{"id":201216,"date":"2021-03-12T09:40:00","date_gmt":"2021-03-12T06:40:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/remembering-activex-controls-the-webs-biggest-mistake\/"},"modified":"2021-03-12T09:40:00","modified_gmt":"2021-03-12T06:40:00","slug":"remembering-activex-controls-the-webs-biggest-mistake","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/remembering-activex-controls-the-webs-biggest-mistake\/","title":{"rendered":"#Remembering ActiveX Controls, the Web\u2019s Biggest Mistake"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_84 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6a293e493c065\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #dd3333;color:#dd3333\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #dd3333;color:#dd3333\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6a293e493c065\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/buradabiliyorum.com\/en\/remembering-activex-controls-the-webs-biggest-mistake\/#What_Were_ActiveX_Controls\" >What Were ActiveX Controls?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/buradabiliyorum.com\/en\/remembering-activex-controls-the-webs-biggest-mistake\/#Security_Was_a_Problem_from_the_Start\" >Security Was a Problem from the Start<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/buradabiliyorum.com\/en\/remembering-activex-controls-the-webs-biggest-mistake\/#ActiveX_Was_Designed_for_the_Old_Web\" >ActiveX Was Designed for the Old Web<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/buradabiliyorum.com\/en\/remembering-activex-controls-the-webs-biggest-mistake\/#ActiveX_Was_a_Security_Mess\" >ActiveX Was a Security Mess<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/buradabiliyorum.com\/en\/remembering-activex-controls-the-webs-biggest-mistake\/#ActiveX_Controls_Werent_Cross-Platform\" >ActiveX Controls Weren\u2019t Cross-Platform<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/buradabiliyorum.com\/en\/remembering-activex-controls-the-webs-biggest-mistake\/#How_the_Modern_Web_Is_Better\" >How the Modern Web Is Better<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/buradabiliyorum.com\/en\/remembering-activex-controls-the-webs-biggest-mistake\/#ActiveX_Controls_on_Windows_10\" >ActiveX Controls on Windows 10<\/a><\/li><\/ul><\/nav><\/div>\n<p><strong>&#8220;#Remembering ActiveX Controls, the Web\u2019s Biggest Mistake&#8221;<\/strong><\/p>\n<div>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-436611 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2019\/08\/img_5d4dde835b941.png\" alt=\"Internet Explorer shortcut on a Windows 10 desktop.\" width=\"650\" height=\"300\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Introduced in 1996, Internet Explorer\u2019s ActiveX controls were a bad idea for the web. They caused serious security problems and helped cement the dominance of Internet Explorer on Windows, which led to the pre-Firefox stagnation of the web.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"What_Were_ActiveX_Controls\"><\/span>What Were ActiveX Controls?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>ActiveX controls are a type of program that can be embedded in other <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">app<\/a>lications. Microsoft used them for a variety of purposes\u2014for example, you could embed ActiveX controls in Microsoft Office documents. However, here, we\u2019re focusing on ActiveX for the web. Starting with Internet Explorer 3.0 in 1996, Microsoft let web developers embed ActiveX controls in their web pages.<\/p>\n<p>Back then, when you visited a web page, Internet Explorer would prompt you to download and run any ActiveX controls that the web page specified.<\/p>\n<p>Popular Internet Explorer plug-ins like Adobe Flash, Adobe Shockwave, RealPlayer, Apple QuickTime, and Windows <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/social-mediaa\/\" data-internallinksmanager029f6b8e52c=\"1\" title=\"Social Media\" target=\"_blank\" rel=\"noopener\">Media<\/a> Player were implemented using ActiveX controls.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-717019 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/prompt-to-install-activex-in-ie-11.png\" alt=\"Internet Explorer 11's ActiveX prompt on Windows 10.\" width=\"650\" height=\"299\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p><strong>RELATED:<\/strong> <strong><em>What ActiveX Controls Are and Why They&#8217;re Dangerous<\/em><\/strong><\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Security_Was_a_Problem_from_the_Start\"><\/span>Security Was a Problem from the Start<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The \u201990s were a different time, which also brought us\u00a0dangerous macros in Office documents. Originally, ActiveX controls were like any other program on your computer. When you launched an ActiveX control, it had full access to everything on your computer.<\/p>\n<p>In other words, you might visit a web page in Internet Explorer and see a prompt stating that the web page wanted to run a <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/game\/\" data-internallinksmanager029f6b8e52c=\"7\" title=\"Game\" target=\"_blank\" rel=\"noopener\">game<\/a> or other program. If you agreed, ActiveX control would be able to do anything it wanted with all the files and programs on your computer. It\u2019s easy to see how this was ideal for malware.<\/p>\n<p>This was in stark contrast to Sun\u2019s Java <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/technology\/\" data-internallinksmanager029f6b8e52c=\"4\" title=\"Technology\" target=\"_blank\" rel=\"noopener\">technology<\/a>. At the time, Java was also used to run programs on web pages inside web browsers. However, Java attempted to limit what these programs could do through the use of a sandbox. Java in the web browser ultimately had a long history of security flaws\u2014but at least Java was trying to limit what applications could do.