



ActiveX Issues

ActiveX technology was developed by Microsoft for Internet Explorer. An ActiveX object can be placed within a webpage, and it works differently from Java: the code is distributed as executable files and therefore only works on one platform. There are major security risks regarding ActiveX objects. With Java you would have appropriate policy settings in place to prevent Java applets from doing intentional harm to your system. For example, Java applets can't read from or write to a local drive on your computer. ActiveX, however, has none of these restrictions; an ActiveX object can literally do anything to your system. The security of an ActiveX object relies solely on the digital signature (called code signing). An ActiveX object must be distributed with a valid certificate from a CA like Verisign. The developer of an ActiveX object states that the software is free from viruses and other malicious components when the certificate is given. It is therefore down to the user to try to judge whether the code is safe or not.

An ActiveX control is unsafe when there is a problem with its certificate (i.e. it is not valid) or when it has not been signed at all; otherwise the control is marked as safe. While the certificate can prevent scripts from being distributed anonymously or being tampered with, it cannot ensure exactly how safe the code is. However, the system can work, as any known malicious script will have a known source. If it is reported to the CA that the code is not safe, they will most likely revoke the certificate. This will not stop the script from being available, though: it can still be accessible, but as an unsigned ActiveX control.

However, this leads to a problem: maliciously coded controls might not be obviously harmful. For example, an ActiveX object could secretly record all the form data you fill in and send it off, or plant a virus on your system. It's possible that the cause, in this case the ActiveX control, will never be "discovered" and therefore might never be marked as unsafe, leaving it to stay and damage more systems.

ActiveX and Spyware

Most spyware programs at present use ActiveX objects to install themselves onto your system. Their scripts are usually signed as well. The reason is that they explain everything in the disclaimer (although it is sometimes a long read). Therefore, what they're doing is not strictly illegal, so their certificates tend not to get revoked. This is the main reason why spyware gets installed unintentionally. People see the Security Warning and treat it not as a warning but as a sign of approval by Verisign or whatever other CA approved it. Really, the only thing stopping the spyware from getting installed is the user not clicking "yes" to accept the download. The best situation for the supplier of the spyware would be that the user has low security settings and therefore bypasses the security warning completely (making it a drive-by install). This could happen if the security settings are set to "enable" instead of "prompt" for signed ActiveX objects; I'm sure some users who aren't sure what to set it to have this security setting.
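One way to check a machine for the "enable" setting described above, as an added example that is not part of the original page: this PowerShell script reads the Internet Explorer per-zone registry values for URL actions 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) and marks any zone where a control would be downloaded without a prompt. The function name `Get-ActiveXZoneAudit` and the output column names are made up for this example.

```powershell
# Added example. Registry value names are Internet Explorer URL action IDs:
#   1001 = Download signed ActiveX controls, 1004 = Download unsigned ActiveX controls
# Value data: 0 = Enable (no warning shown), 1 = Prompt, 3 = Disable
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}
$zones = [ordered]@{
    '1' = 'Local intranet'; '2' = 'Trusted sites'; '3' = 'Internet'; '4' = 'Restricted sites'
}
$setting = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Policy keys are listed first: a value set by Group Policy takes precedence
# over the choice the user made in the Internet Options dialog.
$roots = [ordered]@{
    'Machine policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User policy'    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User setting'   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
}

function Get-ActiveXZoneAudit {
    foreach ($source in $roots.Keys) {
        foreach ($zone in $zones.Keys) {
            $key = Join-Path -Path $roots[$source] -ChildPath $zone
            if (-not (Test-Path -Path $key)) { continue }    # zone not configured here
            $props = Get-ItemProperty -Path $key
            foreach ($id in $actions.Keys) {
                $value = $props.$id
                if ($null -eq $value) { continue }           # action not configured here
                $label = $setting[[int]$value]
                if (-not $label) { $label = "Unknown ($value)" }
                # SilentInstall is true when the control is fetched with no warning at all,
                # which is the drive-by install case.
                [pscustomobject]@{
                    Source        = $source
                    Zone          = $zones[$zone]
                    Action        = $actions[$id]
                    Setting       = $label
                    SilentInstall = ([int]$value -eq 0)
                }
            }
        }
    }
}

Get-ActiveXZoneAudit | Sort-Object SilentInstall -Descending | Format-Table -AutoSize
```

Any row with `SilentInstall` set to `True` is a zone where the security warning never appears; setting that value back to 1 (Prompt) or 3 (Disable) restores the check.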

I think the problem of users installing it unintentionally will remain an ongoing problem; either the law has to change or the way ActiveX objects work has to be reconsidered. The fact that it's not illegal makes it acceptable in the Certificate Authorities' view, so they provide a valid certificate, making it a signed script and therefore wrongly considered by some to be always safe.