Is Active-X really so bad?

Discussion in 'Computer Security' started by Jackeline D, Apr 11, 2004.

  1. Jackeline D

    Jackeline D Guest

    In my house we like to download to Yahoo LAUNCH music video clips.
    http://launch.yahoo.com/. I use IE because Firefox and Opera do
    not work on sites like this.

    Following some warnings about Active-X I went to IE > Tools >
    Internet Options > Security > Custom level > and set the following:

    (1) Download signed Active-X controls - PROMPT
    (2) Download unsigned Active-X controls - PROMPT
    (3) Initialize and script Active-X controls not safe - PROMPT
    (4) Run Active-X controls and plug-ins - PROMPT
    (5) Script Active-X contols marked safe for scripting - PROMPT

    The result now is that Yahoo LAUNCH (and other web sites) are
    almost unusable because some message pops up asking if I approve of
    this or that to do with Active-X.

    I would *never* accept a program via Active-X whether it is marked
    as safe or not. So do I really need to switch off all these
    Active-X options in order not be be exposed to some danger?

    ---

    As a bit of background, I found this:
    http://www.cs.princeton.edu/sip/java-vs-activex.html
    "The main danger in ActiveX is that you will make the wrong
    decision about whether to accept a program."

    Is that the main danger? That's all? I can live with that!

    But is that site incorrect in what it suggests? Another site says:
    "some security experts say ActiveX does not deserve its bad
    reputation".
    http://www.newsfactor.com/story.xhtml?story_id=20390

    So mayb eit is all overstated by some people?

    Can you folks here please advise me on how to proceed. Should I
    set (4) about to ACCEPT? Or instead should I use the "trusted
    sites" feature in IE? Or both? Or something else?

    Thanks!
    Jackeline D, Apr 11, 2004
    #1
    1. Advertising

  2. Add the site(s) to your IE Trusted Sites - does that help?

    Jackeline D wrote:
    > In my house we like to download to Yahoo LAUNCH music video clips.
    > http://launch.yahoo.com/. I use IE because Firefox and Opera do
    > not work on sites like this.
    >
    > Following some warnings about Active-X I went to IE > Tools >
    > Internet Options > Security > Custom level > and set the following:
    >
    > (1) Download signed Active-X controls - PROMPT
    > (2) Download unsigned Active-X controls - PROMPT
    > (3) Initialize and script Active-X controls not safe - PROMPT
    > (4) Run Active-X controls and plug-ins - PROMPT
    > (5) Script Active-X contols marked safe for scripting - PROMPT
    >
    > The result now is that Yahoo LAUNCH (and other web sites) are
    > almost unusable because some message pops up asking if I approve of
    > this or that to do with Active-X.
    >
    > I would *never* accept a program via Active-X whether it is marked
    > as safe or not. So do I really need to switch off all these
    > Active-X options in order not be be exposed to some danger?
    >
    > ---
    >
    > As a bit of background, I found this:
    > http://www.cs.princeton.edu/sip/java-vs-activex.html
    > "The main danger in ActiveX is that you will make the wrong
    > decision about whether to accept a program."
    >
    > Is that the main danger? That's all? I can live with that!
    >
    > But is that site incorrect in what it suggests? Another site says:
    > "some security experts say ActiveX does not deserve its bad
    > reputation".
    > http://www.newsfactor.com/story.xhtml?story_id=20390
    >
    > So mayb eit is all overstated by some people?
    >
    > Can you folks here please advise me on how to proceed. Should I
    > set (4) about to ACCEPT? Or instead should I use the "trusted
    > sites" feature in IE? Or both? Or something else?
    >
    > Thanks!
    Lanwench [MVP - Exchange], Apr 12, 2004
    #2
    1. Advertising

  3. Jackeline D

    kulm_nd Guest

    Have you added Yahoo to your TRUSTED zone? Beware of unknown sites if you
    turn on ActiveX but you can have some Trusted sites to avoid having to ok
    scripts and ActiveX.

