Vista to allow ActiveX installation
- 22 June, 2006 08:16
Microsoft is to give Windows Vista an option for users to install ActiveX controls without the need for administrator approval, the company has revealed.
The move is in response to beta tests, which found that administrators had a hard time keeping up with updates to ActiveX controls, Microsoft said.
User Account Control (UAC), a feature to be introduced in Vista, places strict limits on standard users, including barring them from installing ActiveX controls without authorization from an administrator.
The feature's constant prompts for authentication have been heavily criticized by industry observers.
Chris Corio, a UAC program manager, said specifically that companies involved in the Technical Adoption Program (TAP) testing Vista had problems with numerous ActiveX controls used in day-to-day business.
Because users couldn't install the control updates themselves, administrators were being overloaded, he said.
"These ActiveX controls were being updated regularly, and the corporations couldn't package and deploy them to their users quickly enough," Corio said in a document describing the upcoming feature, on Microsoft's MSDN developer Web site.
The solution Microsoft is proposing is called the ActiveX Installer Service, consisting of a Windows service, a Group Policy administrative template, and a few changes in IE, according to Corio. The aim is to allow administrators to define group policies establishing URLs from which standard users can install ActiveX controls.
The feature will be an optional component with the Ultimate, Business and Enterprise versions of Vista, Microsoft said, and will only be enabled on clients where it is installed.
If the feature is enabled, and IE encounters a needed ActiveX control or update, the browser asks the service to carry out installation. The service checks to see if the control's host URL is defined, allowed and listed in group policy.
If it is, the service creates an installer object. If group policy doesn't specify that the control is allowed, Vista reverts to its default behavior, which is to ask for authentication, according to Corio.
So far, the service works with controls packaged as .cab, .dll or .ocx files, but Microsoft plans to enable MSI (Microsoft Installation) packages as well.
Microsoft demonstrated the service at last week's TechEd developer conference, and Ben Fathi demonstrated it as part of his security keynote there, the company said.
The feature will be included in Vista's the next public release, Release Candidate 1, according to Microsoft.
Not all administrators are thrilled with the idea of allowing constant updates of ActiveX controls. One administrator, writing on a MSDN discussion board, said developers shouldn't feel free to release buggy software and then release often disruptive fixes on a regular basis.
"Isn't this just a new excuse for the designers of said ActiveX controls to keep on releasing patches without thought of testing them before the fact?" he wrote. "The last thing I want to learn is that someone's falsified WebEx's certificate and is pushing malware under my nose. Or that WebEx released an update with a bug that results in privilege escalation."
Another admin commented that the feature is probably "a necessary evil."