IE, ActiveX and Netscape Plugins

It’s always hard to tell how much of an interview is what the guy actually said, and how much is editing, but the following paragraph from a betaNews interview with Gary Schare, Director of IE Product Management makes the blood boil:

GS: ActiveX is a very powerful platform. While ActiveX itself is unique to Internet Explorer, the technology of extending a browser with native code is not. You have the Netscape plug-in model that runs in Netscape browsers and Firefox browsers, and is the moral equivalent of ActiveX from a code perspective.

And it used to run in IE and therefore be a cross-platform plugin model, before you removed supportfor security reasons“. If the two are “moral equivalents”, what were the inherent security problems in the Netscape plugin model that you couldn’t fix?

Or was, in fact, the removal of IE’s ability to run Netscape plugins nothing to do with security and the needs of users, and everything to do with shoring up your monopoly?

In fact, of course, the two are not “morally equivalent” – installing a plugin is just like installing any other piece of software on your computer, whereas installing or using an ActiveX control is far easier than that – hence the problems.

The difference is that we did a lot of work in ActiveX to ensure that users only install the controls they really intend to, eliminating the drive-by download vectors of the past. A lot of that work came in IE6 XP SP2.

That’s enormously misleading, because saying “the difference” implies that Netscape and Firefox still suffer from being “drive-by download vectors”. In fact, drive-by downloads has always been 95% an IE problem and 5% a JVM problem. This is like saying “The difference between me and Bob is that I’ve stopped beating my wife.” It doesn’t say that Bob still beats his wife, but it implies it.

11 thoughts on “IE, ActiveX and Netscape Plugins

  1. “the difference is” I believe that is being used to compare ActiveX versions as per the article question. Or at least that’s how I originally read the article yesterday.

  2. To me, this interview makes Gary Schare look like he is talking out of his arse, or at least it gives me that perspective.

  3. I am glad to hear that you have since stopped beating your wife – for her sake, and yours.

  4. “… and is the moral equivalent of ActiveX from a code perspective.”

    What I don’t understand is why uses the word moral at all. It just doesn’t fit.
    “Moral equivalence” is a term used in politics, not coding.

  5. Some guy: The Greasemonkey update situation is entirely different. Installing an addon is like installing a plugin – it’s installing a new piece of fully-privileged software on your computer, and the UI and user experience reflect that. If a 3rd party addon has a security hole, a) that’s not the responsibility of the Mozilla project, just as holes in IE addons are not Microsoft’s fault, and b) it’s just the same as if your media player or P2P client had a security hole.

    It has nothing to do with the “rich web content” experience which ActiveX tried to provide, where a web page could invoke various bits of native code on your box at will.

    Also, your statement is wrong on the face of it. Having root access from a flaw in an addon is exactly equivalent to permitting a drive-by download. Both give a 3rd party full access to your computer.

  6. Gerv,
    You say “It has nothing to do with the “rich web content” experience which ActiveX tried to provide, where a web page could invoke various bits of native code on your box at will.” I think this is a misrepresentation of what ActiveX is for and may explain much of the apparent confusion on the subject and I do not see any distinction.
    The fact is that both Netscape plugins and ActiveX controls are binary code and have access to the system and system APIs, they are designed to allow access to the same thing. ActiveX is essentially COM and this extension mechanism was provided in IE3 to allow existing developers easy access to APIs that they were familiar with alongside support for the Netscape plugin APIs.
    Gary’s point is essentially correct that any form of binary extensibility has some pretty significant security risks. I’m sure you’ve never done this but ActiveX is regularly discussed by Microsoft’s detractors as providing access to the system while they fail to mention that Netscape plugins offer binary extensibility and access to the system as well.
    You appear to agree that binary extensibility is a significant security risk in the comment above so I remain a little confused as to what exactly is making your blood boil today.

    You respond to the article by quoting a five year old situation where Netscape plugin API support was removed from IE6 which is an entirely separate and now quite old issue. As most plugins also exposed ActiveX control interfaces which are used when the EMBED tag is encountered on a page the internet did not suffer as the September 2001 article seemed to predict. The IE team regularly deprecates existing functionality that is not widely used as part of work to reduce the surface area of attack. This work continued in XP SP2 and continues in IE7 today where existing code that is not used is removed or in cases where it is rarely used disabled by default so that the attackers have fewer places to attack. This work takes place regardless of any known security risks being present.

    If you want to read about the work in IE7 around ActiveX extensibility and security improvements take a look at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/cols/dnexpie/activex_security.asp
    The improvements continue in Windows Vista with Protected Mode http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp where the security contexts in Vista are available so the IE process including any extensions can be isolated from writing to the system.
    Thanks
    -Dave Massy

  7. I think from the tone of their speech they’re trying to imply that Netscape plugins are as closed-source and proprietary as their ActiveX ones.

    In that case I’m curious to know where I can download their Free Software equivalent of the MPlayer plugin, or their free software ActiveX equivalent of Konqueror’s nsplugin support.

  8. There’s a critical flaw in the second sentence of GS’s statement.

    He says: “While ActiveX itself is unique to Internet Explorer…”, but conveniently fails to point out that it’s actually unique to IE under WINDOWS!!!

    IE under OS 9 or OS X have never had +any+ ActiveX support, being MacOS and all… which angered me no end when I first started to see it appearing on the supposedly platform-independent web – and ultimately prompted my complete switch (across all platforms Mac/Win/Nix) to Mozilla-based browsers.

    Incidentally, I’ve noticed that for a while now, the #1 agent for visitors to my website is no longer IE, but a selection of Mozilla-based browsers, with IE coming in either 2nd or 3rd dependant upon the number of Mac-users visiting with Safari each month forcing it down.

    If you can’t join ’em, beat ’em!

  9. The fact is that both Netscape plugins and ActiveX controls are binary code and have access to the system and system APIs, they are designed to allow access to the same thing.

    But a plugin has to be installed by downloading and executing an installer, just like any other piece of software, and so the browser provides the usual caveats and warnings about executing untrusted code. At least until recently, ActiveX controls could be invoked, and their code run, just by including particular HTML in a web page.

    This is the key difference. (And it’s why ActiveX is much more like Java than like plugins. Except Java at least attempts to have a sandbox.)

    As most plugins also exposed ActiveX control interfaces which are used when the EMBED tag is encountered on a page the internet did not suffer as the September 2001 article seemed to predict.

    In other words, you removed it because you knew it wouldn’t cause your browser trouble (because existing plugins had both interfaces), but it would cause trouble for other browser vendors (who could not now say “write to the NPAPI; it works everywhere”) and plugin developers (who now had multiple standards to support, and hopefully would choose only to support the Microsoft-specific one). When you say “the internet did not suffer”, what you mean is “we, and anyone else using our browser, did not suffer”.

    It was a decrease in interoperability made possible by a willingness to abuse a near-monopoly power. I don’t buy that this was about “attack surface reduction”, and to equate it with the current efforts in that area is anachronistic.