What are the security risks with the use of ActiveX?

ActiveX controls, also called “add-ons,” are small Microsoft VC++ scripts, which some websites require the user to install in order to see some content or perform certain tasks on it. ActiveX control can run on Microsoft Office products as well.
Unfortunately, ActiveX controls are “unsecure by their very design” 7 and have been a significant source of security problems. They also cannot be “deleted”, as on installation they leave a mark in the Windows Registry and get instantiated. They need to completely un-installed to be free of them.
Some of the risks ActiveX poses are-

  • Stopping the computer from functioning
  • Tampering with the Windows Registry and render the OS unstable
  • Monitoring browsing habits and acting as spyware
  • Acting as keyloggers and collecting sensitive data (passwords, credit card numbers etc.)
  • Rendering adware – annoying “pop-ups” and other unwanted content
  • Pushing malicious code into the system – worms, virus, ransomware
  • Being susceptible to buffer overflow bugs making even “good” ActiveX controls open to being hacked and malicious code being pushed into it

Microsoft’s stand on ActiveX controls-

A current, but undated, article on the existing Microsoft website states that ActiveX controls can “stop your computer from functioning correctly, collect your browsing habits and personal information without your knowledge, or can give you content, like pop-up ads that you don’t want. Also, “good” ActiveX controls might contain unintended code that allows “bad” websites to use them for malicious purposes.” 8 and goes to further lay out steps to uninstall and complete remove ActiveX controls from the Windows system. This seems to suggest that Microsoft has not been successful in making ActiveX controls secure, and that they are best not installed.