What Are Unsigned ActiveX Controls?


    Use of ActiveX Controls

    • ActiveX controls are designed to allow an application within a web page to run correctly in the browser. The user is asked to download the "controls" for the ActiveX software/application, which are then saved in the computer's registry. When the web browser encounters a page with embedded ActiveX, it scans the "CLASSID" of the web page to determine whether the system already has ActiveX controls for that application installed. If there are no ActiveX controls for the current web page, ActiveX controls are enabled and downloaded. All ActiveX controls remain in the computer's registry unless they are removed manually by the user.

    Malicious Software

    • ActiveX code is written in VBScript and, unlike other applications such as Java, can be designed with malicious intent. When a user encounters an ActiveX application or code and is asked to download the ActiveX control, a malicious program such as a Trojan or worm virus could be downloaded to the computer along with the ActiveX control. ActiveX controls are stored in the computer's registry, a vulnerable area of the computer from which it is notoriously hard to remove virus software. Malicious software downloaded by untrustworthy ActiveX controls can be run from the registry without the user's knowledge.

    Development of the "Signature"

    • Because malicious software can easily be downloaded when an ActiveX control is enabled, Microsoft developed the "signed ActiveX control." Programmers are required to sign ActiveX controls and ActiveX applications with an electronic signature, which is used by the browser to confirm the origin and security of the application. If the signed ActiveX control passes security protocols and is verified by the browser, the control is automatically downloaded; if the ActiveX control is unsigned, the user is requested to "enable" or "disable" the control at her discretion.

    Unsigned ActiveX Controls

    • Not all unsigned ActiveX controls contain malicious software. However, if the web browser cannot verify the credentials, the user is given the option to enable the control at the user's own discretion. The browser first attempts to enable "object safety" by verifying the credentials and electronic signature and checking the parameters of the ActiveX control to ensure they are stable. The user is then given the option to disable or enable unsafe ActiveX controls that do not pass security checks; if the user disables the ActiveX control, the control is not loaded with its parameters and is not scripted. If the user overrides the object safety and enables the ActiveX control, the control is loaded with its parameters, which initialize all scripts. Unsigned ActiveX controls are still downloaded to the registry when accepted by the user, and do not need to be accepted again.
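
Because an accepted control stays registered until someone removes it, a periodic audit of what is registered and whether each binary carries a valid signature is useful. The PowerShell below is an added example, not part of the original article: it is read-only, lists registered ActiveX controls, reports the Authenticode status of each control's binary, and shows whether the control has registered itself in the "safe for scripting" and "safe for initialization" component categories. The variable names and output columns are choices made for this example.

```powershell
# Added example: read-only audit of registered ActiveX controls.
# Run in Windows PowerShell on the machine being reviewed.

# Component categories a control registers to claim "object safety".
$SafeForScripting    = '{7DD95801-9882-11CF-9FA8-00AA006C34E4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA8-00AA006C34E4}'

$clsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'

$results = foreach ($key in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
    # A "Control" subkey is the conventional marker for an ActiveX control.
    if (-not (Test-Path -LiteralPath (Join-Path $key.PSPath 'Control'))) { continue }

    # The default value of InprocServer32 names the binary that gets loaded.
    $serverKey = Join-Path $key.PSPath 'InprocServer32'
    if (-not (Test-Path -LiteralPath $serverKey)) { continue }
    $raw = [string](Get-Item -LiteralPath $serverKey).GetValue('')
    if ([string]::IsNullOrWhiteSpace($raw)) { continue }
    $path = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))

    # Authenticode status: Valid, NotSigned, HashMismatch, NotTrusted, ...
    $status = if (Test-Path -LiteralPath $path -PathType Leaf) {
        [string](Get-AuthenticodeSignature -LiteralPath $path).Status
    } else {
        'FileNotFound'   # label used by this example, not a cmdlet status
    }

    $cats = Join-Path $key.PSPath 'Implemented Categories'
    [pscustomobject]@{
        Clsid         = $key.PSChildName
        Path          = $path
        Signature     = $status
        SafeScripting = Test-Path -LiteralPath (Join-Path $cats $SafeForScripting)
        SafeInit      = Test-Path -LiteralPath (Join-Path $cats $SafeForInitializing)
    }
}

# Controls whose binary is not validly signed deserve a manual review,
# especially those that also claim to be safe for scripting.
$results |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object SafeScripting, Path -Descending |
    Format-Table -AutoSize
```

On 64-bit Windows, 32-bit controls are registered under `HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID`; point `$clsidRoot` there for a second pass.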
