ActiveX is the weakest link

Once in a while, it is gratifying to see how Microsoft's embrace-and-extend strategy comes back to bite them. Take Internet Explorer, back when Microsoft was defending its Windows turf against Netscape's "browser as OS" vision. Microsoft, in its infinite wisdom, decided to extend the browser to run ActiveX applets. There was already a large base of ActiveX components on the Windows platform, so naturally, exposing ActiveX components to the web browser would help entrench Microsoft's dominance on the client side, right?

As history has turned out, the answer is a resounding NO. Despite Microsoft's security push to harden the operating system in Windows XP (which in turn brought on the Longhorn delays), ActiveX applets have become Internet Explorer's Achilles' heel. Spyware and malware authors exploit ActiveX vulnerabilities to hijack users' PCs, turning once-healthy systems into zombies controlled by botnets.

Take a look at the Month of Browser Bugs weblog. Almost every Internet Explorer crash listed there is due to a badly written ActiveX component. No matter how hard Microsoft works, the attack surface of ActiveX components is simply too big to defend. Worse still, ActiveX has been supported in Microsoft's browsers for years, so Microsoft would take quite a bit of flak should it even attempt to disable ActiveX support.

Note, I am not referring to malicious ActiveX components, which Microsoft has partially addressed in XP SP2. XP SP2 adds a small hurdle that stops Internet Explorer users from accidentally installing ActiveX components. The crashes referred to above are in ActiveX controls developed by Microsoft itself. A skilled programmer can engineer such a crash into a way of installing their software on your computer without your permission. I didn't realize how many of these controls are enabled for use with Internet Explorer. Some of them deal with the amazing page transition effects you see when you visit some web sites. Others deal with Windows HTML Help. Useful as they are, I'd rather not have these snazzy things if it means I don't have to wipe my computer clean every year.

Now, some readers might wonder about Firefox. Firefox supports applets too, but they are not of the ActiveX variety: Firefox supports Java applets. The difference? ActiveX components are typically developed in C, C++, and VB. C and C++ are languages in which the programmer has to take extra care to manage memory allocation and deallocation; otherwise the program simply crashes. ActiveX components written in VB are markedly safer, as long as those VB components do not in turn use ActiveX components written in C or C++. In contrast, applets written in Java (like VB components) suffer none of these memory-management problems, since the runtime manages memory and a bad access raises an exception rather than corrupting memory. In addition, Java applets can call only a very limited set of native routines written in C, which makes the Java runtime easier to defend against malicious websites.

Microsoft can't afford to annoy customers who have built legitimate business applications on ActiveX applets, but at the same time Microsoft can't concentrate on new product lines if it is constantly defending indefensible ground. Readers, if you were Bill Gates, what would you do? Would you cut your losses and run?