eWeek Microsoft Watch
January 16, 2007 10:25 PM

Way Too ActiveX

Joe Wilcox

What does Microsoft know that we simple users of Internet Explorer don't?

With Internet Explorer 7, Microsoft made some hefty changes to ActiveX controls, turning off a bunch by default and flipping on the security warning switch for many others. If timing means anything, the ActiveX changes are possibly quite important.

Today, over at Symantec's Security Response Weblog, Greg Ahmad reveals startling--and I do mean shocking--increases in ActiveX vulnerabilities. According to Symantec, ActiveX vulnerabilities stayed in the 12- to 15-a-year range from 2002 to 2005. For 2006, the number of vulnerabilities "reached 50," with 42 in the second half of the year--coincidentally, the same time period in which Microsoft finished up and released Internet Explorer 7.

"During the first quarter of 2006, three ActiveX vulnerabilities were reported. This was followed by nine in the second quarter, 13 in the third quarter, and 26 in the fourth," Ahmad wrote.

"This rise of vulnerabilities in ActiveX controls can be attributed to a variety of reasons," Ahmad explained. "These include an increasing number of vendors shipping insecure ActiveX controls and the availability of a variety of security testing tools and ActiveX fuzzers that allow researchers and attackers to rapidly find vulnerabilities with relative ease."

In security discussions with Microsoft about Internet Explorer, insecure and exploited ActiveX controls emerged as ongoing concerns. Both problems pose risks that end users probably wouldn't understand unless a security breach was obvious. In the exploited scenario, a Web site would take an ActiveX control designed for one purpose and abuse it for a malicious purpose. A simple example would be an ActiveX control for Word, designed for use on the desktop, being invoked by a Web site in the Internet Zone.

"The rise of vulnerabilities might also be due to the prospects of finding critical vulnerabilities that facilitate remote unauthorized access in the context of the client application," Ahmad wrote.

Microsoft was right to turn off many ActiveX controls.

Ahmad attached a "Part 1" to his post, which raises the question, "What next?" Isn't the large increase in ActiveX vulnerabilities bad enough? What could be worse?


Comments (6)

Mario :

This is a perfect article that follows up on the "Vista Security: A Petulant Child" simply because it justifies UAC. Just like in my comment, "today's ever-increasing threats" (just what this article states) demand Microsoft action and UAC is a perfect response. By raising the bar via having many limits on the user and developer (security-wise), companies will have to finally get their ActiveX signed and start building apps that are not going to be hassling the consumer. It's going to take extra work on everyone's part, but it needs to be done; it's the only way that Windows essentially becomes more secure and companies can deliver a better experience.

Big Fuzz :

Are these really "ActiveX" issues, or issues with the software written - which just happens to be ActiveX?

I mean if I wrote buggy application software that crashed the operating system, an informed person wouldn't say that the OS was the problem, they'd say it was the app.

> Are these really "ActiveX" issues, or issues with the software written -

They're ActiveX issues, because ActiveX technology is supposed to provide an isolated process area in which to run, and they shouldn't have access to any memory or disk or hardware resources that could cause the operating system to crash. If they do cause such a crash, then they accessed something they weren't supposed to be able to, and that's a vulnerability.

Amusedgeek :

It can also be argued that the OS should not be allowing the ActiveX access to any memory or disk or hardware resources that could cause the operating system to crash.

ActiveX, by its nature and design, is fundamentally security flawed. The "Security" in ActiveX is that the vendor signs the component, saying "I promise that this will not do any harm."

In addition to poorly coded and poorly designed controls, the ActiveX system does not block the control from using or accessing resources on the computer. In fact, anything the user account that is running the browser can do, the ActiveX control can do - read any file the user can, write any file the user can, update any software, etc.

What makes this worse is that the user, when running as Administrator, can actually update the operating system via ActiveX - even Microsoft's Windows Update web site uses some ActiveX controls within the browser to update the OS. This means that any web site can do the same if it wishes to. And if they take the time to sign their ActiveX control, the user may not even get a security requester before it goes and does its thing.

Add to that the ActiveX controls from other vendors that have had security design flaws and the whole ActiveX design, and you get just one massive hole that should scare everyone.

steve :

Microsoft DOESN'T CARE... they just need reasons to sell you more releases of "updated" os. Vista is still fundamentally flawed... the UAC is annoying and in the end USELESS because it just puts responsibility on users... and eventually users will click ok to all UAC requests. It's totally useless if the sw vendors write a program that is vulnerable. It's a blame game for MS, they are just pushing responsibility for security to users and sw vendors (they think just making someone "sign" an ActiveX control will keep vulnerabilities out). Windows update uses ActiveX to get users to "THINK" it's secure. With all the resources that MS has, they can simply make a proprietary secure connection just for windows update.

I'm sure MS just makes their employees "sign" ... "I will not steal information from company" and let them work there without 24/7 watch...
