As expected, Microsoft today posted a Web site called “Web Executable Security Advisor” that defends ActiveX and explains the pros and cons of ActiveX, Java, and other Internet technologies. The site was planned after the news earlier this month that German hackers used an ActiveX control to steal money from people’s accounts electronically.
Microsoft’s argument for ActiveX is that any executable program that runs across the Internet, be it an ActiveX control, Java applet, or Netscape plug-in, has inherent security risks.
“If people let a stranger in the house and the stranger tied them up and stole their VCR,” said Tod Nielsen, general manager of developer relations at Microsoft, “do they go to the police or move into another house?”
That’s a bit of a stretch, since most people don’t understand the security risks that ActiveX controls can contain. A better comparison would be people changing the channels on the TV and having the TV suddenly tie them up and steal the VCR. No one expects that to happen either, but that’s essentially what an ActiveX control can do to their computer. Think about that for a second.
Sorry, but “ActiveX security” is an oxymoron.
Microsoft has pledged to increase ActiveX security and I suppose this Web site is a good first step toward informing users about potential security risks. On the other hand, who’s ever going to see it?