Meandering Out Loud

Musing, Muttering, and Mischief Along a Random Path

ActiveX - Resident Evil

I’ve always wondered why ActiveX controls continue to be written. There are cases where you need access to the local machine to provide a useful service, but most things don’t need it, at least not outside of a sandbox. There will always be security flaws in every type of software, but ActiveX controls seem to be the easiest target for the dark side. Most of my friends and I stopped using Internet Explorer years ago, except for a few sites that either require IE (e.g. Outlook Web Mail) or are so poorly written that they won’t even display data unless you’re using IE.

Browsing through my email today I ran across an article on eWeek, ActiveX Under Siege: Facebook, MySpace Image Uploaders Vulnerable, that once again highlights the problem. Here is a small excerpt:

“In tandem with the public release of this information, remote code-execution exploits targeting the Aurigma, Facebook, and Yahoo! issues were released. Each issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer),” Kamerling said.

In the absence of patches, Symantec recommends that IE users take “extreme caution” when browsing the Web and ensure that the browser is configured with the highest security settings.

The US-CERT goes a step further, recommending that IE users completely disable ActiveX scripting in the browser.

The article also points you to a helpful guide from US-CERT on Securing Your Web Browser.
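As an added example that is not part of the original post or the US-CERT guide, the PowerShell below audits the ActiveX-related actions in Internet Explorer's Internet zone for the current user and, when you choose to run the second function, sets each of them to Disable, which is what the US-CERT recommendation quoted above amounts to. It assumes the standard IE zone-settings registry layout (action IDs 1001, 1004, 1200, 1201 and 1405 under Zones\3, with data 0 = Enable, 1 = Prompt, 3 = Disable); the function names are my own.

```powershell
# Added example, not from the original post: audit and optionally disable
# ActiveX in Internet Explorer's Internet zone (zone 3) for the current user.
# Assumed registry layout: standard IE zone settings, where each value name is
# an action ID and the DWORD data means 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$ActiveXSettings = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IeActiveXState {
    # Report the current setting of each ActiveX-related action in the zone.
    foreach ($id in ($ActiveXSettings.Keys | Sort-Object)) {
        $data = (Get-ItemProperty -Path $ZonePath -Name $id -ErrorAction SilentlyContinue).$id
        [pscustomobject]@{
            Id      = $id
            Setting = $ActiveXSettings[$id]
            Value   = $data
            State   = if ($null -eq $data) { '(not set, zone default applies)' } else { $Meaning[[int]$data] }
            Safe    = ($data -eq 3)   # only an explicit Disable counts as safe here
        }
    }
}

function Disable-IeActiveX {
    # Set every ActiveX-related action in the Internet zone to 3 (Disable).
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($id in $ActiveXSettings.Keys) {
        if ($PSCmdlet.ShouldProcess("$ZonePath\$id", 'Set to 3 (Disable)')) {
            Set-ItemProperty -Path $ZonePath -Name $id -Value 3 -Type DWord
        }
    }
}

# Audit first; rows with Safe = False are where ActiveX is still allowed.
Get-IeActiveXState | Format-Table -AutoSize
# Preview the change with: Disable-IeActiveX -WhatIf   then apply with: Disable-IeActiveX
```

Group Policy or the HKLM zone keys override these per-user values on managed machines, so re-run the audit afterwards to confirm the effective state.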