Microsoft has configured IE7's defaults so that only "safe" ActiveX controls (as determined by Microsoft) can be accessed, and it has enhanced separation of controls to prevent exploits from running roughshod across the entire Internet Explorer application as they often did in the past, researchers said. "IE7's protected mode definitely helps, even if the root cause in the form of ActiveX vulnerabilities is still present, and in the long run it will play a role in convincing attackers to move elsewhere, but with Vista and IE7 in relatively few hands this won't happen soon," said McAfee's Schmugar. Improvements made in the Windows Vista operating system should also help reduce the impact of traditional ActiveX attack techniques, he noted.
However, most people use neither Vista nor IE7, so these improvements aren't widely deployed. The majority of users run IE6 on Windows XP, both of whose ActiveX components remain largely unchanged and thus at high risk.
Dumping ActiveX is not the long-term solution
"The issue goes beyond ActiveX. Any plug-in architecture that has a lot of users will suffer from these same issues; anything where you have third party developers writing code that runs inside the browser," said Max Caceres, director of research and development at applications security firm Matasano Security. "As long as developers are building things without putting security at the top of their list of objectives, we'll have these problems, regardless of the plug-in architecture."