ActiveX is a Microsoft framework that incorporates a set of software controls that carry out specific functions within Windows. Microsoft first introduced ActiveX in 1996 as part of its Component Object Model (COM) and Object Linking and Embedding (OLE) technologies. Think of ActiveX controls as modules or building blocks that add functionality to software applications. For example, developers often use a series of ActiveX controls to build or enhance software applications for Windows. For end users, ActiveX makes Web sites more interactive with animations, forms, and even spreadsheet-like calculators.
While ActiveX is used in many different Windows applications, most users first encounter ActiveX controls through their Web browsers. For example, an ActiveX control may be required before downloading a program from the Internet or for conducting online banking transactions. Common ActiveX controls include toolbars, animations, stock tickers, and video and music. Security settings are often set to prompt the user to authorize the installation of an ActiveX control.
ActiveX is a useful technology for developers and end users alike, but it has also been exploited by malware makers. ActiveX, when programmed with malicious intentions, can carry out dangerous operations on a user’s computer. For example, “drive-by downloads” have become more common. When a user visits a website with malicious ActiveX controls, the controls run and download malware onto the user’s computer in the background. This malware installs without the user’s consent or knowledge and can be capable of just about anything the malware developer programmed, ranging from collecting personal information to allowing the computer to be taken over by remote hackers.
Because of the powerful nature of the ActiveX technology and the potential for abuse by malware makers, Internet Explorer has several ActiveX security precautions in place. For example, Internet Explorer’s Medium-High security setting will prompt the user before potentially unsafe content is downloaded and “unsigned” ActiveX controls will not be downloaded. These settings can be tweaked by going into Internet Explorer’s Tools menu, clicking Internet Options, clicking the Security tab, clicking the Custom button, and scrolling down to the ActiveX section.
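The settings in that ActiveX section are stored in the registry as per-zone values, so they can be audited without clicking through the dialog. The following read-only PowerShell check is an added example, not part of the original article; the function name `Get-ActiveXZoneAudit` is hypothetical, and the "expected" values are an assumption based on the Medium-High behaviour described above (prompt for signed controls, block unsigned ones).

```powershell
# Added example: read-only audit of Internet Explorer's Internet-zone ActiveX settings.
# Zone 3 is the Internet zone. Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$zonePaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)

# URL action codes for the ActiveX section. "Ok" lists the values treated as
# acceptable here (assumption: the Medium-High defaults for the Internet zone).
$actions = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';            Ok = 1, 3 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';          Ok = @(3) }
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins';           Ok = 0, 1, 3 }
    '1201' = @{ Name = 'Initialize/script controls not marked safe';  Ok = @(3) }
    '1405' = @{ Name = 'Script controls marked safe for scripting';   Ok = 0, 1, 3 }
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneAudit {
    param([string[]]$Path = $zonePaths)
    foreach ($p in $Path) {
        # Policy keys only exist when Group Policy configures the zone.
        if (-not (Test-Path -Path $p)) { continue }
        $props = Get-ItemProperty -Path $p
        foreach ($id in $actions.Keys) {
            $raw = $props.$id
            if ($null -eq $raw) { continue }   # value not set at this location
            $v = [int]$raw
            # Values outside 0/1/3 (for example administrator-approved) are shown in hex.
            $text = if ($label.ContainsKey($v)) { $label[$v] } else { '0x{0:X}' -f $v }
            [pscustomobject]@{
                Location = $p
                Action   = $id
                Setting  = $actions[$id].Name
                Value    = $text
                Expected = $actions[$id].Ok -contains $v
            }
        }
    }
}

# List every configured value, then show only the ones weaker than expected.
$audit = Get-ActiveXZoneAudit
$audit | Format-Table -AutoSize
$audit | Where-Object { -not $_.Expected } | Format-Table Location, Setting, Value
```

When the same action is set in more than one location, which one takes effect depends on how Group Policy is configured on the machine, so review every row rather than only the per-user key.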
ActiveX controls are often referred to as browser “add-ons.” Those that are marked safe for scripting typically install without user interaction. However, it’s not unusual to be prompted to install an ActiveX control that hasn’t officially been approved by Microsoft. Before proceeding, consider whether or not the control seems necessary as well as whether or not you trust the Web site. For example, if you encounter an ActiveX control related to downloading an application that you just purchased from a respected publisher, then the ActiveX control will likely pass the test. One, it is necessary in order for the download to proceed, and two, you trust the Web site. On the other hand, if you land on a random Web page that wants to install an ActiveX control for no apparent reason, then the ActiveX control hasn’t passed the test. One, you are unclear about what the ActiveX control intends to do, and two, you do not trust the site.