Active X and Server Risks

AbbieRose

I'm aware of the dangers that viewing pages with Active-X can pose, because of its system access. But does it pose a risk to the server at all when your pages utilise it? Or is that merely a one way risk?
 
From my understanding, it's only on the user end of things. The Active-X allows extra commands to operate without the user's interaction. Personally on my computers, Active-X is disabled on all sites unless I give specific access to a site I trust.

I don't believe the exploitation flows back to the server (unless the script loaded up a DDoS script to go after the serving page or something).
 
Well, as just explained, the risk is not to the server but to the user. Active X allows things to be installed on your computer without your say so, and can change settings. It can be very dangerous, and I too have it disabled.
 
Did a quick hunt on Google regarding Active-X and Servers, and for the most part everything says it's an exploit on the user end of things for trojans etc, but then I found this article: http://www.crn.com/security/218400583;jsessionid=D4WKAPP0BOHD5QE1GHPCKHWATMY32JVN

It states that this particular vulnerability affects versions of Windows XP and Windows Server 2003. So it looks like SOME exploits *CAN* indeed flow back to the server level of things.

I've never had any issues on something like this myself, and until just this minute I'd never heard of an Active-X affecting a server. But then I'm a Unix guy and rarely deal with Windows servers.
 
I would think that many people are like you and haven't had to consider it. It only came up because of some custom code that my partner's company refused to host, and I started to look into why and one question led to another. Thanks for the article.
 
is that merely a one way risk?

Exactly! It acts based on your browser; it doesn't perform any operation on the server end. And an ActiveX is coded for Windows variants only. If your clients are using Linux, the ActiveX won't load at all.
 
Not only is it just Windows, it is just Internet Explorer. None of the other browsers support Active-X (thankfully), which I think is a wonderful thing.

I never did like the insecurity and vulnerability that Active-X leaves us with, so I never run those controls.
 