Microsoft blocking of old ActiveX not enough

Summary: It's a good thing that IE will warn you before running outdated versions of important ActiveX controls, but it's such a small thing compared to what Microsoft could do.


For about the last 12 years Microsoft has been cleaning up security messes in Windows that the company created in prior years. Next Tuesday — Patch Tuesday — the company will be adding another feature to clean up old messes, i.e. the ability to block old versions of ActiveX controls, a very common exploit vector on Windows.

My colleague Ed Bott calls this change "monumental," and it is important, especially as it focuses initially on the single greatest problem in this area, Oracle's Java. But it's not monumental enough for me. Microsoft could take a true giant step towards solving the update problem with third-party Windows programs by allowing third parties to plug into the Windows Update mechanism. It's clear that Microsoft is not going to do this, which limits it to comparatively small changes such as the one in the news now. This new change is certainly a good thing, but it leaves me wanting. It is an improvement on some of Microsoft's other hack solutions, such as delivering ActiveX kill bits through Windows Update.
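The feature discussed above compares each installed control's version against a minimum-version list and blocks anything older. The following is an added example, written for this page and not Microsoft's implementation nor the real Internet Explorer version-list format, of the decision logic such a check needs. The block list, control names and version numbers are constructed sample values. The point it makes is that version strings must be compared numerically component by component: as plain strings, "1.7.0.9" sorts after "1.7.0.65" and an outdated build would be allowed through.

```python
"""Added example: deciding whether an installed ActiveX control is out of date.

Illustrative code written for this page, not Microsoft's implementation and
not the real IE version-list format. Assumes a constructed block list that
maps a control name to the lowest version still allowed to run.
"""
from __future__ import annotations

import re

# Constructed block list: control name -> lowest version that is NOT blocked.
# Anything below the threshold is treated as outdated and blocked.
MIN_ALLOWED = {
    "Java": "1.7.0.65",     # constructed sample threshold
    "Flash": "14.0.0.145",  # constructed sample threshold
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted version such as '1.7.0.65' or '1.7.0_65' into a tuple of ints.

    Numeric comparison matters: compared as strings, '1.7.0.9' > '1.7.0.65',
    which would wrongly treat an older build as current.
    """
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no numeric components in version {text!r}")
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Missing trailing components count as zero, so '1.7.0' equals '1.7.0.0'.
    """
    pa, pb = list(parse_version(a)), list(parse_version(b))
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_outdated(control: str, installed_version: str,
                block_list: dict[str, str] = MIN_ALLOWED) -> bool:
    """True if the installed version is below the minimum allowed version."""
    minimum = block_list.get(control)
    if minimum is None:
        return False  # control not on the list: nothing to enforce
    return compare_versions(installed_version, minimum) < 0


def decide(installed: dict[str, str],
           block_list: dict[str, str] = MIN_ALLOWED) -> dict[str, str]:
    """Map every installed control to the verdict 'block' or 'allow'."""
    return {
        name: ("block" if is_outdated(name, version, block_list) else "allow")
        for name, version in installed.items()
    }


if __name__ == "__main__":
    # Constructed inventory of installed controls on a hypothetical machine.
    sample_inventory = {
        "Java": "1.7.0.9",
        "Flash": "14.0.0.145",
        "Silverlight": "5.1.30514.0",
    }
    for name, verdict in decide(sample_inventory).items():
        print(f"{name}: {verdict}")
```

Running the block prints `Java: block`, `Flash: allow` and `Silverlight: allow`: Java is below the constructed threshold, Flash meets it exactly, and Silverlight is not on the list so there is nothing to enforce. An enterprise rolling out such a check would also want the inventory itself to be trustworthy, which is exactly why the rest of the column argues for a single well-audited update channel.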



What if Microsoft could make it really, really easy for the vast majority of users to keep key third-party programs up to date? To do this it would need to leverage one of its greatest assets, the Windows Update infrastructure. It should allow third parties to deliver their updates using Windows Update, a process that has been automatic by default on all Windows systems for many years, and which users have learned to trust.

If this sounds familiar, it may be because I've been making this argument for almost 10 years, most recently last fall. I've never gotten a straight answer on it, but it's clear to me that Microsoft doesn't want to be responsible for delivering other people's code. That seems like a perfectly reasonable argument until you consider that the Windows Store model for Windows 8+ and Windows Phone (and, to a lesser extent, Xbox) is built around being the sole source for delivering everyone else's code, including the latest updates. At the same time, Microsoft integrates Adobe Flash into Internet Explorer 10 and later.

App development rules for these environments are strict and the developers must pay Microsoft for the privilege of being a developer and of testing and hosting their apps. But the problems are far from insurmountable. For one thing, I see no reason why Microsoft would need to host anyone else's code. For another, Microsoft could set terms for allowing third parties into the system.

One option would be for the Windows Update servers to serve code hosted on other vendors' servers. Or Microsoft could license Windows Update server software to the third parties to run on their own servers, and their installation process could configure the Windows Update client to look for updates on those servers as well. Or Microsoft could host the third party code

Would Oracle, Adobe and others want to have Microsoft deliver their code rather than do it themselves? There are good reasons why they would want it: First, their update infrastructures cost money to run. Many vendors would still need to serve updates to Mac and Linux users, so they still would need an infrastructure, but the demand on it and the bandwidth consumed would be greatly lessened.

Second, it would likely give their customers a better experience, especially medium-size organizations which could easily use WSUS to manage the updates. Think of it as just another operating system service, and all ISVs use lots of operating system services. If I were Microsoft I would price the service to break even so as to encourage adoption as much as possible, but there's nothing wrong with making money on it.

But it's not going to happen. If it were going to happen, it would have happened already. I would feel better about it all if I saw the new Modern UI apps taking over the market, but signs of that are scarce. As Windows desktop programs persist, so will the problem of old versions.

Topics: Security, Microsoft, Windows

  • SCUP

    It would be ideal but MS already offers SCUP for enterprise customers but 3rd party vendors don't take them up on it. The ONLY vendors that do are Adobe, Dell, HP and Fujitsu. Do you have any idea how flipping annoying it is trying to deploy Java, QuickTime, and other 3rd party updates to hundreds of PCs? The vendors change the silent update method every time they release an update. Windows Update and SCUP/WSUS rely on structured updates; most 3rd parties are incompetent in this area. If the vendors can't get their s**t together why should MS do it for them?
    • Funny but Chrome has no trouble staying up to date.

      Never have to think about it and it runs on all platforms; something MS can't seem to manage on their own OSes.
  • Red Hat provides its RHEL subscribers both OpenJDK and Oracle's Java JDK

    binary updates via its repository. Oracle Java JDK updates wouldn't be available through Red Hat's RHEL repository without Oracle's consent.

    I can't see why Oracle would not work with Microsoft to provide its proprietary Java JDK and JRE updates through Windows Update.

    Don't forget that Adobe Software allows both Google (via the Chrome web browser) and Microsoft (as mentioned in the article for IE11 on Windows 8) to deliver Flash Player updates to users. In addition, Adobe allows various Linux distro repositories to provide its older Flash Player version, including updates, to users.

    P.S. Secunia made a run at 3rd party software updates through Microsoft (or Windows) Update several years ago and failed. As a result, its software update service is distinct from Microsoft's.
    Rabid Howler Monkey
  • yes and no

    Yeah it would be great if vendors could ride the MS Update train but then you have multiple threat vectors to deal with. There would have to be stringent controls and then everybody would whine that MS is too heavy handed and demands too much for them to participate.

    In reality they could get off their dead horses and create a consortium update mechanism which you could register with or not to get updates.

    In the end it comes down to vendors being too lazy and cheap to manage their software.
    • greywolf7: "vendors being too lazy and cheap to manage their software"

      Here's what currently happens with Windows:

      o Install Oracle Java JDK/JRE and both a new service and startup process are installed that manage updates
      o Install Google's Chrome web browser and a new service is installed that manages updates
      o Install Mozilla Firefox web browser and a new service is installed that manages updates

      This has led to both Windows service and startup process proliferation. Both are overkill.

      Microsoft has chosen to manage Flash Player updates for Internet Explorer in Windows 8. There's no good reason that it can't also do the same for Java. Both of these plug-ins account for the lion's share of exploits on Windows.

      In addition, Microsoft could choose to sandbox the Java Active-X control in Internet Explorer as it does with the Flash Player Active-X control. Not that IE protected mode is a security boundary or anything:
      Rabid Howler Monkey
  • Won't help

    Updates won't help. There's never been a case where a reasonably powerful remote software execution environment has not been easily compromised. The key is only locally executing code from trusted sources.
    Buster Friendly
    • For once, I agree with you completely.

      One of the nice things with RH based systems is the repository use. It is possible to have multiple repositories - allowing the admin to designate those that are trusted.

      In our case, we had a local repository, managed and maintained centrally. It would receive updates from various designated repositories, used for local validation - then the packages would be moved to validated repository for general local use.

      No problems. A complete server could be rebuilt from scratch in under 15 minutes if need be. Or a new one created (especially if a duplicate of one already defined - only had to change IP/hostname for the DHCP/DNS configuration).
      • I'm not talking about that

        I'm talking about executing dynamic code from web sites and not installing software. Obviously you don't want to install software from untrusted sources as there's no attempt to protect the system from that.
        Buster Friendly
        • Sorry...

          Misunderstood. It looked like you were talking about updates to your system.
  • That would cause a huge mess

    You know people just don't let go of old programs. Old programs that have just run for years that rely on other specific versions of other tech like Java. So, what Microsoft is doing is a step in the correct direction, but you have to consider that it needs to be a well thought out plan of action and not just OK, now force updates to everyone's software. You know how many business critical apps would be broken?

    Could this be done? Yes, but what should be updated and how to handle the communications and the safeguards is a big deal. Of course eventually upgrading to Windows 8 or Windows 9 will help with a lot of that, because apps can be automatically updated on those (not LOB apps, however).
  • I've advocated

    that they should do this since the turn of the century... It isn't a new concept, but Redmond won't do it and probably none of the third parties would do it either.

    There are probably a lot of legal hurdles as well. If the update coming over a Redmond server from a third party cripples a machine, who is responsible? If it leaves the machine open to attack, who is responsible?
    • I think it's financial

      I think it's financial. If you do your updates through the OS vendor, you lose the ability to sell package deals and whatnot. A good example is Google sneaking in a Chrome install when you updated Flash. I bet Adobe made some bucks off that.
      Buster Friendly
  • 3rd party software IS the enemy

    The last thing the operating system needs is nesting closer with 3rd party software...3rd party software must be working with the bare minimum of data and not exporting data...The myriad ways to export data and generate ping communication channels is mind boggling...Microsoft needs to keep those applications boxed neatly in controlled areas and not offer those applications any opportunity for mischief which generally includes basic hacking and when you get sniffers, copiers in the system the next thing is bye bye data... Common access to memory needs to be replaced with domain-restricted access to data blocks and it is harder than it looks but not impossible for an operating system to take charge of all assets... one idea is to limit daily data egress for particular types or instances of memory....there are a lot of useful parallel functions to deploy in future system networks as well... verify an IP isn't spoofed in one process parallel to your normal network connection ... if you can choose which multiple things to do at once you can slow hacking with isolation, randomization if you have the patience, know how to break down the real abstraction of every process...very difficult.... all commands need to be screened rather than someone reprogramming hardware and such with direct machine language commands...Microsoft can do much much better
  • Perhaps they could make a third party software update mechanism...

    ...which functions like Windows Update but is independent of Windows Update. Microsoft could build in the APIs and third parties could hook into it. Third parties maintain their own repositories, they update those repositories when necessary, and they take responsibility for them. The interface could provide a checklist of repositories and they can be enabled/disabled/scheduled independently.
  • Microsoft could do with Windows Update what Linux have done for years

    Long before there were those app stores, Linux users had automatic, reliable and secure updates for their preferred distro packages and also third-party (even proprietary!) software.

    I use Fedora Linux. I have Adobe Flash and Adobe Reader, some Oracle packages, some IBM ones, even VMware, besides much third-party software from RPMfusion and other sites.

    All of them automatically updated using Fedora's default package management, yum, with a desktop pop-up informing about updates and GUI front-ends to choose what to install and update, and what not. All packages digitally signed so I know I ain't installing spoofed software. Each vendor providing their own updates at their own pace, without having to pay Fedora / Red Hat for it.

    The app store idea is great. But it's just one instance of what Linux had years before. And Microsoft could have adopted the idea long before app stores were "invented". Just copy ideas from others, like they did when creating Active Directory and Internet Explorer ;-).

    If it works for so many companies (Red Hat, Oracle, Adobe, IBM, VMware, community sites, NGOs, etc.) why wouldn't it work for Microsoft and Windows ISVs?
    • Technically they already have.

      With the Windows Store.
      • Have not

        That's why the article was written. Last time I checked, I could not update Windows desktop software from the Windows Store.
    • 3rd party cooperation

      Apparently, Microsoft have always struggled to get access to things like drivers. Bizarrely, hardware manufacturers would rather force customers to visit their own site (and download a load of branded cruft) to get updates, rather than let Microsoft bundle it with Windows updates. I suppose I can see some logic in that, they'd rather ram branding down the throat of some of their users than hand more control to Microsoft and have it invisible. Not good for their users, of course, but they've already got the money by then!

      Something like an option in Windows installer (so an MSI file could specify "I'm v1.1 of Blah, updates will be available from") would be a nice solution IMO: MS Update could just check that URL when it polls the MS servers, and present any update options from that URL with the rest.
  • This is why enterprises invest in third-party patching tools like LANDesk

    LANDesk Patch Manager has been our go-to vulnerability detection and remediation solution for years. We got tired of the MS-only limitations of WSUS.
  • That's what they call on Linux..

    ..adding a ppa but then Linux users are a lot more security savvy than their windows counterparts