by Matt Heller
I’m old enough to remember when ActiveX first ‘came on the scene,’ and it was transformative. To that point, we’d all used static content and simple hyperlinked pages. You could manage to fake some dynamic content if you knew what you were doing, but real interactivity and dynamic content weren’t a reality. Yes, that’s a LONG time ago, especially in Internet years. After the euphoria of these new capabilities wore off, we began to see some downsides. At first, it was mostly network-related stuff – I recall being asked by our network team why usage was rising for certain teams. It turned out that Active Desktop and ActiveX were great ways to keep data flowing to the endpoints…even if the user wasn’t using those apps at the time. Remember, this was a long time ago, when networks were token ring and ethernet was 10MB if you were lucky. BIG Internet connections for business were T1 lines, so bandwidth consumption was a different concern than today.
Next came the serious security downside, and as the old saying goes, “with great power comes great responsibility.” It wasn’t long before people started to realize that binary extensibility could deliver pretty much limitless capabilities…which then opened up a considerable surface area for attack. ActiveX quickly got the reputation of a security hole, one that it has struggled to shake since that time. Despite all the security additions and parameters set up around ActiveX, it’s arguably still a security risk.
However, ActiveX served an essential function in the historical record of the web. At a time when browsers were new and ‘simple,’ ActiveX helped push beyond the limitations of HTML and browser functionality. ActiveX showed us that whatever features and capabilities working groups and vendors could think up, there were always more ideas under the sun. The web needed a way to go beyond the known limitations, and ActiveX was unfortunately not the design we could count on for the long term.
So then we had extensions…lightweight, easy to build, non-binary extensions that could deliver those ‘beyond the box’ experiences that developers and consumers wanted. Even if they didn’t know they wanted them yet, extensions provided a path to deliver them whenever the need arose. Being ‘non-binary’ code, they were inherently more secure and controllable than ActiveX, so the web was seeing a great advancement without the risk. I’ve long believed that extensions were much better than ActiveX from a code execution standpoint (apparently), but they represented a more subtle security threat, which I felt wasn’t getting proper attention. Unlike ActiveX, which could be attacked from various sides and directly used for escalation-of-privilege attacks, extensions were bound under tighter controls, so they appeared to be secure.
However, think about what developers use extensions to accomplish:
· Password manager
· Shopping discounts
· Developer page manipulation
Just to name a few.
These are GREAT experiences for end users. They deliver tons of value and make online experiences better. Take a second and think about what these extensions can do. They can read the page(s) users browse; they report back to identify specific targeted sites/content; they allow pages to be edited inline. Sure, there are many well-known and trustworthy extensions doing these essential jobs well and securely. However, we read about compromises every day. Well-known password manager databases have been compromised. Shopping discount engines aren’t immune to their bad news days either. The examples go on and on. Our friends over at BrianMaddon.com just did a piece on the risks of even trusting a ‘trusted’ store for your extensions.
Don’t get me wrong; I’m not advocating that people turn off extensions, I use a bunch myself. I’m just urging IT managers and CISOs to view extensions with a wary eye. Trust but verify. Most organizations have no idea what extensions are in their environment. Unlike ActiveX, which registers with Windows, extensions don’t register in that way. ActiveX requires elevated privilege to install, whereas any user can install extensions. Heck, even Chrome and Firefox can be installed without admin privilege or even run from a USB stick. Existing ITOM tools have no visibility into extensions. The fact that extensions run in the enterprise isn’t a concern, but not knowing which ones, where, and by whom should be a concern. Extensions can directly or indirectly expose corporate data, so how can a CISO or CIO effectively sign compliance documents without an accurate and ongoing inventory?
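One way to start building the inventory that most organizations lack, as an added example that is not part of Matt Heller’s post: a small Python script that walks a Chromium-family profile (Chrome, Edge) for the unpacked `manifest.json` files and a Firefox profile’s `extensions.json`, records each extension with the permissions that let it read or rewrite the pages a user browses, and ranks them for review. The Chromium layout `Extensions/<id>/<version>/manifest.json` is the real on-disk layout; the Firefox field names are as they appear in current profiles but should be checked against your version; the `SENSITIVE_PERMISSIONS` weights are a triage assumption, not a published scheme; and `build_sample_profile` creates constructed sample data so the script runs offline.

```python
"""Inventory browser extensions from on-disk profile data (added example).

Chromium family: <profile>/Extensions/<extension id>/<version>/manifest.json
Firefox:         <profile>/extensions.json  (field names assumed, verify)
"""
import json
import tempfile
from pathlib import Path

# Permissions and host patterns that grant access to browsed pages, traffic
# or browser data. Weights are an assumption used only to rank the output.
SENSITIVE_PERMISSIONS = {
    "<all_urls>": 3, "*://*/*": 3, "http://*/*": 2, "https://*/*": 2,
    "webRequest": 2, "webRequestBlocking": 2, "declarativeNetRequest": 1,
    "cookies": 2, "history": 2, "tabs": 1, "clipboardRead": 1,
    "nativeMessaging": 3, "debugger": 3, "proxy": 2, "management": 1,
}


def risk_score(permissions) -> int:
    """Sum the weights of every sensitive entry in an iterable of strings."""
    return sum(SENSITIVE_PERMISSIONS.get(p, 0) for p in set(permissions))


def chromium_permissions(manifest: dict) -> set:
    """Collect API permissions, MV3 host permissions and content-script matches."""
    found = set(manifest.get("permissions", []))
    found.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        found.update(script.get("matches", []))
    return found


def inventory_chromium(profile_dir) -> list:
    """One record per installed extension version under profile_dir."""
    records = []
    for path in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8"))
        perms = chromium_permissions(manifest)
        records.append({
            "browser": "chromium",
            "id": path.parent.parent.name,
            # Names like __MSG_appName__ are localized; resolving them needs _locales/.
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", path.parent.name),
            "permissions": sorted(perms),
            "risk": risk_score(perms),
        })
    return records


def inventory_firefox(extensions_json) -> list:
    """One record per add-on in Firefox's extensions.json (fields assumed)."""
    data = json.loads(Path(extensions_json).read_text(encoding="utf-8"))
    records = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue
        user = addon.get("userPermissions") or {}
        perms = set(user.get("permissions", [])) | set(user.get("origins", []))
        records.append({
            "browser": "firefox",
            "id": addon.get("id", "?"),
            "name": (addon.get("defaultLocale") or {}).get("name", "?"),
            "version": addon.get("version", "?"),
            "permissions": sorted(perms),
            "risk": risk_score(perms),
        })
    return records


def build_sample_profile() -> str:
    """Create a constructed Chromium-style profile with two extensions."""
    root = Path(tempfile.mkdtemp(prefix="ext-inventory-"))
    samples = {
        "abcdefghijklmnopabcdefghijklmnop/1.2.3_0": {
            "manifest_version": 3, "name": "Constructed Coupon Finder",
            "version": "1.2.3",
            "permissions": ["webRequest", "webRequestBlocking", "storage", "tabs"],
            "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
        },
        "ponmlkjihgfedcbaponmlkjihgfedcba/0.9_0": {
            "manifest_version": 3, "name": "Constructed Notes",
            "version": "0.9", "permissions": ["storage"],
        },
    }
    for rel, manifest in samples.items():
        target = root / "Extensions" / rel
        target.mkdir(parents=True)
        (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return str(root)


def ranked_inventory(profile_dir) -> list:
    """Chromium inventory sorted highest risk first, for review."""
    return sorted(inventory_chromium(profile_dir), key=lambda r: -r["risk"])


if __name__ == "__main__":
    for rec in ranked_inventory(build_sample_profile()):
        print(f'{rec["risk"]:>3}  {rec["id"]}  {rec["name"]} {rec["version"]}  '
              f'{", ".join(rec["permissions"])}')
```

Point `ranked_inventory` at a real profile (on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data\Default`) and collect the output centrally; the same two functions give you a per-user, per-endpoint list to compare against an allow-list, which is the “ongoing inventory” the compliance question above asks for.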
Let’s learn from history and be sure to keep the “great power” under control with our “great responsibility” by keeping an eye on extensions.