Active X Control Security Questions

Posted on 2005-03-23
Medium Priority
Last Modified: 2013-11-18
I have been building my first web based application in vb.net.

It uses the standard HTML controls in addition to:
 PeterBlum's date package
 the Infragistics Grid and Tabbed Folder control.

All has been going great, but my largest client has a consultant that has recently raised a security issue regarding Active X controls and that they pose a security risk to the web site. That is all he said, no specifics. While the application is extensive it is my first and I have 0 experience in the security area of web controls so I can respond with confidence. Am I really at risk? I really don't know.

To be honest, after doing this for 20 years I feel pretty stupid right now. Can someone help me rebuff this? I really don't know how to respond. I have not focused on the security of the controls but rather the content and functional capability of the web site. It may be naive, but things have been working and at some point I begin to trust that the tools I am using are built by people with far more experience and knowledge in those areas, and believe they have covered their butts and in turn mine. After all, when I buy a hammer from Sears I am not concerned it will explode when I hit the first nail, if you know what I mean.

Any help or guidance on this would be greatly appreciated.


Question by: GregWeber
LVL 10

Expert Comment

ID: 13610658
There are no problems with Active X controls if you know where they are from and what they do. An Active X control has the potential to pose a security threat if it does something bad to the host PC. This is possible because, unlike Java applets, they have complete unrestricted access to the client PC and the Windows API, hence an Active X control could format a drive, for example.

You could make your client happier by getting the Active X control signed and, if you need to script it from within the HTML, get it marked as 'safe for scripting'.

LVL 19

Accepted Solution

RanjeetRain earned 2000 total points
ID: 13611533
That guy is being an "I know it too" newbie. People who know some, but not the whole story.

Granted, ActiveX controls can be a security threat. But they CAN be. They need not necessarily be. If you download an ActiveX control from a site that promises to allow you to download gigs of p0rn free, and if you go ahead and install the control, you might be compromising the security of your PC. But if you are developing a control in house, and you know that you are not coding it to do anything harmful, then rest assured, it won't harm. ActiveX controls are not born criminals. You can use ActiveX controls to commit crime if you so want.

Typically, any ActiveX control that goes beyond general fancy UI design should be signed. As long as there is a signer you know and trust, you would not be unsafe. The problem could be with a 3rd party unsigned control that might try to access your system in an unauthorized way.

To turn the tables on the person giving you the lecture, ask him what security threats he envisages, and note his reactions. I bet he won't have much to say. Anyhow, if he does, post back what he had to say.

Author Comment

ID: 13611838
I appreciate the feedback thus far and am hoping for more. I already know more than when I woke up this morning, and it is always a good day when I learn something new.

LVL 10

Expert Comment

ID: 13611934
In a nutshell, if you wrote it and have tested it then they have nothing to worry about. If it's on their LAN then their IE settings should allow it.

Author Comment

ID: 13612094
So if it is reputable (i.e. PeterBlum, Infragistics) the same rules should apply.

LVL 19

Expert Comment

ID: 13620338
Not sure about their credentials. Verisign is a very respectable signing authority. There are a few more worldwide known ones. Try googling around and see if you can find out something about their credentials.

Usually, you should be able to check the credentials stuffed in a control by looking at the property page of the certificate.
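
The signing and 'safe for scripting' points raised in the answers above can be checked on a client machine. The following is an added example, not part of the original thread or any poster's code: it lists registered controls that carry the standard "safe for scripting" or "safe for initializing" registry categories and reports the Authenticode status and signer of the file behind each one. The function name `Get-ActiveXAudit` is hypothetical.

```powershell
# Added example (not from the thread). Get-ActiveXAudit is a hypothetical helper name.
# Standard component-category IDs that mark a control as safe in the registry.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

function Get-ActiveXAudit {
    # Walks registered COM classes in the current registry view (run it from both
    # 32-bit and 64-bit PowerShell to cover both views on 64-bit Windows).
    param([string]$Root = 'Registry::HKEY_CLASSES_ROOT\CLSID')

    Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_.PSPath
        $sfs = Test-Path -LiteralPath "$key\Implemented Categories\$SafeForScripting"
        $sfi = Test-Path -LiteralPath "$key\Implemented Categories\$SafeForInitializing"
        if (-not ($sfs -or $sfi)) { return }   # skip classes not marked safe

        # The default value of InprocServer32 names the DLL/OCX implementing the control.
        $inproc = Get-Item -LiteralPath "$key\InprocServer32" -ErrorAction SilentlyContinue
        $file = if ($inproc) { [string]$inproc.GetValue('') } else { '' }
        $file = $file.Trim('"')

        $status = 'NoInprocServer'; $signer = $null
        if ($file -and (Test-Path -LiteralPath $file -PathType Leaf)) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $file
            $status = [string]$sig.Status          # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        } elseif ($file) {
            $status = 'FileMissing'
        }

        [pscustomobject]@{
            Clsid = $_.PSChildName; File = $file
            SafeForScripting = $sfs; SafeForInitializing = $sfi
            SignatureStatus = $status; Signer = $signer
        }
    }
}

# Controls scriptable from a web page whose binary is not validly signed come first.
Get-ActiveXAudit | Sort-Object { $_.SignatureStatus -eq 'Valid' } |
    Format-Table Clsid, SafeForScripting, SignatureStatus, Signer, File -AutoSize
```

A control can also declare itself safe at run time through the `IObjectSafety` interface, which this registry scan does not see, so an empty result does not prove that no scriptable controls are installed.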
