How potentially dangerous is Java and ActiveX?

Pete

I recently downloaded three different instances of ActiveX
from a couple of trusted sites, in order to run some online
security checks on my PC. I was aware that I also had some
Java already on my PC, again from reputable sources.

I've completed the security checks with a clean bill of
health, it seems, but when I look in MSAS's logs of such
things in the Advanced Tools/Security Agents section, MSAS
lists eight instances of ActiveX, two of which are unknown.

How potentially dangerous is it to allow Java and ActiveX
to remain on the PC? To me, it looks like most of that
eight are needed for run-of-the-mill Microsoft processes.

Deletion is a possibility but fully deleting ActiveX might
not be possible, because certain values also get put into
the Registry, so it's not just a case of deleting instances
from the Downloaded Program Files folder.

I see in MSAS Advanced Tools/Security Agents that logged
ActiveX can be blocked if required. Should I simply do that
to the non-Microsoft ones? Will that be safe enough?

One of the unknown ones that's worrying me a bit is Direct
Animation Java Classes, which apparently gets put into
C:\winnt\java\classes\dajava.cab.

BTW, I normally browse with Firefox but there's Internet
Explorer there to use as well.
 
Bill Sanderson

Don't assume that an ActiveX control listed as unknown is bad, at this
point, especially if it is from a trusted vendor--such as Microsoft. Not
all controls are known to Microsoft Antispyware at this point.

You can block such things without too much ill effect--that action can be
reversed.
I've got 17 unknown controls on my system at this point, as well as 4 that
I've intentionally blocked.

I'm not familiar with the java object you mention, but I don't see any
immediate reason to be concerned about it--I think that it is likely
legitimate, although I can't immediately spot it via Google.
 
Bill Sanderson

As a different approach to answer your subject header directly:

ActiveX controls are executables which you are allowing to run on your
machine.

Like any other executable code you choose to run, it is possible that it
will compromise your security in a variety of ways. ActiveX controls are
cryptographically signed by the publisher, which is an advantage over your
average executable--at least you have a clear assurance both of who the
program was published by, and that it is intact--that the code isn't
changed.

Similar things can be said of Java, although the security issues are
somewhat different, and I don't think I can speak accurately about the
details.

Don't run binaries (code) on your machine that you can't be certain of the
source and benign nature of. What's a binary? Well--besides your usual
executable programs, ActiveX controls, java--there are also: Zip folders,
definitions for your antivirus, mp3's, and PDF files. Each of these classes
of files has been involved in exploitable security vulnerabilities in the
past year or so, although not in widespread ways, generally.

Any application on your machine which runs content that comes from outside
is a potential vehicle for exploitation--keep an eye out for updates from
vendors of such apps.

Keep a firewall active, your antivirus up to date, Microsoft Antispyware's
real-time protection running, and don't sweat it too much--you can get mired
in the details.
 
Pete

Thanks Bill, that's reassuring.

Actually, ActiveX is only ever allowed to run in Internet
Explorer, on my machine. Firefox is not designed to cater
for ActiveX and, in Firefox, Java is optional.

Using MSAS, I've now blocked the three temporary ActiveX
downloads I used. I don't think they'll need to be run by
me again for a very long time. I found in MSAS also a
section where you can delete listed ActiveX processes as
well, including all the associated Registry entries. So,
that's jolly useful. It's good that MSAS gives that facility.

As for 'Direct Animation Java Classes', I've decided to
leave that alone for the present. You might be correct, in
that it's probably a legitimate entry, though I note that,
looking in the Properties of the dajava cab file, it says
that the certificate (dated way back in the 1990s) has
expired or is not yet valid, so maybe I ought to at least
block it. What d'ya think?

Meanwhile, I've remembered that ActiveX settings are
pertinent in Internet Options/Security. There, the setting
for the Internet zone should be left on at least Medium and
the various settings for ActiveX and Java in that (briefly,
switch to Customise, to see the settings) left on their
default settings. Also, in the Trusted zone/Sites button, in
that Security tab, I've added various websites from which
certain regular downloads are required. Among these are
Windows Updates (WU). If ActiveX controls for WU are
blocked or deleted, you can't then access WU. Note that
Shockwave and Flash also require ActiveX and I see that
they're also in the list in MSAS.

Going back to the Trusted zone/Sites, in Internet Options,
should any entries you make there include "http://", "www."
or "http://www."? I've omitted those bits from my entries.
Also, I've cleared the 'Require server verification (https)
for all sites in this zone' checkbox.
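
Added example, not part of the original thread and not written by either poster: a PowerShell report of the Authenticode status of installed ActiveX components, covering the publisher signature discussed above and the expired-certificate observation on dajava.cab. It assumes PowerShell 3.0 or later and the default folder locations; the function name `Get-ControlSignatureReport` is made up for this example.

```powershell
# Added example: report Authenticode status for installed ActiveX components.
# Folder locations are assumptions (Windows defaults); adjust for the machine.
$folders = @(
    (Join-Path $env:SystemRoot 'Downloaded Program Files'),
    (Join-Path $env:SystemRoot 'java\classes')   # folder holding dajava.cab in the thread
)

function Get-ControlSignatureReport {
    param([string[]]$Path)

    $now = Get-Date
    Get-ChildItem -Path $Path -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.ocx', '.dll', '.cab', '.exe' } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                File        = $_.Name
                # Valid        = signed, chain trusted, file unchanged since signing
                # HashMismatch = file was altered after it was signed
                # NotSigned    = no publisher signature at all
                Status      = $sig.Status
                Publisher   = if ($cert) { $cert.Subject } else { $null }
                CertExpires = if ($cert) { $cert.NotAfter } else { $null }
                CertExpired = if ($cert) { $cert.NotAfter -lt $now } else { $null }
                # A timestamp countersignature lets a signature stay valid
                # after the signing certificate itself has expired.
                Timestamped = [bool]$sig.TimeStamperCertificate
            }
        }
}

Get-ControlSignatureReport -Path $folders |
    Sort-Object Status, File |
    Format-Table -AutoSize
```

A row with `CertExpired` true, `Timestamped` true and `Status` Valid is an old but intact signed file; `HashMismatch` or `NotSigned` on a control that claims a well-known publisher is the case worth blocking and investigating.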
 
