveX I will run Avant (or maybe Netscape 8 now), for me at least having to switch browsers makes me more aware and at least a little more paranoid about what is going on

    NB: The point above about ppl running untrusted extensions is very valid, I suspect that at least some firefox users give less thought to adding an extension than to installing a "new" and possibly untrusted application
     