Introduced in 1996, Internet Explorer’s ActiveX controls were a bad idea for the web. They caused serious security problems and helped cement the dominance of Internet Explorer on Windows, which led to the pre-Firefox stagnation of the web.
What Were ActiveX Controls?
ActiveX controls are a type of program that can be embedded in other applications. Microsoft used them for a variety of purposes—for example, you could embed ActiveX controls in Microsoft Office documents. However, here, we’re focusing on ActiveX for the web. Starting with Internet Explorer 3.0 in 1996, Microsoft let web developers embed ActiveX controls in their web pages.
Back then, when you visited a web page, Internet Explorer would prompt you to download and run any ActiveX controls that the web page specified.
Popular Internet Explorer plug-ins like Adobe Flash, Adobe Shockwave, RealPlayer, Apple QuickTime, and Windows Media Player were implemented using ActiveX controls.
Security Was a Problem from the Start
The ’90s were a different time, which also brought us dangerous macros in Office documents. Originally, ActiveX controls were like any other program on your computer. When you launched an ActiveX control, it had full access to everything on your computer.
In other words, you might visit a web page in Internet Explorer and see a prompt stating that the web page wanted to run a game or other program. If you agreed, ActiveX control would be able to do anything it wanted with all the files and programs on your computer. It’s easy to see how this was ideal for malware.
This was in stark contrast to Sun’s Java technology. At the time, Java was also used to run programs on web pages inside web browsers. However, Java attempted to limit what these programs could do through the use of a sandbox. Java in the web browser ultimately had a long history of security flaws—but at least Java was trying to limit what applications could do.
A CNET article from 1997 captures Microsoft’s attitude at the time:
“While the Java sandbox enforces a high degree of security, it does not let users download and run exciting multimedia games or other full-featured programs on their computers,” a statement on Microsoft’s security site reads. “As a result, users may want to download code that has full access to their computers’ resources.”
The article goes on to explain that Microsoft included an “accountability” system named Authenticode. Software developers could choose to stamp their ActiveX controls with a digital signature, but it wasn’t mandatory. Developers who created malicious ActiveX controls could be tracked down more easily—if they chose to sign their controls.
With Microsoft initially relying on the honor system, it’s easy to see how ActiveX became a popular way to deliver malware and spyware to Internet Explorer users.
ActiveX Was Designed for the Old Web
There was a time when web technologies weren’t very powerful. If you wanted something more advanced than text and images—even if you just wanted to embed a video in a web page—you needed some sort of browser plug-in.
Many organizations turned to ActiveX controls to add functionality to their websites. Many businesses used ActiveX controls internally, too, to quickly deliver programs to their business PCs. When you accessed one of these web pages with Internet Explorer, it would prompt you to download an ActiveX control and you’d be running the program.
Nice and easy—too easy. Perhaps that would fly on a company’s internal network (intranet) where everything was trustworthy. But on the untamed web, this caused a lot of problems.
ActiveX Was a Security Mess
Conceptually, ActiveX had two big security problems. First, a malicious website could prompt you to install a malicious ActiveX control, and it was very easy for Internet Explorer users to agree to the prompt and install it.
Second, a bug in a legitimate ActiveX control could be a problem. If you had an outdated version of Adobe Flash installed, for example, a malicious website could take advantage of that and gain access to your entire computer—since ActiveX controls like Flash had access to your entire computer.
This was a big deal, really, since ActiveX controls often didn’t have automatic update systems.
Over time, Microsoft kept tightening the security settings and adding extra protection like “Protected Mode” and “Enhanced Protected Mode.” For example, Internet Explorer has a built-in list of outdated ActiveX controls that it refuses to load. Internet Explorer provides additional warnings before downloading and loading ActiveX controls. Other security settings were introduced that let ActiveX control creators restrict ActiveX controls to only run on certain websites, for example.
Case in point: Microsoft’s website once required an Akamai “Download Manager” ActiveX control to download certain files. This Download Manager required full access to your entire computer, and of course, it only ran in Internet Explorer. Unsurprisingly, this Download Manager program had its own security vulnerabilities. Does that really sound like a good solution for downloading files instead of just relying on your web browser’s built-in file downloader?
ActiveX Controls Weren’t Cross-Platform
ActiveX was a Microsoft technology that ran best in Internet Explorer on Windows. There were some plug-ins that added support to competing browsers, like Netscape Navigator (the ancestor of Mozilla Firefox), but it was really all about Internet Explorer.
Technically, ActiveX was cross-platform. Microsoft added ActiveX support to Internet Explorer for Mac. However, unlike with Java (which was cross-platform), ActiveX controls written for Windows would not work on a Mac. Developers would have to create ActiveX controls for the Mac.
For example, South Korea standardized on an ActiveX control that was required to access secure financial and government websites back in the ’90s. It was only fully shut down in 2020, and dependency on ActiveX forced people to use that ancient, outdated technology for a long time. As the Washington Post once wrote, “South Korea [was] stuck with Internet Explorer for online shopping” in 2013. The article describes how Mac users had to rely on desktop computers in their offices, internet cafes, old computers, or Boot Camp to make purchases online.
Such situations played out in similar ways in other places: Companies that standardized on ActiveX for delivering internal applications were stuck depending on Internet Explorer on Windows until they left ActiveX behind.
How the Modern Web Is Better
From a security perspective, the modern web is much better. When you load a web page, your web browser loads and runs that web page in its own isolated sandbox. The web browser doesn’t rely on ActiveX, Java, Flash, or any other type of third-party program that runs part of the web page.
There’s no way for a website to deliver code that gets full access to everything on your computer—not without downloading an EXE file that runs entirely outside the browser on Windows, for example.
Your web browser automatically updates itself, so there’s no risk of ancient code sitting around and remaining accessible to web pages without getting security patches—as there was with ActiveX.
Before it was axed completely in favor of web technologies at the end of 2020, even Flash content was more secure than ActiveX. Google Chrome, for example, ran Flash in a sandbox. A malicious Flash applet would have to use a flaw to escape the sandbox in Adobe Flash itself, and then use another flaw to escape the plug-in sandbox in Google Chrome to get full access to the computer.
And of course, the modern web is cross-platform. You can use whatever browser you choose on whatever platform you like. You’re not stuck using Internet Explorer on Windows because the websites you use require an ActiveX control that only works on Windows in that one browser.
And sure, most browser extensions that you install have access to everything you do in your web browser—but at least they don’t have access to your entire computer.
ActiveX Controls on Windows 10
As of 2021, ActiveX controls are still supported on modern versions of Windows 10. You have to use the legacy Internet Explorer 11 browser, however—Microsoft Edge does not support ActiveX controls.
Some businesses and other organizations are still using ActiveX controls today, so Microsoft has not removed support for it yet.