>>My daughter simply ignored the updates, because she didn't want to bother asking me to type in a password.

And that's Microsoft's fault?

First off, Vista updates can be configured to install and reboot on a system after a limited number of warnings, and that's the length of rope my daughter gets on her computer.

It should also be pointed out that a machine that is more locked down is less susceptible to anything but remote protocol level attacks. And this is why, presumably, you're using OneCare and other security layers to address the total security package.

ActiveX may have its share of problems, but these problems are somewhat inherent in the desired functionality, so they have to be mitigated even if you pick a new technology that's not ActiveX.

Lastly, everyone scoffs at backwards compatibility when it adversely impacts security or performance, but as soon as Microsoft releases something that lacks such compatibility in the name of security, then every self-proclaimed pundit asks why anyone should use a product that won't work with the vast majority of what's out there today...

If you don't want ActiveX, then turn it off completely, and wait until everyone catches up to you...

I'm running 64-bit Windows with IE-based browsers, and malware is not a major concern for me -- because security is not a one-product or one-technology affair...

-ASB

Joe,
I think you really touched on something that goes so deep into the problems of MS here with Internet Explorer.

Yes, ActiveX is a very unsafe part of IE. But the problem goes far deeper now, and has become very complicated, even for MS to fix it. Also,
ActiveX is another problem in windows email (outlook) as well, buts thats topic for another day.

It started with MS decision to embed IE into the operating system, as a means to give it away (dumping=illegal) in order to kill off Netscape.
For those of you who don't remember the DOJ and that MS was convicted as an monopoly. In fact, MS agrued that IE could not be separated from Windows in those trials. Although, we know know, like everything else MS says, this was not true at the time.

What happened since is that many software developers were encouraged to use parts of IE (mostly IE6) in their programs. So now, many programs sort of piggyback on IE to run.

Which is going make it painful for MS and users, when the EU demands they separate it. This is where I thing its going.

I use Firefox and Opera in Linux, which both are vastly superior to IE. I never never use IE, (even in XP) and anyone who brings in a computer to get viri cleaned out of them, gets told not to use IE or Outlook, the two biggest malware targets on the planet (in windose). In the last year I have only found one site that I have a problem with firefox, and opera runs it just fine.

Use firefox, with a few extensions, it is in another class than IE which is obsolete, a target, and just plain full of bugs.

What SHOULD you do?

Use the mailto:webmaster links on all the sites which want to download and install .COM/.COM+/ActiveX crapware into your OPERATING SYSTEM. Ask them to fix their websites-- So that they don't depend on proprietary, security-destroying crud in order to be seen and used properly.

If these "Software Developers" were so easily convinced to use these proprietary extensions to IE6, they might learn a lesson by spending some time to correct their mistakes-- or seeing a bunch of emails which tell them "your proprietary application isn't compatible with my WC3 compliant graphical browser, GOODBYE."

I have heard that Firefox 2.0 gets to be quite the memory hog. It is supposed to get fixed in Firefox 3.0. However, I personally have had no problems using Firefox 2.0 on my desktop with 2GB RAM nor my laptop with 1GB RAM. I have been using Firefox pretty much exclusively for I'd say 4 years.

I tried going back to IE (IE 7) when I heard some "experts" proclaim IE 7 to be superior. Even if it was superior, which it is not, I can't do it. I hate it and it doesn't work the way I want it to. Also, I am so comfortable and used to my Firefox extensions. To date, I have never taken on a virus or trojan while using Firefox, but I have through IE.

I highly recommend Firefox as browser of choice!

What's the issue Berber?

Is the recent decline in the Microsoft shareprice because by making an offer to buy Yahoo the market finally is realizing that Microsoft has to get help, now that they've been caught trying to steal their way onto the web?
http://www.vcsy.com/press/releases.php?year=2007&month=04&day=20&num=00

The subject of injunction in VCSY v MSFT is an obvious hotspot as we approach the 30 day mark counting down to the end of the mediation period March 7, 2008 as imposed by the court appointed negotiator.

I'm posting to show Microsoft shareholders they have friends like Tom Berber and company.

Never mind Microsoft hasn't been able to show what they've been working at for over a year. Never mind the rest of the software industry is making huge gains in the web-platform arena while Microsoft continues to lag behind in crucial web-platform capabiliites.

