6

I do not have experience with web development, but I have read that ActiveX should be abandoned because it is insecure, in favour of other scripting methods such as JavaScript.

What exactly does ActiveX do, why is it considered insecure and how is it different from JavaScript and VBScript?

I would prefer a simple explanation that does not go into too much technical details (if possible).

kalina
  • 3,354
  • 5
  • 20
  • 36
user13267
  • 359
  • 6
  • 16

2 Answers2

8

ActiveX is a remotely exploitable attack surface exposed by the browser. ActiveX components are classes exposed to JavaScript. By their nature, an ActiveX component is performing sensitive functionality not normally exposed to JavaScript, and this functionality could be exploited. ActiveX components can be written in C/C++ which means ActiveX components can suffer from buffer overflow or other memory corruption vulnerabilities. Many exploits have been written to leverage vulnerabilities in ActiveX components, especially ActiveX component written by Microsoft and enabled by default.

Exploitation of an ActiveX component often leads to remote code execution on the target system.

rook
  • 46,916
  • 10
  • 92
  • 181
2

A number of desktop applications have historically made Scriptable Objects, often the developers do not consider the security implications of random web site being able to script these objects. An example from many years ago was Microsoft Outlook made the contact list and the ability to send email scriptable. So the user navigating to a web site could cause the user to send an email to every contact listed in there Outlook application.

In addition to designed functionality misused, there is the likelihood that desktop application have not been designed with network security in mind, due to their normal use-case of being used by one trusted user. And as such have security weakness.

I went looking for details on the send email vulnerability and could not find it due to the share number of results for googling for outlook activex security patch send email.

What exactly does ActiveX do, why is it considered insecure and how is it different from JavaScript and VBScript?

ActiveX is a way of accesses locally installed applications, it is used from JavaScript or VBScript. For example the following javascript code initializes access to Microsoft Excel if installed and if security controls are passed.

var ExcelApp = new ActiveXObject("Excel.Application");
var ExcelSheet = new ActiveXObject("Excel.Sheet"); 

// Make Excel visible through the Application object.
ExcelSheet.Application.Visible = true;
// Place some text in the first cell of the sheet.
ExcelSheet.ActiveSheet.Cells(1,1).Value = "This is column A, row 1";
// Save the sheet.
ExcelSheet.SaveAs("C:\\TEST.XLS");
// Close Excel with the Quit method on the Application object.
ExcelSheet.Application.Quit();

Without ActiveX extensions installed JavaScript within the browser only allows interaction with the browser. Browsers are designed with the explicit use case of executing limited code from untrusted sources safely. While JavaScript can only interact with the harden surface of the browser it is less likely for security weaknesses to be found, ActiveX greatly expands the attack surface for a malicious website.

David Waters
  • 2,802
  • 2
  • 14
  • 14