<\/p>\n<p>A CNET article <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.cnet.com\/news\/actively-defending-activex\/\">from 1997<\/a> captures Microsoft\u2019s attitude at the time:<\/p>\n<blockquote><p>\u201cWhile the Java sandbox enforces a high degree of security, it does not let users download and run exciting multimedia games or other full-featured programs on their computers,\u201d a statement on Microsoft\u2019s security site reads. \u201cAs a result, users may want to download code that has full access to their computers\u2019 resources.\u201d<\/p>\n<\/blockquote>\n<p>The article goes on to explain that Microsoft included an \u201caccountability\u201d system named Authenticode. Software developers could choose to stamp their ActiveX controls with a digital signature, but it wasn\u2019t mandatory. Developers who created malicious ActiveX controls could be tracked down more easily\u2014if they chose to sign their controls.<\/p>\n<p>With Microsoft initially relying on the honor system, it\u2019s easy to see how ActiveX became a popular way to deliver malware and spyware to Internet Explorer users.<\/p>\n<p><strong>RELATED:<\/strong> <strong><em>Why Do So Many Geeks Hate Internet Explorer?<\/em><\/strong><\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"ActiveX_Was_Designed_for_the_Old_Web\"><\/span>ActiveX Was Designed for the Old Web<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>There was a time when web technologies weren\u2019t very powerful. If you wanted something more advanced than text and images\u2014even if you just wanted to embed a video in a web page\u2014you needed some sort of browser plug-in.<\/p>\n<p>ActiveX was designed for a world where you couldn\u2019t create complex, full-featured applications using HTML, JavaScript, and other modern technologies, as you can today.<\/p>\n<p>Many organizations turned to ActiveX controls to add functionality to their websites. Many businesses used ActiveX controls internally, too, to quickly deliver programs to their business PCs. When you accessed one of these web pages with Internet Explorer, it would prompt you to download an ActiveX control and you\u2019d be running the program.<\/p>\n<p>Nice and easy\u2014too easy. Perhaps that would fly on a company\u2019s internal network (intranet) where everything was trustworthy. But on the untamed web, this caused a lot of problems.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"ActiveX_Was_a_Security_Mess\"><\/span>ActiveX Was a Security Mess<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Conceptually, ActiveX had two big security problems. First, a malicious website could prompt you to install a malicious ActiveX control, and it was very easy for Internet Explorer users to agree to the prompt and install it.<\/p>\n<p>Second, a bug in a legitimate ActiveX control could be a problem. If you had an outdated version of Adobe Flash installed, for example, a malicious website could take advantage of that and gain access to your entire computer\u2014since ActiveX controls like Flash had access to your entire computer.<\/p>\n<p>This was a big deal, really, since ActiveX controls often didn\u2019t have automatic update systems.<\/p>\n<p>Over time, Microsoft kept tightening the security settings and adding extra protection like \u201cProtected Mode\u201d and \u201cEnhanced Protected Mode.\u201d For example, Internet Explorer has a built-in <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/docs.microsoft.com\/en-us\/internet-explorer\/ie11-deploy-guide\/out-of-date-activex-control-blocking\">list of outdated ActiveX controls<\/a>\u00a0that it refuses to load. Internet Explorer provides additional warnings before downloading and loading ActiveX controls. Other security settings were introduced that let ActiveX control creators restrict ActiveX controls to only run on certain websites, for example.<\/p>\n<p>Case in point: Microsoft\u2019s website once required an Akamai \u201cDownload Manager\u201d ActiveX control to download certain files. This Download Manager required full access to your entire computer, and of course, it only ran in Internet Explorer. Unsurprisingly, this Download Manager program had <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.cvedetails.com\/vulnerability-list\/vendor_id-6433\/product_id-10878\/Akamai-Technologies-Download-Manager.html\">its own security vulnerabilities<\/a>. Does that really sound like a good solution for downloading files instead of just relying on your web browser\u2019s built-in file downloader?<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" style=\"background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;\" title=\"activex-protected-mode-security-warning\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2013\/05\/activex-protected-mode-security-warning.png\" alt=\"An Internet Explorer security warning\" width=\"650\" height=\"405\" border=\"0\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"ActiveX_Controls_Werent_Cross-Platform\"><\/span>ActiveX Controls Weren\u2019t Cross-Platform<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>ActiveX was a Microsoft technology that ran best in Internet Explorer on Windows. There were some plug-ins that added support to competing browsers, like Netscape Navigator (the ancestor of Mozilla Firefox), but it was really all about Internet Explorer.<\/p>\n<p>Technically, ActiveX was cross-platform. Microsoft added ActiveX support to Internet Explorer for Mac. However, unlike with Java (which was cross-platform), ActiveX controls written for Windows would not work on a Mac. Developers would have to create ActiveX controls for the Mac.