Never mind you can't explain to the Microsoft shareholder just how the 744 patent is "too broad". Doesn't look too broad to me. Heck, I can explain just how it's not too broad, but nobody can answer what I say. They just fall back to "VCSY is broke". Yep. That's precisely the argument VCSY will offer the court as a reason for seeking an injunction against .Net.

Microsoft pressure and unfair competition through their infringements has lead to VCSY being broke.

Precisely the situation injunction is intended to remedy.

Our recommendation: Sell VCSY stock. Stock tip: VCSY is at a high sell recommendation. Warning: Do not purchase VCSY stock.

Attention: We have put VCSY on our sell recommendation. Our experts believe this stock although of little (penny stock) or no value, will decrease additionally.

Also, do not purchase shares of VCSY stock at this time. Our experts agree that the purchase of this stock puts you at a great financial risk.

The problem isn't activex alone the problem is when code needs to jump out of the browser sandbox and interact with your operating system.

As for the IE bashers/move to firefox proponents, I find it funny how people quickly accept memoryleaks and other issues. If you don't know what I mean, search for "firefox memory leak".

I think beyond ActiveX as a technology that has problem, the fact that users are being trained to make system-level OS changes in a web browser (ie. Windows Update) is a very bad practice and opens Windows users to lots of social engineering.

Beyond ActiveX alone, programs like Google desktop have their settings control panels controlled through a website hosted by a locally running webserver. Again that trains the habit that system decisions are made in a web browser.

How defensive the M$ Shills get when you say anything bad about IE and suggest folks use a browser that doesn't have as many viral problems, and is just better all the way around. "The problem isn't activeX," come on get real, of course that is the problem. Read the article.

M$ denies any problems with IE unless they finally have to. Using Firefox/2.0.0.11 in Linux, and I have not seen any memory leaks problems, but, there was problems in earlier versions. Using just 256mb of ram, and it works just great as well. At least in Firefox, they do get around to fixing problems, so will MS every fix the activeX problem? Don't hold your breath.

Each release of firefox fixes some problems and adds some features. Some of the memory leaks have already been fixed, and the remaining are supposed to be fixed in version 3. Depending on hardware, there may not be memory leaks on the later versions 2x of Firefox, as for example, I have not noticed any, but did on earlier releases.

Microsofties seem to be so defensive about IE, why? I think its about control. MS wants to use IE to control the internet, which is one of the reasons that they never (until perhaps soon) follow standards. Consider this fact, when you think about them buying Yahoo, for a total 33% on the market share on that day. Minus of course, the folks that leave Yahoo and Yahoo mail to stay away from the evil empire M$.

Re: Firefox memory leaks.
I find that Firefox and Thunderbird both leak memory, though they do seem to behave noticably better on Linux than their Windows versions behave on Windows.
On Fedora Core 5 (in 2007) and Ubuntu 7.10 (this year), I never leave my Firefox sessions up at the end of the day, so any small leaks seem rather inconsequential. I find that restarting Thunderbird once a month is helpful, as it takes about a month for its leaks to affect its performance.
And my Fedora Core 5 system ran 24x7x365 without any power hits and with only one reboot (in June, again, due to an app development issue, and it was quicker to reboot than manually step through the app's recovery process). How long can a Windows system run with no disk fragmentation, no system slowdowns, no crashing, and NO REBOOTS... and be used for company email, documentation, web serving, web surfing, heavy-duty application development, all at the same time each and every working day? A full year? A full 6 months? One entire month? An entire week?
My XP system got creaky after about a week and needed to be rebooted. I never defragmented the drive and saw disk performance get slower and slower. That system is now Ubuntu 7.10 also!
Yeah, it's my fault for never defragmenting the XP file system. But it's also my fault for installing an operating system whose default file system doesn't need to be defragmented. After all, the computer is a tool that is supposed to work for me, and not the other way around!!!

The Linux OS is free if your time has no value.

@scipio:
And it's free if your time is very valuable!

chips says:
Using Firefox/2.0.0.11 in Linux, and I have not seen any memory leaks problems
@chips:
I've only been running Firefox 2 on Ubuntu since the start of 2008, so perhaps they've finally fixed the memory leaks. I'll monitor the latest memory usage of Firefox and Thunderbird and let you know what I find.
Thanks for the tip!

Abandon ActiveX? LOL - it's part of the master plan in a war that's been raging for ten years:

Subject: Excerpts of Tevanian's testimony [long]
Date: Sat, 31 Oct 1998 00:29:26 -0500 (EST)
From: "Eric M. Bennett"
To: Multiple recipients of list AM-INFO
The DOJ has posted Tevanian's testimony. You can get a PDF file of it here:

http://www.usdoj.gov/atr/cases/ms_testimony.htm

Since the PDF file is over 2 megs (it is simply a digitized scan of
documents), I have included some of the more relevant sections here. I
omitted the information about Office and the QT patent lawsuit, since it
didn't seem to contain any information that we have not already heard about.

Here are my excerpts:

"Mr. [Eric] Engstrom [of Microsoft's multimedia division] noted at the meeting that Microsoft's Bill Gates was not interested in an authoring
program because the market for this product was too small. He assured the Apple representatives, however, that if Microsoft needed to make an
investment in providing authoring tools in order to push Apple out of the [multimedia] playback market, then Microsoft would devote all the necessary resources to accomplish this goal."

..

"The problems we were experiencing in running QuickTime on Windows with IE 4.0--problems that had not existed with earlier versions of IE--suggested that Microsoft would use its control of Windows to harm QuickTime. I was particularly concerned about Microsoft's bundling of its multimedia technology with its IE for the Mac OS. This would give Microsoft access to the Mac OS operating system while, at the same time, Microsoft was seeking to exclude Apple's multimedia technology from Windows."

..

"On Feb 3, 1998, Mr. Jobs sent an email message to Mr. Gates expressing Apple's concerns about the threatening behavior of Microsoft's employees.
On Feb 13, 1998, I had a lunch meeting in Cupertino with Don Bradford of Microsoft. The purpose of this meeting was to discuss the problems described in Mr. Jobs' message to Mr. Gates. At this meeting, Mr. Bradford conveyed the same proposal that Microsoft had presented in the past. Speficially, if Apple would abandon the playback segment of the business, Microsoft would be willing to endorse QuickTime as the solution for the authoring portion. Mr. Bradford told me that Mr. Gates thought that this would be a way to resolve our dispute."

..

"[In April 1998 Mr. Engstrom told Apple's Phil Schiller,] 'We're going to compete fiercly on multimedia playback, and we won't let anybody have playback in Windows. We consider that part of the operating system, so you're going to have to give up multimedia playback on Windows."

..

Microsoft's proposal amounted to a forced abandonment of one of Apple's most successful and innovative products. . . . Accordingly, Steve Jobs told Microsoft that Apple had no interest in giving up QuickTime. Microsoft's response conveyed a simple message: Microsoft would drive Apple out of the multimedia business."

This is funny - you've tried to surf the web with IE security settings set to High, and recommend Firefox because of this. But have you tried to disable scripting and plug-ins in Firefox (that would be equivalent to High settings in IE) and try to surf same web sites? The web pages would suck exactly the same way without JavaScript and Flash in Firefox as they do in IE.

@Michael
JavaScript and Flash are not the same thing as activeX

Michael wrote: "But have you tried to disable scripting and plug-ins in Firefox (that would be equivalent to High settings in IE) and try to surf same web sites?"

Michael,

Of course, you're right about the experience. But US-CERT isn't recommending to disable Firefox plug-ins. Clarification: I didn't recomend Firefox.

Joe

scipio wrote: The Linux OS is free if your time has no value.

Au contraire. The time wasted just trying to keep Windows running and free of malware is far more than any time you will need to learn and configure Linux. If your time is valuable, then Linux is the way to go.

It's also time for you to get your head out of the sand.

I don't understand. What did your daughter's user privilege settings have to do with the machine keeping its own security patches up to date?
On Linux systems, the system update task can run automatically in the background, with whatever privileges it needs to perform administrator tasks, independent of (and not subject to interference by) users who might be logged on at the same time, who might have only ordinary privileges.
Is Microsoft's most-advanced-ever operating system not capable of managing something as simple as this?

I don't see how it's a ActiveX design fault that some controls have bugs.

If a poorly designed ActiveX control is a reason not to use any ActiveX controls, shouldn't, by the same logic, one seriously flawed Mozilla type plugin be a reason not to use *any* plugins? And there are lots of those out there.

Like the sergeant in Hill Street Blues always said, "let's be careful out there". It's the only real option.

Daffy.

You're making a wild assumption that ActiveX is the only means whereby Remote Methoding is executed from within a web browser. What about Java RMI, CORBA, or Flash Remoting? They are all seen by IE in the same way, and all treated [at least in any way an average user would interpret them], as ActiveX controls... When in fact, many different methods might be used outside of ActiveX. A great number of escalations seen by users on the web have nothing to do with ActiveX, which again, is only one means of remotely invoking code execution.

And you think securing the web from COM/DCOM was tough... it's laughable. That is actually possible. What isn't going to be possible is to consistently secure browsing from all the asynchronous scripting being used.

The model that needs to be followed is actually found in IE 7 on Vista, where securable objects may be used opposite a brokering agent where escalations are required [UIPI]. This is part of protected mode in IE 7 on Vista and the technologies are available for all developers.

"Use Firefox..." Again, laughable. It's a joke in the context of security. By the way... ActiveX was the only RMI that had a chance of being secured... all methods are full of serious holes.

You want to be secure? Run IE 7 in Protected Mode on Vista as a standard user and pay attention to what you are doing and don't install anything you don't trust. You want to get completely owned? Use something else.

"You want to be secure? Run IE 7 in Protected Mode on Vista as a standard user and pay attention to what you are doing and don't install anything you don't trust. You want to get completely owned? Use something else.

LOL -- such cogent advice, you wisdom is so profound, millions are taking it -- NOT.

We all know the favorite target for script kiddies and malware authors isn't Linux or OS X. Why? because finding holes in W2K/XP/Vista is just so damn easy.

@scipio wrote: The Linux OS is free if your time has no value.

I donno, I speant weeks and weeks working on Windows over time. It seems that I was spending more time babysitting, protecting it, and running fixes, patches and crap to keep it up and going and when I though Vista x64 was doing great, well, so much for wishful thinking.

I spent the last couple of days reformatting all my PC drives and machines to Ubuntu x64. 5 machines converted and configured running a true linux network on the different machines. Yes, I am well versed on gparted, second favorite application thus far in Linux.

I am not saying Ubuntu x64 is perfect, and I made it crash, doing way, way too many things at once -- I assure you that Vista x64 would of never reached the processing level that Ubuntu did when I crashed it. I guess configuring, updating, and running four desktops at once is a little extreme but that's what caffiene will do for you.

Yeah, the only pain in the butt for me was converting all my docs and files from MS Office 2007 to Open Office, but that isn't so difficult. I am on a Windows PC right now typing this letter. But guess what, this freakin' thing is joining the Ubuntu crowed. Also I like to make note of the latest release of Ubuntu -- Unlike the MS crap out there as far as operating systems go. Ubuntu CD boots up in a live version, and of course will not touch a thing on your harddrive or configure jack on you workstation or PC. You can easily find out if everything is working good or not.

Does Microsoft do that? NOPE, you have to install stuff, mess up your registry, and heaven forbid, cause your system to crash in the process.

There is a lot of good in freeing your PC and mind from MS, and if you still need MS, dual boot Ubuntu, take it for a spin, and before you realize with good resources out there like Ubunto Forum for noobes like me -- You'll be making the permanant switch before you know it.

I am not a linux shrill, no more than I am a Microsoft or Mac shrill. I am just saying based on my limited experience. Yes, Firefox no matter what platform you are running is much better than IE 7.0.

Well, I got to install Ubuntu on this beast, my last installation, so see me later in about 25 minutes!

I vote for Opera. The main feature of Opera that I miss when I use another browser is spatial navigation. Just type Shift + an arrow to move to the link in the direction of that arrow. The active link is made much more obvious than the small dotted line surrounding it in other browsers. Just press enter to follow the link. This allows me to quickly navigate to the link I want from the keyboard. With other browsers, I must resort to pressing the tab key many times until I get where I want.

Another thing I really like about Opera is mouse gestures. I use a laptop; so I don't like moving the mouse that much, but the mouse buttons are readily accessible. With mouse gestures, I can roll from the right button to the left to go back, or from the left button to the right to go forward. This is a quick and intuitive motion that is easier than Alt+Left or Alt+Right.

I know Firefox can get mouse gestures with an extension, but I have never been interesting in spending my time looking around for good extensions. I like how Opera is good as a fresh install.

When it comes to standards, Opera is the leader. As someone who is interested in emerging web technologies, I appreciate this as it typically allows for experimentation sooner than the other browsers.

Funny, I've had ActiveX turned off for years yet everything renders accurately, quickly, and as the creator intended.

Oh that's right, I'm on OS X.