    --

    ************************************************

    g-w


    "Jackeline D" <> wrote in message
    news:94C8EF3A0D46753F89A@130.133.1.4...
    > In my house we like to download to Yahoo LAUNCH music video clips.
    > http://launch.yahoo.com/. I use IE because Firefox and Opera do
    > not work on sites like this.
    >
    > Following some warnings about Active-X I went to IE > Tools >
    > Internet Options > Security > Custom level > and set the following:
    >
    > (1) Download signed Active-X controls - PROMPT
    > (2) Download unsigned Active-X controls - PROMPT
    > (3) Initialize and script Active-X controls not safe - PROMPT
    > (4) Run Active-X controls and plug-ins - PROMPT
    > (5) Script Active-X contols marked safe for scripting - PROMPT
    >
    > The result now is that Yahoo LAUNCH (and other web sites) are
    > almost unusable because some message pops up asking if I approve of
    > this or that to do with Active-X.
    >
    > I would *never* accept a program via Active-X whether it is marked
    > as safe or not. So do I really need to switch off all these
    > Active-X options in order not be be exposed to some danger?
    >
    > ---
    >
    > As a bit of background, I found this:
    > http://www.cs.princeton.edu/sip/java-vs-activex.html
    > "The main danger in ActiveX is that you will make the wrong
    > decision about whether to accept a program."
    >
    > Is that the main danger? That's all? I can live with that!
    >
    > But is that site incorrect in what it suggests? Another site says:
    > "some security experts say ActiveX does not deserve its bad
    > reputation".
    > http://www.newsfactor.com/story.xhtml?story_id=20390
    >
    > So mayb eit is all overstated by some people?
    >
    > Can you folks here please advise me on how to proceed. Should I
    > set (4) about to ACCEPT? Or instead should I use the "trusted
    > sites" feature in IE? Or both? Or something else?
    >
    > Thanks!
    kulm_nd, Apr 12, 2004
    #3
  4. Jackeline D

    billh Guest

    "Jackeline D" <> wrote in message
    news:94C8EF3A0D46753F89A@130.133.1.4...
    > In my house we like to download to Yahoo LAUNCH music video clips.
    > http://launch.yahoo.com/. I use IE because Firefox and Opera do
    > not work on sites like this.
    >
    > Following some warnings about Active-X I went to IE > Tools >
    > Internet Options > Security > Custom level > and set the following:
    >
    > (1) Download signed Active-X controls - PROMPT
    > (2) Download unsigned Active-X controls - PROMPT
    > (3) Initialize and script Active-X controls not safe - PROMPT
    > (4) Run Active-X controls and plug-ins - PROMPT
    > (5) Script Active-X contols marked safe for scripting - PROMPT
    >
    > The result now is that Yahoo LAUNCH (and other web sites) are
    > almost unusable because some message pops up asking if I approve of
    > this or that to do with Active-X.
    >
    > I would *never* accept a program via Active-X whether it is marked
    > as safe or not. So do I really need to switch off all these
    > Active-X options in order not be be exposed to some danger?
    >
    > ---
    >
    > As a bit of background, I found this:
    > http://www.cs.princeton.edu/sip/java-vs-activex.html
    > "The main danger in ActiveX is that you will make the wrong
    > decision about whether to accept a program."
    >
    > Is that the main danger? That's all? I can live with that!
    >
    > But is that site incorrect in what it suggests? Another site says:
    > "some security experts say ActiveX does not deserve its bad
    > reputation".
    > http://www.newsfactor.com/story.xhtml?story_id=20390
    >
    > So mayb eit is all overstated by some people?
    >
    > Can you folks here please advise me on how to proceed. Should I
    > set (4) about to ACCEPT? Or instead should I use the "trusted
    > sites" feature in IE? Or both? Or something else?
    >
    > Thanks!


    Short answer is that if you only go to reputable sites you aren't likely to
    have a problem. I have browsed with ActiveX on for years using MS Internet
    Explorer and haven't had trouble. However, I stay away from seedy sites,
    cracker sites etc. Unfortunately it only takes one rogue site and you'll
    have a problem. I regularly run Adaware6, Spybot and a anti-virus program.
    The only thing I regularly find are some dull tracking cookies.
    Billh
    billh, Apr 12, 2004
    #4
  5. Jackeline D

    Gary Guest

    Gary, Apr 12, 2004
    #5
  6. "billh" <> wrote:

    > Short answer is that if you only go to reputable sites you
    > aren't likely to have a problem. I have browsed with ActiveX
    > on for years using MS Internet Explorer and haven't had
    > trouble. However, I stay away from seedy sites, cracker sites
    > etc. Unfortunately it only takes one rogue site and you'll
    > have a problem. I regularly run Adaware6, Spybot and a
    > anti-virus program. The only thing I regularly find are some
    > dull tracking cookies. Billh