<\/p>\n<p>For example, South Korea standardized on an ActiveX control that was required to access secure financial and government websites back in the \u201990s. It was only fully <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.theregister.com\/2020\/12\/10\/south_korea_activex_certs_dead\/\">shut down in 2020<\/a>, and dependency on ActiveX forced people to use that ancient, outdated technology for a long time. As the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.washingtonpost.com\/world\/asia_pacific\/due-to-security-law-south-korea-is-stuck-with-internet-explorer-for-online-shopping\/2013\/11\/03\/ffd2528a-3eff-11e3-b028-de922d7a3f47_story.html\">Washington Post<\/a> once wrote, \u201cSouth Korea [was] stuck with Internet Explorer for online shopping\u201d in 2013. The article describes how Mac users had to rely on desktop computers in their offices, internet cafes, old computers, or Boot Camp to make purchases online.<\/p>\n<p>Such situations played out in similar ways in other places: Companies that standardized on ActiveX for delivering internal applications were stuck depending on Internet Explorer on Windows until they left ActiveX behind.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"How_the_Modern_Web_Is_Better\"><\/span>How the Modern Web Is Better<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>From a security perspective, the modern web is much better. When you load a web page, your web browser loads and runs that web page in its own isolated sandbox. The web browser doesn\u2019t rely on ActiveX, Java, Flash, or any other type of third-party program that runs part of the web page.<\/p>\n<p>There\u2019s no way for a website to deliver code that gets full access to everything on your computer\u2014not without downloading an EXE file that runs entirely outside the browser on Windows, for example.<\/p>\n<p>Your web browser automatically updates itself, so there\u2019s no risk of ancient code sitting around and remaining accessible to web pages without getting security patches\u2014as there was with ActiveX.<\/p>\n<p>Before it was axed completely in favor of web technologies at the end of 2020, even Flash content was more secure than ActiveX. Google Chrome, for example, ran Flash in a sandbox. A malicious Flash applet would have to use a flaw to escape the sandbox in Adobe Flash itself, and then use another flaw to escape the plug-in sandbox in Google Chrome to get full access to the computer.<\/p>\n<p>And of course, the modern web is cross-platform. You can use whatever browser you choose on whatever platform you like. You\u2019re not stuck using Internet Explorer on Windows because the websites you use require an ActiveX control that only works on Windows in that one browser.<\/p>\n<p>And sure, most browser extensions that you install have access to everything you do in your web browser\u2014but at least they don\u2019t have access to your entire computer.<\/p>\n<p><strong>RELATED:<\/strong> <strong><em>Did You Know Browser Extensions Are Looking at Your Bank Account?<\/em><\/strong><\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"ActiveX_Controls_on_Windows_10\"><\/span>ActiveX Controls on Windows 10<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>As of 2021, ActiveX controls are still supported on modern versions of Windows 10. You have to use the legacy Internet Explorer 11 browser, however\u2014Microsoft Edge does not support ActiveX controls.<\/p>\n<p>Some businesses and other organizations are still using ActiveX controls today, so Microsoft has not removed support for it yet.<\/p>\n<p><strong>RELATED:<\/strong> <strong><em>Adobe Flash is Dead:\u00a0Here&#8217;s What That Means<\/em><\/strong><\/p>\n<\/div>\n<p><script>\n setTimeout(function(){\n  !function(f,b,e,v,n,t,s)\n  {if(f.fbq)return;n=f.fbq=function(){n.callMethod?\n  n.callMethod.apply(n,arguments):n.queue.push(arguments)};\n  if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version='2.0';\n  n.queue=[];t=b.createElement(e);t.async=!0;\n  t.src=v;s=b.getElementsByTagName(e)[0];\n  s.parentNode.insertBefore(t,s) } (window, document,'script',\n  'https:\/\/connect.facebook.net\/en_US\/fbevents.js');\n   fbq('init', '335401813750447');\n   fbq('track', 'PageView');\n  },3000);\n<\/script><\/p>\n<blockquote><p><strong><span style=\"color: #ff6600;\">If you liked the article, do not forget to share it with your friends. Follow us on\u00a0<span style=\"color: #ff0000;\"><a style=\"color: #ff0000;\" href=\"https:\/\/news.google.com\/publications\/CAAqBwgKMLG0nwswvr63Aw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Google News<\/a><\/span>\u00a0too, click on the star and choose us from your favorites.<\/span><\/strong><\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\">For forums sites go to <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/forum.buradabiliyorum.com\/\" target=\"_blank\" rel=\"noopener\">Forum.BuradaBiliyorum.Com<\/a><\/span><\/strong>\n<\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more like this article, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/en.buradabiliyorum.com\/technology\/\" target=\"_blank\" rel=\"noopener\">Technology category.<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.howtogeek.com\/717016\/remembering-activex-controls-the-webs-biggest-mistake\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#Remembering ActiveX Controls, the Web\u2019s Biggest Mistake&#8221; Introduced in 1996, Internet Explorer\u2019s ActiveX controls were a bad idea for the web. They caused serious security problems and helped cement the dominance of Internet Explorer on Windows, which led to the pre-Firefox stagnation of the web. What Were ActiveX Controls? ActiveX controls are a type of&#8230;<\/p>\n","protected":false},"author":1,"featured_media":201217,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2019\/08\/img_5d4dde835b941.png?height=200p&trim=2,2,2,2","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-201216","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/201216","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=201216"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/201216\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/201217"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=201216"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=201216"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=201216"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}