Browser Security News

What does Microsoft know that we simple users of Internet Explorer don’t? With Internet Explorer 7, Microsoft made some hefty changes to ActiveX controls, turning off a bunch by default and flipping on the security warning switch for many others. If timing means anything, the ActiveX changes are possibly quite important. Today, over at Symantec’s Security Response Weblog, Greg Ahmad reveals startling–and I do mean shocking–increases in ActiveX vulnerabilities. According to Symantec, ActiveX vulnerabilities stayed in the 12- to- 15-a-year range from 2002 to 2005. For 2006, the number of vulnerabilities "reached 50," with 42 in the second half of the year–coincidentally, the same time period Microsoft finished up and released Internet Explorer 7.

"During the first quarter of 2006, three ActiveX vulnerabilities were reported. This was followed by nine in the second quarter, 13 in the third quarter, and 26 in the fourth," Ahmad wrote.

"This rise of vulnerabilities in ActiveX controls can be attributed to a variety of reasons," Ahmad explained. "These include an increasing number of vendors shipping insecure ActiveX controls and the availability of a variety of security testing tools and ActiveX fuzzers that allow researchers and attackers to rapidly find vulnerabilities with relative ease." Microsoft Watch - Security - Way Too ActiveX