At some point, you’ve probably seen an error message pop up that "Active Content on this webpage has been blocked. Click here for options." Microsoft and the other browser makers give us these warning so we can try to make choices about what to trust on the web and what to avoid. Unfortunately, most average computer users don’t know what "active content" is or how to decide what to trust. There are no easy answers for deciding who to trust but after reading this overview, you should have a little more idea of the risks you are taking.

Active content today comes in two basic flavors – web scripts like JavaScript or VBScript and programs such as Java or ActiveX. Both use code embedded in the webpage to help the webpage do something extra (like drop-down menus) or formatting of the page look better. While these scripts make the webpage more user-friendly, they can offer a way for hackers to get into your computer.

Web scripts are used on almost every web site now. These scripts let the web designer customize the look and feel of the site and are very easy to use. The script is written into the webpage and is executed by your browser. There are limits to what the script can do, making them mostly safe. Unfortunately, one of the ways they can be exploited is to redirect you from a legitimate web site to a look-alike malicious one that may download viruses or collect personal information.

Java and ActiveX controls are actual programs that are already on your computer or can be automatically downloaded into your browser. ActiveX can do anything on your computer that you can do. That’s helpful if the web page is supposed to find and run a program for you but very dangerous if exploited by a hacker. Untrustworthy ActiveX controls can be used to load spyware, collect personal information, connect to other computers or do other damage. (If you’re trying to load or update well-known software like Flash Player or Adobe Reader, it’s probably okay. On the other hand, if the browser is trying to launch something like WeatherBug or MemoryMeter, SAY NO!) Java applets usually run in a more restricted environment and have less rights on your computer (and therefore can do less damage if exploited), but if that environment isn’t secure, malicious Java applets may be used for attack as well.

In general, you should set your Internet Options to block ActiveX. For computers containing highly sensitive information, you should also consider disallowing Java and JavaScript. Only allow the content through if you are sure that you are at a trusted website. Recognize, however, that the added security may cause some features of the website to not function or to function improperly. Once you’ve verified the security of a site, you can designate it a “Trusted Site” and allow future active content from that site. And always keep your anti-virus, anti-spyware and firewalls running and your software fully patched.

based in part on CERT Cyber Security Tip ST04-012

Leave a Reply