I vaguely remember way back when being told that Active-X could be dangerous because they could make your computer run programs you didn’t realise. Is that still a problem nowadays? The articles I found on it date back to the '90s, so I don’t know if it’s a current concern. Seems like most sites use Java anyway, but my pre-teen daughter has just started using MSN Messenger to talk to her friends and they like to play little Active-X games through Messenger. I told her not to play them, because I don’t want her accidentally downloading something harmful, but I’m wondering if it’s actually something I need to be concerned about, or is it probably OK?
A couple of hours ago, windows update came up with a few updates for me.
The information for one of the updates had this link.
http://www.microsoft.com/technet/security/bulletin/MS09-046.mspx
“This security update resolves a privately reported vulnerability in the DHTML Editing Component ActiveX control. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
So it looks like there is still the regular drip, drip, drip of vulnerabilities for ActiveX being patched.
I’m not good enough with the details to know exactly what that flaw did. But there’s this patch, and I’m pretty sure I remember other windows update patches this year that have also mentioned ActiveX.
And it’s not just ActiveX that you should be worried about. Flash seems to be targeted more and more often recently, and it’s pretty common for people to not have the most up to date Flash player installed. So it might be a good idea to check that too.
Thanks, I will update our Flash Player too.
No, by default XP SP2 IE6, IE7, and IE8 are not set to run unsigned code and always prompt for installation. It's as safe as anything you run on your machine, just don't run suspicious applications from suspicious sources.
To be fair that's true for a lot of software. Windows, OSX, Linux, etc.
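For anyone who wants to check what the poster above describes rather than take the defaults on trust, here is an added example (my own script, not something from this thread or from Microsoft) that reads the current user's Internet Explorer "Internet" zone settings for ActiveX and flags any that are weaker than "Prompt". It assumes the per-user settings under HKCU are the ones in effect (i.e. no HKLM-only policy is forcing machine-wide values) and uses the standard IE URL-action IDs for zone 3.

```powershell
# Added example, not code from the thread: report how the current user's
# Internet Explorer "Internet" zone treats ActiveX controls, and flag settings
# that let controls arrive or run without asking.
# Assumption: per-user zone settings under HKCU apply (no HKLM-only policy in force).

$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# IE URL-action IDs for the ActiveX-related settings within a security zone.
$ActiveXActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
}

# Stored DWORD values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ActionState = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneSetting {
    param([string]$ZonePath = $InternetZone)

    $props = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($id in $ActiveXActions.Keys) {
        $raw = $props.$id
        $state = if ($null -eq $raw) { 'Not set (IE default applies)' }
                 elseif ($ActionState.ContainsKey([int]$raw)) { $ActionState[[int]$raw] }
                 else { "Unknown ($raw)" }

        # "Enable" on unsigned download or on scripting controls not marked safe
        # means a page can deliver and drive native code with no prompt at all.
        $risky = ($id -in '1004', '1201') -and ($raw -eq 0)

        [pscustomobject]@{
            ActionId = $id
            Setting  = $ActiveXActions[$id]
            State    = $state
            Risky    = $risky
        }
    }
}

Get-ActiveXZoneSetting | Format-Table -AutoSize
```

Run it in a normal PowerShell window; a row marked Risky = True is worth putting back to Prompt or Disable through Internet Options > Security before letting a child use Messenger games in that browser.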
While you are at it, update your Java and Adobe Reader, older versions are also targets of spyware.
Yes, do this. Flash is a security black hole.
I also turn off javascript in acrobat reader. Turns out most of the security problems stem from that and I have yet to receive a pdf that requires it to be on.
Active X can be bad, if the control doesn’t come from a trusted source. I personally wouldn’t install any Active X controls that are not signed by a reputable company. Active X controls are inherently much riskier than technologies such as Java or Flash. Programs using those technologies can only be run on your computer with the help of some sort of player or interpreter program. This program acts as a “sandbox”, thus making it more difficult for your Java or Flash applets to do bad things to your system. Active X controls, on the other hand, contain actual machine instructions that can be directly executed by your CPU. This makes them significantly more powerful.
Actually, run either Secunia or FileHippo Update Checker. Or both! They basically go through your computer, finding all the major programs that you have installed (Java, Flash, Adobe, etc.) and checking the version you have installed vs. the most current version available online. Then they notify you if any of your installed programs are an older, more vulnerable version. And usually with an easy link to download the latest version.
Running these every month or so will really help keep your machine up-to-date.
This sounds like good advice. However, can you please, for a computer pinhead, explain why upgrading these programs makes you safer? One of them that I just did download had its own active x component built in. I don’t really understand.
ActiveX, in and of itself, is not bad. It is just a programming language. The vast majority of websites that use it, do so for benign reasons that add functionality to the website. ActiveX is only bad when used for evil.
The reason you need to update programs like browsers, Java, Adobe Reader and such, is that the bad guys who write spyware exploit weaknesses in the earlier versions of those programs that allow them to infect your computer. The updates plug those security holes so that they cannot do their dirty work.
Ah, thanks. But what about porn sites that ask you to run Active X? If all that does is help run their movies, then it’s ok, right? Or are the porn sites automatically suspect?
In case this is a serious question, a porn site Active X control (and pretty much any executable program coming from a porn site) almost certainly cannot be trusted. The promise of movies with naked women having sex is a great way to lure people to run your malware.
Plus, people are less likely to report problems on porn sites, as they don’t want to admit to going there. Especially if the porn is non-mainstream.
If you really want to try out those sites, invest some time learning how to run a virtual machine. At least, if the virtual machine gets trashed, you can just wipe it without hurting the rest of your computer.
Anyways, there’s usually no reason to run them. Firefox doesn’t use them, and I haven’t encountered a page that doesn’t work on it in years.
Of course it’s a serious question. Why wouldn’t it be? Is there some notion that people here are above looking at pornography? So, how does one know when to trust a website to run Active X? Is it related to your opinion of the product they’re selling?
I think most Dopers would say that porn itself is fine.
But … a big fraction of the porn industry is closely allied with the bad guys. Lousy customer service, subscriptions you can’t cancel, malware, are all much more common on porn merchant sites than cookware merchant sites.
And there is the entire genre of malware sites set up explicitly for the purpose of stealing credit cards & installing keyloggers which just happen to use pix of chix as the bait to get you to click the dangerous button. They tried cookware sales as a cover too, but it didn’t / doesn’t work as well as porn does.
What we/you really need is a reputable Consumer Reports-like site for rating porn sites for honesty & malware-freeness. I don’t have a link to any such; it may not exist. Sounds like a good unmet need. And the market research might be kinda entertaining. Certainly better than testing toasters.
>But … a big fraction of the porn industry is closely allied with the bad guys.
Depends on the porn site. IMHO they are many layers above spam and a little above what passes off as acceptable internet marketing (punch the monkey ads, stupid test, etc).
The problem the porn providers face is that they need to make their site as easy as possible for the non-techy crowd, thus that means supporting IE6 still and deploying video codecs, chat apps, or whatever via ActiveX. I think generally they just use Windows Media for video and you don’t get an ActiveX popup much anymore, but it could be a legitimate case. I guess the user really needs to decide if they trust the site and run a virus scan afterwards to be safe.
That sounds like you are describing AOL or Norton! Or just about ANY of the big cellphone companies.
And at least the porn they provide works reliably. Which you often can’t say about these other companies. (They wouldn’t try to make it so hard or charge such ‘termination’ fees if they didn’t have so many unsatisfied customers trying to leave.)
I’d say the average porn site is less of a bad guy than Qwest, et al.