eWeek Security Watch
February 4, 2008 4:42 PM

How to Disable ActiveX Controls in Internet Explorer



As a follow-up to two separate stories I wrote on vulnerable ActiveX controls affecting high-profile Web sites, here's a quick primer on configuring Internet Explorer to handle ActiveX controls in a safe way.

These recommendations come from the US-CERT (Computer Emergency Response Team) and have been modified slightly for IE 7, the most up-to-date version of Microsoft's browser.

Start by selecting Tools then Internet Options...

How to Turn Off ActiveX Controls in IE

Select the Security tab. The Internet zone is where all sites initially start out. The security settings for this zone apply to all the Web sites that are not listed in the other security zones. US-CERT recommends the High security setting be applied for this zone. By selecting the High security setting, several features including ActiveX, Active scripting and Java will be disabled. With these features disabled, the browser will be more secure. Click the Default Level button and then drag the slider control up to High.


For more fine-grained control over what features are allowed in the zone, click the Custom Level button. Here you can control the specific security options that apply to the current zone. Default values for the High security setting can be selected by choosing High and clicking the Reset button to apply the changes.

Ensure that all default settings related to ActiveX Controls are disabled or set to be approved by an Administrator.
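
To confirm the result of the steps above, the per-user Internet zone settings can be read back from the registry. The following is an added example, not part of the US-CERT guidance or the original article; it assumes PowerShell 3.0 or later, and the zone path, URL action IDs and value meanings are those Microsoft documents for IE security zones.

```powershell
# Read-only audit of the current user's Internet zone (zone 3). Nothing is changed.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# ActiveX-related URL actions, as documented by Microsoft for IE security zones.
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

# Setting values: 0 = Enable, 1 = Prompt, 3 = Disable,
# 0x10000 = Administrator approved (only meaningful for action 1200).
function Get-SettingName([int]$value) {
    switch ($value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        0x10000 { 'Administrator approved' }
        default { 'Unknown (0x{0:X})' -f $value }
    }
}

$zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop

# CurrentLevel 0x12000 is the High template; 0 means a custom level is in use.
$isHigh = ($zone.CurrentLevel -eq 0x12000)
Write-Output ("Internet zone at High template: {0}" -f $isHigh)

$report = foreach ($id in $actions.Keys) {
    $raw = $zone.$id
    $setting = if ($null -eq $raw) { 'Not set' } else { Get-SettingName $raw }
    [pscustomobject]@{
        Action  = $id
        Name    = $actions[$id]
        Setting = $setting
        # Target state from the article: disabled or administrator approved.
        Meets   = ('Disable', 'Administrator approved') -contains $setting
    }
}

$report | Format-Table -AutoSize
if ($report.Meets -contains $false) {
    Write-Warning 'One or more ActiveX actions in the Internet zone are not disabled or administrator approved.'
}
```

The script reads only the per-user values; settings enforced through Group Policy are stored separately and take precedence over what is shown here.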


Comments (5)

Ray :

So why not just use Firefox since it doesn't use ActiveX? I only use IE for the sites that won't work with Firefox, which is mainly banking.

Narr vi :

Yes, and by blocking all ActiveX you lose the benefits of software such as Norton 360 which validates you actually have reached the banking site you intended, and not someone's black server.

I would think that to use the Add-ons administration in IE would be a better bet. Set all the ones you don't absolutely need to disabled.

Also: if you disable ActiveX in the brute mode, then you can't use Windows Update, and receive the Microsoft patches, correct?

I hope you can get good advice on these points, Ryan, and thank you for it.

Regards,
Narr vi

Narr vi :

I'll just add here, because I thought of it, that there is one more ActiveX control very valuable to leave running on IE, and that is XPL LinkScanner Pro.

Very inexpensive, and it has in less than a month caught and stopped two very real exploits on their way to me.

What kind of sites? Academic and research ones, where I get pdf papers etc. to read!

It is very dangerous out there, even if some of what lurks is 'old' and possibly patched.

The actual performance of XPL is in the connection stream, before the information even reaches the actual browser, another point for it.

Kind regards,
N.

Bill :

A good reason to not use Norton Anti virus. Any product that needs IE to perform its job is a piece of garbage IMHO.

I feel vindicated, at last. I have been saying for as many years as ActiveX has existed "ActiveX technology is the future of virus delivery and industrial espionage". I call it ActiveVirus. I have a security course in which the premise is "Give me a million dollars and a year, and I'll own your network" and say "...and if you enable ActiveX, I'll own you in two weeks" and proceed to explain in detail what I can do if you enable it. I have been told, explicitly, by academic security researchers "We know it's dangerous, but if we come out and say that in public, we lose all credibility, because nobody wants to hear that" (we can't tell the truth because the truth will not make us popular). It is great that someone with clout finally has the guts to say this in public.
