Tuesday, January 22, 2008

ActiveX


In a recent Tutor Tip (Is Your Internet Connection Secure?), I recommended that you browse to Symantec’s Security page and check your system for leaks. One of the requirements for the tests to work is having something called ActiveX running in your browser. This elicited several requests for information about ActiveX.

What is ActiveX?
Developed by Microsoft Corporation, ActiveX is a technology used to add interactive controls to Web pages. These controls can be anything from a single push-button to a complete spreadsheet. ActiveX controls only work in certain browsers. Of course, Microsoft's latest release of its own Web browser, Internet Explorer, recognizes ActiveX controls. Netscape's browser does not recognize these controls.

ActiveX is (another) Microsoft strategy for market dominance. Like a lot of Microsoft-centric software, ActiveX is bloated, awkward to use, slow, and has a tendency to make the experience of browsing the Web unpleasant. When encountering some ActiveX controls, browsers often lock up, slow down, freeze, and crash. More seriously, there are security risks inherent in the ActiveX model. ActiveX security rests on the "Authenticode" system which is a scheme for identifying the authors of ActiveX controls. Security is therefore based on trust.

ActiveX controls are only as safe as the company that created them. If a control has a digital signature, it means that the control has not been tampered with and is guaranteed to be exactly the same as when the software publisher created it. The ActiveX controls used by reputable sites are digitally signed by that company. When you see the Security Warning dialog box, check for the statement "Publisher authenticity verified by VeriSign." This statement guarantees that the control has not been tampered with since being signed by the publisher.

How to enable ActiveX in Internet Explorer
The default browser settings in Internet Explorer 5.0 or higher will allow ActiveX controls to download and run. A Medium Security Level allows ActiveX controls to download and run.

1. From the browser menu, click Tools > Internet Options
2. Click on the Security tab
3. Select the globe icon representing the Internet Zone
4. Click Custom Level
5. Scroll down to the ActiveX controls and plug-ins section
6. Under Download signed ActiveX controls select Prompt
7. Under Run ActiveX controls and plug-ins select Enable
8. Under Script ActiveX controls marked safe for scripting select Enable
9. Click OK to close the Security Settings window
10. Click OK to close the Internet Options window


No comments: