So long ActiveX. Will I miss you?

So long ActiveX. Will I miss you?

Summary: I'm following the advice of US CERT and other security wonks and disabling my ActiveX controls in IE. The big question: Will I miss it?


I'm following the advice of US CERT and other security wonks and disabling my ActiveX controls in IE. The big question: Will I miss it?

The short answer is probably not since I mostly use Firefox. However, there are times when I'll toggle over to IE for various reasons and have hit the ActiveX prompt. But given the latest Facebook, MySpace flaws and a conversation about ActiveX support I had earlier I'm going on an ActiveX diet. CERT has a point.

But I'm more interested in the hard core IE users. Has anyone else taken this step? And has it been painful to live without ActiveX?

You can disable your ActiveX controls by going into Internet Options and then unclicking the mumbo jumbo that Microsoft has on by default.




[ GALLERY: How to use Internet Explorer securely ]

Topics: Enterprise Software, Browser, Microsoft, Software, Software Development

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Done. Thanks Larry!

    D T Schmitz
    • Update or ActiveX

      Try updating with autoupdate or manual update or whatever way without ActiveX controls and without IE. Btw, is either the WGA "check" or REgistration dependent on ActiveX or IE? Happy hunting.
      • I'm running SP3 so there are no updates unless you are a tester

        D T Schmitz
      • True Irony.

        Isn't it ironic that the very problem that allows intruders in is necessary for MS to use to load updates to keep intruders out.

        Another program that does not work without Active-X is the P2P program Bearshare. Kids use it to download music and video content. I can install it on Linux, but it won't complete without the Active-X spyware vehicle. It installs fine and then throws up a dialog asking for IE. On PC-BSD, there is an installable IE, but it does not have Active-X, so it doesn't work either.
  • Your screenshots are inaccurate

    The shown settings actually do *not* disable ActiveX, if those are the only changes you've made. It's the "Run ActiveX controls and plug-ins" option that needs to be set to "Disabled". Or use the "High" security preset. It doesn't appear that you've done either.

    Detailed instructions for how to disable ActiveX are available here:
  • Yes you will miss it, but users need to force the change

    I disabled it a long time ago except for high security, the problem is that way too many sites require it. It is time for users to tell the sites that they do not want to required to use things like Active X and Flash to get information.
    • SO

      So pick a method of access you like and wait a month... some hacker will devise a way through it. I don't have the answer but disabling active X is not it either.
  • Switched to Firefox with add-ons

    like NoScript. Blocks a reasonable amount of website trash. But it's like any other game war, you install measures, websites install counter-measures, etc. There are sites that still manage to create popups even though I have everything blocked and disabled!

    There are a LOT of sites where you have to enable ActiveX and scripts to get anything done. Sometimes it makes sense because the site has a lot of active content (certain shopping sites). Sometimes it's just because of the ego of the website creator, who wants to make his/her site a technological terror.

    As the focus comes on security, there are a lot of sites out there who are going to get left in the cold if they don't take site and browser security seriously. That means getting rid of unneeded scripts and widgets, and being flexible to alternative browsers like Firefox and Opera. Internet Explorer is still too much of a sieve because of the intentional hooks Microsoft has left in it to exploit, and I think 2008 is going to show some massive increases in identity theft and hijacking because of it.
    terry flores
  • RE: So long ActiveX. Will I miss you?

    How do you add Windows Updates w/o ActiveX?
    • Windows Updates et al

      Refer to the link in forestgump2000's post and follow the instructions to set up your 'trusted sites' security level then add the Microsoft URLs if they're not already included.

      In fact here's the CERT url:
  • what about bank safety, and windows update patches?

    As I asked Ryan about this also.

    Wouldn't it be a better bet to use Add-Ons Administration on IE to turn off everything you _don't_ need?

    That way safety applications like Norton 360's site validation, XPL Link Scanner Pro, etc. can keep protecting that you actually reached the bank instead of a black server, and that its site isn't polluted.

    Further, doesn't Windows Update use an Active-X to perform patching?

    Hope you can get clear advice on these points, Larry, and thanks for passing it on as you do.

    Narr vi
  • Been activex free

    since 1999 :) Another bonus to using alternatives! ]:)
    Linux User 147560
    • You're so cool

      can I be your friend?
  • Panda Security Newsletters.

    I've been receiving the Panda Newsletters for a very long time. They are free and detail the top 10 current mal-ware threats for the week.

    I believe that these attempts may be over-written by certain viruses that take control of the Windows computer.

    The previous poster questioned the effects of removing Active-X on AV programs. My previous work computer was protected by Symantec Corporate AV. The computer was fully updated running XP SP2. I ran additional tools and found 2 trojans, 2 key-loggers and rootkits that were over 20 days old. I removed everything manually. It illustrated to me that the current AV systems are grossly inadequate.

    I have used OSS for about 4 years and have had no problems and feel that they provide much more security for banking and other financial transactions.
  • RE: So long ActiveX. Will I miss you?

    Yes, I'd miss it. My employer's SSL VPN unfortunately relies upon a proprietary ActiveX control. I do almost all the rest of my browsing with Firefox, so it's really not too much of an issue (as regards either functionality or security) otherwise.
  • Microsoft: "do as i say, not as i do"

    Microsoft ?told? us developers to stop using/developing activeX controls years ago, yet Microsoft (and related developer) sites remain the most hypocritical in this regard.

    ActiveX is the ?easy way out?, but is less secure. So as a developer, as Microsoft pops up yet another ?this site requires an ActiveX control? popup, it always makes me wonder: If Microsoft can?t get things to work in their browsers without activeX (eg Live Meetings), what chance does an average web developers have without billion dollar resources backing them up?

    I don?t develop with ActiveX, but I think a lo of developers do take the ?easy way out? since some things are extremely hard to develop for a browser, if not impossible, without it. It?s probably the reason there are so many sites still using it.
  • Let's be fair, MS didn't write the problematic code

    There's a hole in facebook's ActiveX control. That isn't installed by IE by default. A user has to explicitly accept that control. Exactly the same as a plugin under Firefox or Opera.
    Disabling ActiveX and moving to Firefox is just pretending that the problem doesn't exist. If anything, it is more dangerous as everyone believes that these alternate browsers are somehow safer. They're not. they are just as vulnerable to bad 3rd party code as anyone else. As an example, the latest Flash plugin is able to take down Firefox just as easily as IE. That is the fault of Adobe - not ActiveX; not plug-ins; not MS. It is incompetance on the part of Adobe's development team. Equally, the Facebook exploit is due to poor software from Facebook.
    • agree

      On my play system, I have disabled ActiveX under IE and plugins/javascript/Java under Firefox. On my work system, I hasve high security and still only go to known sites. Both measures sure limit my web browsing.
  • Active-X at work.

    Active-X at work.

    Several years ago, I was asked to fix a relatives' computer which was virus infested. She had three young children that used the computer.

    I removed the viruses, cleaned and then defragmented the drive. The hardest and most annoying thing to remove was adware associated with a web site called Bonsai-Buddy. (A monkey would jump around the screen).

    I finally felt I got it off and reset the home page to Google.

    About 45 minutes later I was using the computer and noticed that the home page was changed back to Bonsai-Buddy. This was troubling because I knew none of the kids knew how to set a home page.

    I changed it back to Google.

    Then, A few seconds later, A gray pop up appeared with the words: "Some meanie changed your home page. Click here to change it back to Bonsai-Buddy"

    If you want to test your security, give your system to kids for six months and see what happens. After many return visits I switched them over to Freespire and later to PC-BSD.
    • Mwa-hahahahahahahaaa... Bonsai-Buddy!


      I had a good laugh at Bonsai-Buddy...

      Talk to your relatives and have the relatives tell their kids to be careful about what they download and whenever they visit any websites using search engines such as Google. If I were the relatives, I'd change the homepage to It helps the relatives and kids know if a website may contain adware/spyware.
      Grayson Peddie