Thursday, December 07, 2006

I think I should be speechless about ActiveX on FireFox

Part of me does not want to even put the link in text... but, without the link, it is kind of pointless.

http://www.iol.ie/~locka/mozilla/plugin.htm#introduction

Somebody is making a plugin to run ActiveX controls on FireFox. Now, I don't know about any of my readers, either from MepisLovers or otherwise, but one of the main selling points of FireFox is that it does not support ActiveX. Even Microsoft admits that ActiveX is a Bad Idea, or at least a Bad Implementation of an idea.

I personally started using FireFox because I got tired of the ActiveX junk that Internet Explorer natively accumulates, and for no other reason. I didn't care about open standards. I didn't care about open code. I didn't care about tabbed browsing. I didn't care about small executables. I didn't care about integrated RSS readers. I was flat out tired of having to run two anti-virus and two anti-spyware programs every day in order to keep the system clean of junk accumulated by ActiveX and Internet Explorer.

Sure, now I care about those things. Now it does make a difference to me. But, the entire reason I moved to using and advocating Open Source software is that I was concerned about security. I wanted to remove as many entry points as possible. Now, we are very much aware of many security analysts out and about writing about how FireFox is no more secure than Internet Explorer. We've heard all about the security comparisons.

Let me put it this way. I can count on one hand the number of compromised and hijacked FireFox browsers that I have had to fix. As a matter of fact, I don't even have to use a hand. Why? Because to this date, I've never actually seen an end user run into a FireFox exploit. Now, I have seen pop-ups get through. I have seen pop-unders. I've seen ads get through. But since I moved to FireFox on Windows, the worst browser problem I've seen has been tracking cookies. I can say the same for Opera on Windows.

Now, Internet Explorer, on the other hand, is a completely different story. When I was working for Sitel we received on average 4 calls each, per day, from people with hijacked or compromised Internet Explorer browsers. Now, you figure an average of 60 people taking calls over an 8-hour period, that is/was 240 compromised Internet Explorer systems every 8 hours. That was from our call center alone, never minding what San Diego, Call Tech, Sykes, or WTX-Cox handled (and forgetting the other regional call centers).

After Internet Explorer 7 launched, I've heard numerous reports of people whose Windows installations have been completely Swedish Chef Borked over by the Microsoft Upgrade. I, personally, have had to deal with 23 different compromises since IE7 launched.

Does that put it into perspective for you on what the real security situation is? Now, I firmly lay the blame for the sad situation with Internet Explorer Security at the feet of ActiveX. I know that at least 20 of the problem IE7s I had were caused by the "need" for Microsoft to support ActiveX controls from IE6.

Now, when I read that someone is implementing ActiveX controls on FireFox, in ANY form, "needs of compatibility" is not a phrase that runs through my mind. "Gaping Security Hole" is. Now, I don't know how we could persuade the author(s) of the ActiveX plugin to stop, and I understand that there are corporate interests being served that probably would not deploy FireFox (or Opera for that matter) without ActiveX support.

My question that I pose to the Author(s) is this then: Do you really think implementing a process or application, a process or application so dangerous that even the creator of that Application or process gets behind the message that it needs to be gotten rid of, is a good idea? I don't think so.