    But what exactly is it that might happen to their PC if they go to
    a rogue site?
    Peter Rossiter, Apr 12, 2004
    #6
  7. Jackeline D

    Leythos Guest

    In article <94C9DA8DF264F471AE@130.133.1.4>, says...
    > "billh" <> wrote:
    >
    > > Short answer is that if you only go to reputable sites you
    > > aren't likely to have a problem. I have browsed with ActiveX
    > > on for years using MS Internet Explorer and haven't had
    > > trouble. However, I stay away from seedy sites, cracker sites
    > > etc. Unfortunately it only takes one rogue site and you'll
    > > have a problem. I regularly run Adaware6, Spybot and a
    > > anti-virus program. The only thing I regularly find are some
    > > dull tracking cookies. Billh

    >
    >
    > But what exactly is it that might happen to their PC if they go to
    > a rogue site?


    A PC that is not properly patched, even without active-x controls, will
    run the risk of being compromised by back-doors, droppers, etc...

    If you visit new sites with Internet Security set to "Highest" you stand
    a much better chance of NOT being compromised.

    I've seen sites open shell apps that can actually run code at the users
    privileges level on their system, you should always run as a User level
    account on a Windows box when not performing administration functions.

    --
    --

    (Remove 999 to reply to me)
    Leythos, Apr 12, 2004
    #7
  8. Jackeline D

    Mailman Guest

    On Mon, 12 Apr 2004 21:29:05 +0100, Peter Rossiter wrote:

    > But what exactly is it that
    > might happen to their PC if they go to a rogue site?


    An ActiveX control is a bit like a Java applet, but it is a real
    (executable) program. That means that it runs with the exact privileges of
    whatever user is logged-in, but without the protection offered by the Java
    sand-box (which is pretty good, even if not perfect).

    I leave the rest to your imagination.
    --
    Mailman
    Mailman, Apr 13, 2004
    #8
  9. Mailman <> wrote:

    >> But what exactly is it that might happen to their PC if they
    >> go to a rogue site?

    >
    > An ActiveX control is a bit like a Java applet, but it is a
    > real (executable) program. That means that it runs with the
    > exact privileges of whatever user is logged-in, but without
    > the protection offered by the Java sand-box (which is pretty
    > good, even if not perfect).
    >
    > I leave the rest to your imagination.
    > --


    Can such a program run automatically or does the user have to click
    something to allow it to run?
    Peter Rossiter, Apr 13, 2004
    #9
  10. Runs automatically if that's how you've setup IE. YOu can ask IE to ask
    your permsision to run ActiveX programs when it detects them, but it
    doesn't explain to you what it will do or anything.

    Hope this is useful to you. Let us know.

    rms



    Peter Rossiter wrote:
    > Mailman <> wrote:
    >
    >
    >>>But what exactly is it that might happen to their PC if they
    >>>go to a rogue site?

    >>
    >>An ActiveX control is a bit like a Java applet, but it is a
    >>real (executable) program. That means that it runs with the
    >>exact privileges of whatever user is logged-in, but without
    >>the protection offered by the Java sand-box (which is pretty
    >>good, even if not perfect).
    >>
    >>I leave the rest to your imagination.
    >>--

    >
    >
    > Can such a program run automatically or does the user have to click
    > something to allow it to run?
    Rob Schneider, Apr 13, 2004
    #10
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?ISO-8859-2?Q?Rafa=B3_=A3o=BFy=F1ski?=

    Thunderbird filters "active" but not "active"

    =?ISO-8859-2?Q?Rafa=B3_=A3o=BFy=F1ski?=, May 14, 2005, in forum: Firefox
    Replies:
    5
    Views:
    639
    Moz Champion
    May 18, 2005
  2. =?Utf-8?B?U3VzaGls?=
    Replies:
    1
    Views:
    691
    Wayne
    Feb 16, 2006
  3. Replies:
    12
    Views:
    2,863
    Michael Alan Chary
    Feb 23, 2005
  4. Replies:
    0
    Views:
    469
  5. John

    Bad media, bad files or bad Nero?

    John, Dec 31, 2007, in forum: Computer Information
    Replies:
    23
    Views:
    1,187
    Keith
    Jan 8, 2008
Loading...

Share This Page