I received a question from subscriber and friend Ralph Campbell, who asked:
A number of times I have seen you refer disparagingly of “Active-x controls”.
I have seen downloads that require Active X to run properly. I have read the definition of the program, but, I guess I am just dense. What is this thing, and why do you consider it so insidious?
Admittedly, I’m technical-challenged, but can this program be explained?
What does one do as an alternative, if the program you want to download, requires Active-X to run?
Active-X controls are downloadable programs that have full capabilities to do anything on your computer. I’m not sure why Microsoft chose such the innocuous word "control" for a program that had no security constraints imposed upon it.
Microsoft came up with this no-security idea back when they looked at the Internet through MSN-colored glasses shaped like butterflies. Unfortunately, the Internet is not a friendly place, so the idea of Internet Explorer downloading, installing, and running a program — just because you went to a web site — was so foolish as to be clueless.
And, yet, that’s where Internet Explorer users have been until Windows XP Service Pack 2. Of course, anyone running I.E. on Win98, WinMe, Windows 2000 or even XP SP1, still has the same problem — automatic downloading of a program from a web site, just because you went there.
That’s the way many of the adware, spywarae and trojans get into computers. Usually, the first thing downloaded and installed is a "downloader" that calls home and downloads everything else the slime wanted to give you.
My first choice to solve the problem, which avoids the problem completely, is to use Firefox or Opera for web surfing except for Microsoft’s own site.
Get Firefox as part of the free Google Pack of software
Although I don’t like to do it, sometimes I’ll use Internet Explorer to visit a site other than Microsoft’s. If I happen to hit a site that wants download an Active-X program (and unfortunately, some Google Adsense ads want to do Active-X if you’re using I.E.) with Internet Explorer 6 and XP SP2, my choice is “No!” to the Active-X installer.
Then, if the site doesn’t work properly, I just close IE and then open it and go back to the site. This time, if you really trust the site, you can say yes.
One of the more “effective” scams last year involved people in Brazil. They visited a web site, the Active-X control added an entry to their Windows “Hosts” file, which is a way to predefine the IP address for a site — and then I.E. won’t even try to check the real Domain Name Servers. The result, a lot of people heading to a large Brazilian bank ended up at a fake, entered their ID and password, and were told “come back later.” Unfortunately, later they back account was empty.
Too much capability + too much automation + too much “user-friendliness” = huge security hole
That is, Active-X.
Use Firefox. Use Opera. Only use IE at microsoft.com. You’ll be a lot happier in the long run.