More Firefox irony

So, you’re a Firefox evangelist and you’re going to preach about the evils of ActiveX:

For years, Mozilla struggled with website compatibility issues because it did not support Microsoft’s ActiveX technology, another major vector for security attacks on users. Not only would it have been a lot of work to reverse engineer and build Mozilla support for ActiveX, it would have opened Mozilla up to some of the worst threats on the Web. It would have been a bad idea. With the upcoming IE 7 (promised almost a year and a half ago) Microsoft says that “allowing ActiveX controls to run in IE should be the exception”. Good idea. And only about 5 years late.

(Clearing throat and doing best Keith Olbermann impersonation here…)

OK, then maybe your webpage shouldn’t include an embedded ActiveX control:

Here’s a snippet of the source code from the page (with angle brackets converted to square brackets and URL broken so I don’t try to force a QuickTime control down my visitors’ throats):

[object codebase="http: //www.apple.com/qtactivex/qtplugin.cab" width="480" classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" height="376"] [emphasis added]

Just sayin’.

7 thoughts on “More Firefox irony”

  1. Everyone needs to read this great article about the ActiveX blame game:

    http://www.eweek.com/article2/0,1759,1785769,00.asp

    I see this everywhere, self-proclaimed security experts hyping Firefox by bashing ActiveX in IE. People consistently blame auto-installing malware, which is really due to them not applying security patches, as “ActiveX vectored attacks”. I am so tired of it. Asa just shows how unknowledgeable he really is.

  2. ActiveX itself has never even really been the issue; it’s been the way ActiveX controls were allowed to install themselves as root without any oversight. Now that that’s been patched to a high degree of safety, the whole “Firefox is really safer because it doesn’t allow malware to install itself” thing is kind of a strawman argument.

    That said, I like the way FF does some things better.

  3. Serdar, let me guess: you use Linux/Unix, since you use the term “Root”. You can download an executable in Firefox that installs to “Root” in Windows. It is irrelevant; the real problem is the phishing attacks that allow it to happen in the first place, since you have to click on Yes to install the ActiveX control. Sites simply trick users with phishing-style ActiveX control installation windows. You could easily set one up to do the same on Firefox and get the same users to download an infected executable and run it.

  4. That dialog looks a little useless to me. What do I do if I don’t want the ActiveX control to run? Close the dialog with the little ‘x’ thingy? Kill the process?

  5. Correct, the dialog is there specifically because of the Eolas patent lawsuit against Microsoft. To avoid infringing the patent, Microsoft had to create a useless dialog box or status-bar prompt that requires the user to click to “activate” an embedded control. Stupid, but apparently Eolas wasn’t all that concerned about the people who actually use browsers.
