How-To Geek

How to Help Prevent Drive-By Viruses Using ActiveX Filtering in IE9

Anybody who has been around the internet for a while knows about ActiveX controls and their historical security problems. Here’s how to use ActiveX filtering in IE9 to prevent being hijacked by a virus while browsing.

What Is An ActiveX Control?

ActiveX is a standard dreamed up by Microsoft so that you can make use of the same code across multiple programs without “re-inventing the wheel” as developers like to call it. ActiveX Controls are an extension on Microsoft’s COM (Component Object Model), which allows for programs to interoperate with each other, so an ActiveX Control that is programmed in C# can talk to other ActiveX Controls that are programmed in C++.

How is this used in practice? For instance, Internet Explorer in its default installation state cannot play flash videos, but with an ActiveX control from Adobe, it can. As you can see ActiveX controls add more functionality to programs.

So What Is Wrong With That?

You might by now be thinking that ActiveX Controls are really helpful, and they are. The problem is that third-party plugins often contain security risks. In Internet Explorer, ActiveX controls can be downloaded and executed in the background and pose a risk of you being infected, via drive-by attack where you go to a website that exploits a security hole.

How Can I Protect Myself From This?

Internet Explorer 9 brought along a feature called ActiveX Filtering, that allows a whitelist style protection scheme. When enabled NO ActiveX Controls are allowed to run, then when you go to a site that requires ActiveX Controls, if you trust the site you can add them to the whitelist. Only websites on the list will be able to run ActiveX Controls.

By default ActiveX Control filtering is disabled in Internet Explorer 9, thus allowing any web page with an ActiveX Control to execute it. To enable ActiveX Filtering go to Tools Menu>Safety and then select the ActiveX Filtering Option.

Now when you go to a website that tries to run an ActiveX Control it won’t be allowed to as you can see below:

To add website to the whitelist click on the Filtered button, that is the little blue circle, and click on the Turn off ActiveX Filtering button. This will add the website to the whitelist so that it can run ActiveX Controls.

You will now be able to do stuff that requires ActiveX Controls on that website.

Taylor Gibb is a Microsoft MVP and all round geek, he loves everything from Windows 8 to Windows Server 2012 and even C# and PowerShell. You can also follow him on Google+

  • Published 09/5/11

Comments (16)

  1. Hogar the Wise

    Very nice. I didnt know about active x alot, now I do.

  2. kevmoney

    Is this like the NoScript for IE?

  3. Anand Tulpule

    Added to my KB.Nice share.Thank You.

  4. Morely Dotes

    A better solution is to never use IE except for Windows Updates, or to download a better browser.

  5. chuckles

    @Morely: Windows 7 doesn’t use IE for Windows Updates, and IE9 doesn’t run on previous versions of Windows. IE9 is as good as any other browser out there.

  6. TMK

    Chuckles, doesn’t IE9 also run on Vista?

  7. sml156

    Dont you have to download a bunch off addons to make the other browsers safer, seems to me if you want a safe browser and are new to computers it would be better to have it safe the minuit you install it and not have to go threw a learing curve to make it safe

  8. Nano

    Try Cocoon with firefox. Cocoon add-on is only compatible with Firefox versions 3.6.13 and later, as well as 4.0, 5.0, and 6.0 for Mac, PC and Linux. The same version of Cocoon will work on these versions of Firefox. Support for Internet Explorer is in development.
    Its awesome for onlone privacy.

  9. Tekkie

    IE9 does work on Vista – I’m using it now! I’ve never had any serious problem w/any IE version – I regularly clear out the cookies, cache, browsing history and temp files; reset it back to default, if absolutely necessary, and always have another browser hanging around… just in case! Thanks for the article – now I’m also going to filter the Active X!

  10. KCP

    Or, you can use Firefox 6.

    Drive By Viruses stopped.

  11. MAS

    i use IE 8 is there any filtering option in IE 8 regarding active x????
    and this post is really help full for me to understand Active x now i have good hand on my web surfing Thanks.

  12. kooberfacer

    HAHA!Using a different browser wont make the least bit of difference to a determined attacker.Ive used IE for well over 12 years and i havent had any issues.When i did it was my own fault not IE.When you know your system ,you can defend it.

  13. Morely Dotes

    For those who don’t get the point: ActiveX is vulnerability that exists *only* in Internet Explorer. Yes, other browsers have security holes, too, but none of them are specifically designed to allow Web sites to run programs locally on your PC, like IE is.

    And yes, Windows 7 doesn’t use IE for Windows Updates. Older version of Windows (including Server versions) do, so the advice stands.

    Ah, yes, and one final note: HostsFileUpdater (google it, download from C|net) should be in your Startup folder and used often, to block known malicious Web sites. You can’t be too paranoid; it’s not possible.

  14. CK

    In general I feel you can’t talk in absolute terms about security, only relative ones. In my opinion, ‘Secure’ is a set of decisions & practices far more than it is a state of being. To make any browsing ‘Safer’ you need to take into account the user’s behaviors & needs. Any time I see someone use the terms ‘better’ & ‘worse’ without following up what their reasoning & circumstances are behind it, I don’t think it really helps the conversation one bit. It spreads assumptions instead of separating facts from opinions.

  15. Jeremy

    Why would you use IE at all? Does it block scripting on a per-site basis? Can you block ad services? Can you control cookies with (some) ease? I don’t think so. Firefox and Chrome are the only game in town (with Firefox in the lead).

  16. Hyx

    @Jeremy – You can white/blacklist sites for scripting, use Tracking Protection to block ads (HTG needs to do an article on this, superbly effective and very easy to set up) and as for the controlling cookies I use CCleaner to delete my cookies which can indentify cookies for popular websites (hotmail etc) and not delete them. I prefer to clear everything every time and NEVER keep the ‘keep me logged in/remember me’ boxes ticked.

    Also, IE doesn’t have millions of addons (chrome is suffering with addons exploiting the browser at the moment), nor does it have the excessive memory leaks FF users have to cope with. There are pros and cons on every side.

More Articles You Might Like

Enter Your Email Here to Get Access for Free:

Go check your email!