People need to realize that Microsoft cannot be trusted to create technologies and "standards" that won't penalize non-Microsoft platforms.

Exhibit A: While all other web mail clients render wonderfully irrespective of platform, I'm only reminded by "Outlook Web Access" that I'm on a non-IE browser and thus will receive the "Light" version, which looks like a first attempt at HTML 1.0. Inexcusable in 2008.

Just to point out that Mr. Wilcox's blog post conflates what truly requires ActiveX with what vendors choose to implement as ActiveX plugins for IE. For example, he brings up a MS Watch blog post from yesterday that had an embedded Flash video. The Flash plugin for IE uses ActiveX, but the same is not true of the Flash plugin for non-IE browsers. This same line of reasoning, therefore, applies to YouTube (which Mr. Wilcox also brings up), since YouTube's web interface uses Flash extensively.

Of course, if Microsoft hadn't removed IE's ability to use Netscape-style plugins, this might not be an issue. Firefox and other Mozilla-derived browsers still mainly use this other plugin standard (which, funny enough, doesn't seem to be affected by the Eolas patent the way ActiveX was). So without IE, you can browse YouTube without a lick of ActiveX code, and there's no "wasteland" to be had in this case.

This is the result of Microsoft pretty much mandating that all plugin vendors move to ActiveX, so it's a bit disingenuous to imply that ActiveX is necessary for a good web experience.

Well, isn't this interesting? I post a comment that was actually reasoned and well thought-out, and when I come back later to this article because I found something else interesting to add, I find that my previous comment has been mysteriously deleted.

Previously, I was merely pointing out that the way this blog entry is written, it strongly implies that ActiveX is a requirement for a good web experience. That's simply not the case. Microsoft deprecated the Netscape-style plugin support for IE, requiring all plugins to now be ActiveX. Therefore, when Mr. Wilcox raises the issue of Flash not working in a previous MS Watch blog post when turning off ActiveX, it's never stated that things didn't have to be this way -- after all, Firefox and other Mozilla-derived browsers can display Flash content without a single bit of ActiveX coming into play.

I also pointed out that the Eolas patent doesn't seem to apply to the Mozilla-style plugins, only to ActiveX, and this has created untold grief for web developers the world over because... well, let's face it, you can't ignore the dominant browser in the market.

My additional comment is related to the comments made by Platform Agnostic. I simply wanted to amplify his point by noting that Hotmail has been found to degrade its performance deliberately for Firefox 2.0 users -- this was even covered today on Slashdot. For those who care, the URL is
http://linux.slashdot.org/article.pl?sid=08/02/08/1355246

(User agent spoofing by the browser is an easy work-around for the problem, and proves that the incompatibility is probably deliberate.)

Vista's repeated confirmation requests are self defeating in my experience. People just become accustomed to clicking yes yes yes, just do it dammit! Microsoft's approach to ActiveX and other security confirmations just encourage users to click yes on anything to get the computer to do what they want. ActiveX is flawed for sure and it's easy to live without it - Java and Flash do most of what ActiveX does, have fewer problems, and are cross-platform for web browsers and operating systems. Many major sites are already migrating in that direction, especially given the increasing user base of other operating systems like Mac and Linux.

Long gone are the days where ActiveX load without the user knowing it and giving permission for the install.

Probably 99% of the users do not know what the heck ActiveX is, or why it can be bad.

ActiveX lets your browser do things on your operating system like open files, read files....etc...so you can see it can be very dangerous if you dont know what it is doing, who wrote it and where you are getting it from. None of these issues are ActiveX issues.

The only problem I see with webbase activex I see is it is not contextual based. In other words I I give site xyz. permission to install activex then it should only be used in my browser when I am on that one and only site.

The same problem exists in FireFox extensions.
You can install extensions that can hurt your system, spy on you and all the other bad stuff there is. It angers me to no end to read the masses saying how I should use FireFox so I dont get spyware or bad software...when in reality you CAN. If you dont know the source of the extension you can get burned.

Yes, Firefox extensions dont load by themselves but neither do ActiveX components.

Keep using Firefox if you dont mind sending every site you visit to Google so they can save a huge database of traffic under the gise of "secure surfing"...after all its free so they got to make millions some how.

In my mind IE is free too. I mean if MS removed IE from the market tomorrow I would still have to pay 1-300 bucks or whatever it is now for the OS.

IE and MS are way far from perfect.
FireFox is not any better.