When Will Microsoft ‘86′ ActiveX?

Yesterday, on ZDNet, Adrian Kingsley-Hughes wrote about a couple of ActiveX vulnerabilities in Internet Exploder®, for which no fixes are coming in today’s set of patches. These problems are not new, yet there is still no fix. Microsoft seems to be stuck with using ActiveX when, time and again, it has had it shown to them that ActiveX causes all manner of problems with the system.

Another patch Tuesday comes, with not enough patches to go around.

I wonder why this is. Is it only because they refuse to re-code certain things in another manner, or is it something deeper? I see attacks upon the usage of this, and certainly the idea that in Vista and Windows 7, the fact that the browser is partly sandboxed makes the problem go away to some degree.

But why do an end run around a problem, rather than confront it head on, and simply either change ActiveX to make it secure, or eliminate it altogether? (Many authors, having an idea, state flatly that ActiveX cannot be made secure; is there too much spaghetti, perhaps?)

Last week Microsoft issued a security advisory warning of an ActiveX vulnerability relating to a video control. There’s no patch in sight. Today we get another advisory relating to another ActiveX control, this time used to display Excel spreadsheets. Since tomorrow is Patch Tuesday, we’re not going to see a patch for this vulnerability either. Both vulnerabilities are being actively targeted by hackers. Is Internet Explorer too toxic to trust?

Microsoft has issued a workaround for both vulnerabilities (here and here) but the number of people who will actively protect themselves from this threat is small, so for the time being there are literally millions of PCs out there wide open to being attacked on two fronts.

AKH then go on to say how he used to be a big fan of IE, but now he thinks it is too toxic (his words) to use.

I, on the other hand, have never been a fan of Internet Exploder®, because, from the start, it was a ‘look at us, we have a browser, too’ exercise in frustration. IE was something that Microsoft took from the Mosaic project, and dressed it up in shabby clothes, and made a claim to have a browser. What most people don’t realize, is that I could have done the same thing, as anyone at that time could; change a few words, ‘doll up’ the looks a bit, and say that they had come up with a browser, as long as the credit was given to the Mosaic project.

poor Netscape, playing Beta to Microsoft’s VHS, certainly not the last time where a better product did not win the market.

Rather than revisit how Microsoft destroyed a better browser, Netscape, by using its dominant position, I’ll simply say that the only reason to use IE is where no other browser will do. My feelings are that if Microsoft had not gotten into the browser business, the entire internet would be better off. So would they, as they just might have paid more attention to the rest of the operating system.

Getting back to ActiveX, it remains that, for Microsoft, this is like a baby, that Microsoft realizes is ugly, and defective, but remembers fondly the efforts to develop it, so, instead of euthanizing it, continues to nurse it along, much to the detriment of all.

§

‘

•

God is a comedian playing to an audience too afraid to laugh. • Voltaire

•