SEARCH

How-To Geek

What ActiveX Controls Are and Why They’re Dangerous

microsoft-download-manager-activex

ActiveX controls are Internet Explorer’s version of plug-ins. For example, Internet Explorer’s Flash player is an ActiveX control. Unfortunately, ActiveX controls have been a significant source of security problems.

ActiveX controls are essentially pieces of software and have access to your entire computer if you opt to install and run them. If you’re using Internet Explorer, websites can prompt you to install ActiveX controls — and this feature can be used for malicious purposes.

What ActiveX Controls Do

An ActiveX control is a small program for Internet Explorer, often referred to as an add-on. ActiveX controls are like other programs — they aren’t restricted from doing bad things with your computer. They could monitor your personal browsing habits, install malware, generate pop-ups, log your keystrokes and passwords, and do other malicious things.

ActiveX controls are actually not Internet Explorer-only. They also work in other Microsoft applications, such as Microsoft Office.

Other browsers, such as Firefox, Chrome, Safari, and Opera, all use other types of browser plug-ins. ActiveX controls only function in Internet Explorer. A website that requires an ActiveX control is an Internet Explorer-only website.

activex-control-uac-prompt

Security Concerns

You should avoid installing ActiveX controls unless you trust their source. Certain ActiveX controls are normal — for example, if you’re using Internet Explorer you probably have the Flash Player ActiveX control installed — but you should avoid installing other ActiveX controls if possible.

For example, while Oracle is a trustworthy corporation that isn’t out to infect your computer (unless you count the Ask Toolbar they slip into updates), the Java ActiveX control has security vulnerabilities and could be used to infect your computer. The more ActiveX controls you install, the more websites can take advantage of their problems to damage your computer. Reduce your attack surface by uninstalling potentially vulnerable ActiveX controls you don’t use.

Modern versions of Internet Explorer include features like ActiveX Filtering, Protected Mode, and “killbits” that prevent vulnerable ActiveX controls from running. Unfortunately, ActiveX controls are unsecure by their very design and nothing can be done to make them completely secure.

activex-protected-mode-security-warning

Managing ActiveX Controls

You can view the ActiveX controls you have installed by clicking the gear menu in Internet Explorer and selecting Manage Add-ons. Click the box under Show and select All add-ons.

You will probably have a variety of common ActiveX controls installed system-wide, such as Adobe’s Shockwave Flash, Microsoft Silverlight, and Windows Media Player. You can disable these from here, but you’ll have to uninstall them from the Control Panel if you want to remove them from your system.

internet-explorer-view-all-installed-activex-controls

To display ActiveX controls that you’ve downloaded via the browser, select Downloaded controls in the Show box.

view-downloaded-activex-controls

To uninstall a control you’ve downloaded, double-click it and click the Remove button in the More information window.

uninstall-activex-control-in-internet-explorer


In summary, ActiveX controls are dangerous and you should only install them if you need to do so and trust the source.

Sure, install the Flash Player ActiveX control — but if you’re browsing the web an a website wants to install an ActiveX control, you should probably decline the offer. Even if you do opt to install an ActiveX control from a trusted source, you should probably remove it when it’s no longer necessary to reduce your attack surface and help secure your computer.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 05/5/13

Get Free Articles in Your Inbox!

Join 134,000 newsletter readers

Email:

Go check your email!