Browser Security News

This document describes the changes for how Internet Explorer 7 will reduce the number of ActiveX controls enabled by default with a feature called "ActiveX Opt-In".

This document also describes some of the best practices for developing ActiveX controls intended to run in Internet Explorer. These best practices have been compiled from the Security Development Lifecycle and Software Developers who develop and test ActiveX controls intended for safe use on the Internet.


ActiveX Opt-In - What’s New in IE7 for ActiveX

ActiveX controls are very important to the Internet because they allow developers to enhance Web pages with additional software application features that won’t work in standard HTML Web pages. Web developers use ActiveX controls to add animation, multimedia and other features to their Web sites.

Because ActiveX controls, or any browser extension, add features for Web sites, they also increase the possibility of a security vulnerability. Internet Explorer 7 (IE7) will reduce the number of ActiveX controls available to Web sites on the Internet and thereby reduce the chances of a security vulnerability. IE7 makes it easy to use common sites with important controls but lets users opt-in to using the advanced features that might be exposed by more obscure ActiveX controls.

This IE7 feature is called ActiveX Opt-In. By default, ActiveX Opt-In disables the controls on a user’s machine. When the user encounters a Web page with a disabled ActiveX control, they will see an Information bar with the following text: "This site might require the following ActiveX control: ‘ABC’ from ‘XYZ’. Click here to allow the control to run…" The user can choose to enable the ActiveX control from this Information bar ActiveX Security: Improvements and Best Practices (Windows IETechCol)