Internet Explorer’s ActiveX controls, introduced in 1996, were a bad idea for the web. They caused serious security vulnerabilities and helped cement Internet Explorer’s dominance on Windows, which contributed to the web’s stagnation before Firefox arrived.
What Were ActiveX Controls?
ActiveX controls are a type of program that can be embedded in other applications. Microsoft has used them for a variety of purposes …
Then, when you visited a web page, Internet Explorer asked you to download and run the ActiveX controls that the web page specified.
Popular Internet Explorer plug-ins such as Adobe Flash, Adobe Shockwave, RealPlayer, Apple QuickTime and Windows Media Player were implemented using ActiveX controls.
Security was an issue from the start
The 90s were a different time, which also gave us dangerous macros in Office documents. Originally, ActiveX controls were just like any other program on your computer. When you started an ActiveX control, it had full access to everything on your computer.
In other words, you could visit a web page in Internet Explorer and see a prompt saying that the page wanted to run a game or some other program. If you agreed, the ActiveX control could do whatever it wanted with every file and program on your computer. It’s easy to see why this was ideal for malware.
This stood in stark contrast to Sun’s Java technology. At the time, Java was also used to run programs (applets) on web pages in the browser. However, Java tried to limit what those programs could do by running them in a sandbox. Java in the browser went on to have a long history of security flaws, but at least it tried to limit what applets could do.
A 1997 CNET article reflects Microsoft’s stance at the time:
“Although the Java sandbox enforces a high degree of security, it does not allow users to download and run exciting multimedia games or other complete programs on their computers,” said a statement on Microsoft’s security site. “Therefore, users may want to download code that has full access to their computer’s resources.”
The article further explains that Microsoft had included an “accountability system” called Authenticode. Software developers could choose to digitally sign their ActiveX controls, but signing was not required. A developer who shipped a malicious ActiveX control could be identified more easily, but only if that developer chose to sign the control.
Since Microsoft initially relied on the honor system, it is easy to see how ActiveX became a popular way to deliver malware and spyware to Internet Explorer users.
ActiveX is designed for the old web
There was a time when web technologies weren’t very powerful. If you wanted something more advanced than text and images – even if you just wanted to embed a video in a web page – you needed some sort of browser plugin.
Many organizations turned to ActiveX controls to add functionality to their websites. Many companies also used ActiveX controls internally to quickly deliver programs to their business PCs. When you open one of these web pages with Internet Explorer, you are prompted to download an ActiveX control and run the program.
Fun and easy, too easy. That might fly on a company’s internal network (intranet), where everything was trusted. But on the untamed public web, it caused a lot of trouble.
ActiveX was a security mess
Conceptually, ActiveX had two major security issues. First, a malicious website could ask you to install a malicious ActiveX control, and it was very easy for Internet Explorer users to agree to the prompt and install it.
Second, a bug in a legitimate ActiveX control could be just as bad. If you had an outdated version of Adobe Flash installed, a malicious website could exploit that bug and gain access to your entire computer, because ActiveX controls such as Flash ran with full access to the system.
This was a really big deal, as ActiveX controls often had no automatic update mechanism, so old, vulnerable versions stayed installed.
Over time, Microsoft tightened the security settings and added protections such as “Protected Mode” and “Enhanced Protected Mode.” Internet Explorer gained a built-in list of outdated ActiveX controls that it refuses to load, and it shows additional warnings before downloading and loading ActiveX controls. Other settings let a control’s author restrict where the control may run, for example only on certain websites.
Example: Microsoft’s own website once required an Akamai “Download Manager” ActiveX control to download certain files. That download manager needed full access to your computer, and of course it only ran in Internet Explorer. Unsurprisingly, it had security vulnerabilities of its own. Compared with the browser’s built-in file downloader, that is hardly a good way to download a file.
ActiveX controls were not cross-platform
ActiveX was a Microsoft technology that worked best in Internet Explorer on Windows. There were some plugins that added support to competing browsers, such as Netscape Navigator (Mozilla Firefox’s ancestor), but it was really all about Internet Explorer.
In theory, ActiveX was cross-platform: Microsoft added ActiveX support to Internet Explorer for Mac. But unlike Java, where one program ran on every platform, an ActiveX control written for Windows would not run on a Mac. Developers would have had to build a separate Mac version of each control.
South Korea, for example, standardized in the 1990s on an ActiveX control required to access financial and government websites. The requirement wasn’t fully retired until 2020, and it forced people to keep using that old, outdated technology for a very long time. As the Washington Post wrote in 2013, “South Korea [was] Stuck with Internet Explorer for Online Shopping.” The article describes how Mac users had to rely on desktop computers at the office, Internet cafes, old computers, or Boot Camp to make online purchases.
Similar situations played out elsewhere: companies that standardized on ActiveX to deliver internal applications continued to rely on Internet Explorer on Windows until they left ActiveX behind.
How the modern web is better
From a security perspective, the modern web is much better. When you load a web page, it runs inside the browser’s own isolated sandbox. The browser does not hand part of the page to ActiveX, Java, Flash, or any other third-party program to execute.
There is no way that a website can provide code that gets full access to everything on your computer – not without, say, downloading an EXE file that runs completely outside the browser on Windows.
Your web browser updates itself automatically, so there’s no risk of old code getting stuck and accessible to web pages without getting security patches – like with ActiveX.
Before Flash was completely phased out in favor of web technologies at the end of 2020, even Flash content was more secure than ActiveX. Google Chrome, for example, ran Flash in a sandbox. A malicious Flash applet would have needed one bug to escape Flash’s own sandbox and then a second bug to escape Chrome’s plug-in sandbox before it could gain full access to the computer.
And of course the modern web is platform independent. You can use any browser you choose on any platform. You are not stuck with Internet Explorer on Windows because the websites you use require an ActiveX control that only works on Windows in that one browser.
Most browser extensions you install can see everything you do in your web browser, but at least they cannot access your entire computer.
ActiveX controls on Windows 10
As of 2021, ActiveX controls are still supported on modern versions of Windows 10. You must use the older Internet Explorer 11 browser; Microsoft Edge does not support ActiveX controls.
Some companies and other organizations still use ActiveX controls, so Microsoft hasn’t removed support for them yet.
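To see what this looks like on a current Windows 10 machine, here is an added example (not from the original article, and not Microsoft’s code) that inventories the ActiveX controls registered on the system and reports, for each one, whether it is marked safe for scripting and initialization and whether Internet Explorer’s per-control block, the “kill bit” behind the block list mentioned above, is set for it. It relies only on documented registry locations: ActiveX controls are COM classes under HKEY_CLASSES_ROOT\CLSID marked with the Controls component category (or a legacy Control subkey), the safe-for-scripting and safe-for-initializing categories are the well-known CATIDs given in the script, and the kill bit is bit 0x400 of the “Compatibility Flags” value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The function names and output columns are my own choices.

```powershell
# Added example (not part of the original article): list the ActiveX controls
# registered on this Windows machine and show which ones Internet Explorer 11
# would still load from a web page. Read-only; no elevation required.

# Documented component-category identifiers (CATIDs) used by IE.
$CATID_Control          = '{40FC6ED4-2438-11CF-A3DB-080036F12502}'  # "Controls"
$CATID_SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # safe for scripting
$CATID_SafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # safe for initializing from data

# IE's per-control block list: bit 0x400 in "Compatibility Flags" is the kill bit.
$KillBit    = 0x400
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBitState {
    # Returns $true when IE refuses to instantiate the given CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]($flags -band $KillBit)
}

function Get-ActiveXInventory {
    # Walks HKCR\CLSID and emits one object per registered ActiveX control.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $clsid = $_.PSChildName
        $base  = $_.PSPath
        $cats  = "$base\Implemented Categories"

        # A CLSID is an ActiveX control if it carries the Controls category
        # or the older "Control" marker subkey.
        $isControl = (Test-Path "$base\Control") -or (Test-Path "$cats\$CATID_Control")
        if (-not $isControl) { return }   # acts as "continue" inside ForEach-Object

        $name   = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty -Path "$base\InprocServer32" `
                    -ErrorAction SilentlyContinue).'(default)'

        [pscustomobject]@{
            CLSID            = $clsid
            Name             = $name
            Server           = $server          # DLL/OCX that runs with the user's full rights
            SafeForScripting = Test-Path "$cats\$CATID_SafeForScripting"
            SafeForInit      = Test-Path "$cats\$CATID_SafeForInit"
            KillBitSet       = Get-KillBitState -Clsid $clsid
        }
      }
}

$inventory = Get-ActiveXInventory

# Summary: how many controls exist, and how many IE has blocked outright.
"Registered ActiveX controls: $($inventory.Count)"
"Kill-bitted by IE:           $(($inventory | Where-Object KillBitSet).Count)"

# The interesting set: controls a web page could still script in IE 11 today,
# i.e. marked safe for scripting and not kill-bitted.
$inventory | Where-Object { $_.SafeForScripting -and -not $_.KillBitSet } |
    Sort-Object Name | Format-Table Name, CLSID, Server -AutoSize
```

Run it from a PowerShell prompt on Windows. The final table is the list a security reviewer actually cares about: every entry is a native plugin that Internet Explorer 11 will happily hand to a web page and that runs with the logged-in user’s full privileges, so anything unexpected there is worth uninstalling or kill-bitting.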