Wednesday, November 11, 2009

ActiveX Controls

Security and Cryptography Security Software Engineering Internet/Online
Mike Andrews and James A. Whittaker, How to Break Web Software: Functional and Security Testing of Web Applications and Web Services (Addison-Wesley Professional)

ActiveX is a Microsoft technology that allows multiple programs to share information and file formats. It sprang from OLE (Object Linking and Embedding), which was the mechanism for various Office programs to share data (for example, embedding an Excel spreadsheet into a Word document). After the technology was transitioned to the Web, it was renamed ActiveX (because anything with the letter X in it just sounds cool).

ActiveX controls that are downloaded onto a client computer give the Web application more power because ActiveX can use pretty much any API available to normal Windows programs. Obviously, the idea of arbitrary ActiveX controls being installed on a user's machine is a scary proposition. Thus, browsers are programmed to warn of attempts to download these controls and will only do so with the user's permission. In addition, ActiveX controls are now digitally signed as being safe for scripting by their authors, and the browser checks these signatures and verifies that the ActiveX control has not changed since it was registered and that the author is in good standing with the signature authority (which Microsoft has outsourced to VeriSign).

ActiveX controls are programs that, when downloaded, have access to nearly any file or piece of information stored on the hard drive. The only sure way to protect against malicious controls is to turn ActiveX off in the browser's security settings. Otherwise, you have to ask yourself how much you trust the community's efforts to ensure that only benign ActiveX controls exist within the habitat of the World Wide Web. Digital signatures only prove who wrote the code and that it has not been tampered with. They do not provide assurance of the quality of the code or its lack of malicious elements. In the past, signing certificates have been obtained under slight misspellings of real company names, certificates have been mistakenly issued to the wrong party (http://news.com.com/2100-1001-254586.html), and additional code (for example, Easter eggs) has slipped through the gaps.
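The two paragraphs above describe what a browser checks on a signed control (the code still matches what the author signed, and the signer chains to a trusted authority) and what that check cannot tell you (whether the publisher is who you think it is, or whether the code is any good). The following PowerShell script, added here as an illustration and not taken from the book, performs the same kind of check from the administrator's side: it enumerates the controls this machine registers as "safe for scripting" (the real CATID_SafeForScripting component category) and reports the Authenticode status and signer of each one. It assumes Windows PowerShell 5.1 or later; the `$TrustedSigners` allow list is a hypothetical placeholder to be replaced with the publishers an organisation has actually decided to trust.

```powershell
# Added example (not from the book): audit the ActiveX controls registered on
# this machine as "safe for scripting" and verify each one's Authenticode
# signature. Assumes Windows PowerShell 5.1+. $TrustedSigners is a hypothetical
# allow list, not a recommendation of any particular publisher.

# Component category a control registers when its author marks it safe for
# scripting (CATID_SafeForScripting).
$SafeForScriptingCatId = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'

function Get-ScriptableActiveXControls {
    # Walk HKCR\CLSID and keep classes that (a) list the safe-for-scripting
    # category under "Implemented Categories" and (b) name an in-process DLL/OCX.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $catKey = "$($_.PSPath)\Implemented Categories\$SafeForScriptingCatId"
            if (-not (Test-Path -LiteralPath $catKey)) { return }

            $inproc = Get-ItemProperty -LiteralPath "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if (-not $inproc -or -not $inproc.'(default)') { return }

            # Registry values may be quoted and may use %SystemRoot%-style variables.
            $path = [Environment]::ExpandEnvironmentVariables($inproc.'(default)'.Trim('"'))
            [PSCustomObject]@{ CLSID = $_.PSChildName; Path = $path }
        }
}

function Test-ActiveXControlSignature {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string[]]$TrustedSigners = @()
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [PSCustomObject]@{ Path = $Path; Status = 'FileMissing'; Signer = $null; Trusted = $false }
    }

    # Get-AuthenticodeSignature reports whether the file still matches the hash
    # the author signed (HashMismatch otherwise) and whether the signer chains
    # to a trusted root (NotTrusted otherwise). It says nothing about code quality.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # A valid signature from a publisher outside the allow list still deserves a
    # look: a look-alike company name carries a perfectly valid signature.
    $matched = $TrustedSigners | Where-Object { $signer -like "*$_*" }
    $trusted = ($sig.Status -eq 'Valid') -and [bool]$matched

    [PSCustomObject]@{
        Path    = $Path
        Status  = $sig.Status.ToString()
        Signer  = $signer
        Trusted = [bool]$trusted
    }
}

# Hypothetical allow list; substitute the publishers you have actually vetted.
$TrustedSigners = @('CN=Microsoft Corporation', 'CN=Microsoft Windows')

Get-ScriptableActiveXControls |
    ForEach-Object { Test-ActiveXControlSignature -Path $_.Path -TrustedSigners $TrustedSigners } |
    Sort-Object Trusted, Status |
    Format-Table -AutoSize Status, Trusted, Signer, Path
```

Reading HKCR needs no elevation, so the script can run as a normal user. Rows with `Status` of `HashMismatch` or `NotTrusted` correspond to the tampering and untrusted-authority cases the browser is meant to catch; rows with `Status` `Valid` but `Trusted` `False` are the case the text warns about, a technically sound signature from a publisher you have not chosen to trust.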
