ActiveX is a powerful technology that enables rich interactions within Microsoft 365 applications, but its deep access to system resources also increases security risks.
Starting this month, the Windows versions of Microsoft Word, Microsoft Excel, Microsoft PowerPoint, and Microsoft Visio will have a new default configuration for ActiveX controls: Disable all controls without notification.
↫ Zaeem Patel at the Microsoft 365 Insider Blog
Be honest: did any of you know ActiveX was still a thing? Heck, when was the last time you even thought of ActiveX? This technology acted as a replacement for Windows’ COM and OLE 2.0, and was used to make controls in a whole slew of Microsoft applications. ActiveX controls from one application could also be embedded into another, like showing a toolbar from Word inside an image editor.
ActiveX has several major downsides, the two biggest of which are its relative lack of portability, and most of all, its atrocious security record. I’m genuinely surprised it’s taken them this long to actively, fully disable the technology by default.
Is there an alternative?
There are still many things you could do with OLE that don’t have modern alternatives. Copying a graph from Excel into Flash and being able to “break apart” the graph to animate it, getting vector shapes and editable text.
Don’t worry, any Word document can still break apart if you simply move a fixed object like a vector graphic or an image. Good lord, I miss GoBe Productive, where you could move objects in real time and the text aligned accordingly. It was a publishing suite too advanced for this world.
OLE is good and all (and I wish it existed outside Windows), but who in their right mind thought that allowing websites to download ActiveX components (which are native executables) to the user’s computer was a good idea? Did someone at Microsoft ever think there were some security issues with that?
In your example, if Flash Player wants to support parsing Excel graphs, then it should bundle the necessary components to do so, or failing that, the user can install the components manually; a website shouldn’t be able to install or run ActiveX components on the user’s computer.
One of the reasons IE was universally hated was legacy baggage like ActiveX.
I think IE was also hated by the HTML purists, since it did not support the “layer” tag used in almost every browser and instead used the “diverse” div tag. Kinda like putting everything in a trash pile and then sorting it out, instead of using the clearly defined boxes for your trash.
There were lots of things to hate on IE, from HTML non-compliance to BHOs (that IE could not uninstall and you had to rely on the BHO to be a good citizen to create an entry in add/remove programs and provide an uninstaller) to ActiveX, but ActiveX was by far the most user-hostile “feature” and the one with the most security implications. One of the things you had to do when teaching a family member to use Windows XP (before Firefox was a viable choice) was to tell them to always click “No” on those ActiveX download pop-ups.
Even the pop-up dialog was highly misleading since it implied VeriSign had vetted the ActiveX component (in reality, not so much, it was more like a pinky-promise the component author made to VeriSign and of questionable enforceability especially outside the US).
Something like a graph could be generated as a vector object in a standard format (e.g. SVG) and broken down into its component parts for manipulation …
In terms of security you just have to consider Microsoft’s origins – standalone, single-user systems. Most of their security problems stem from legacy applications developed for this model and then shoehorned into a multi-user networked environment.
An OLE object is more than an SVG drawing of an object. For example, an OLE object of a chart contains all the properties and data of the chart as they were on the application that created it. This means the application you paste it to can do things to the chart like animate the bars of a bar chart, present a window to change the legend, even change the numbers and have the bars adjusted accordingly that you can’t do with an SVG drawing of a chart. It’s a neat solution if you keep it to a set of well-known object types, for example the ones of Microsoft Office. But downloading OLE handlers from random websites (which are native executables without sandboxing) aka ActiveX? What were they thinking?
Also, ActiveX is a technology developed for IE, it was built with networked environments in mind, so allow me to reiterate the “What were they thinking?” bit.
kurkosdr,
I don’t think many people know about OLE. It’s more than embedding a static representation, it’s a legitimate interactive source inside of a new host document. This was such a neat idea but outside of the MS Office ecosystem it hasn’t really caught on. It would be neat to have something akin to a PDF format that could do OLE, but I think a big barrier to this is that it’s so specific to Microsoft software that it’s basically impossible to make the format portable.
ActiveX was a natural evolution of OLE. Extremely powerful in VB applications. However, security was hugely problematic. Not having them sandboxed was a huge failure on Microsoft’s part.
Now can they also disable VBS by default? I should be able to “open a document for editing” without running any VBS nastiness that may come with it. Just hide the option to run embedded VBS in the preferences for those who really want to have elaborately animated PowerPoint decks and Word docs and don’t care about the security risks.
ActiveX is a set of COM interfaces, just like OLE 2.0 is also a set of COM interfaces; it can hardly be a replacement when it depends on that technology to exist in the first place.
The replacements are the .NET AddIns, and now the new AddIn model based on Web technologies.