Full mea culpa mode: I was a total homie for ActiveX when Microsoft released it. It solved so many of the problems I was having, as a developer of client-server software, and it made it easy. And there was much about it that was cool, too. I scoffed at the trade journalist who described it as a "virus-delivery mechanism".

I mean, just look at what you could do with it:

You could aggregate multiple user interface elements into one ActiveX control module, basically wrapping an entire client front-end program, complete with business rules, into a single UI control component.

You could drop a reference to your ActiveX control on an ASP page. Users, when they surfed to this page, would automatically download and install the component, but only if they didn't already have it. If you did a version update, it would automatically download itself to users next time they visited. Presto, automatic client configuration management.

Have religious scruples against Microsoft's browser? You could even get a Netscape plugin and run your control there.

You could develop the darn things in Visual Basic, for Pete's sake. You didn't need to staff out your dev team with high-priced, finicky C++ talent...any old COBOL programmer turned VB drone would do.

You could script them with VBScript, which means you didn't have to do any complicated IDL binary design-time binding voodoo.

Worried about security? We gotcha covered! You can digitally sign your component, with something like a checksum, so that your users can have some degree of confidence that your bits haven't been diddled with by Kevin Mitnick. Users can also see who created this control component they're about to download, so they can decide whether or not they trust it enough to continue.

So off I went, developing ActiveX controls and spreading the word. And, in fact, these projects were not only successful, but worked pretty well...for internal, enterprise applications. The kind that were limited to an internal, enterprise network.

But the enterprise was never the limit of Microsoft's vision for this technology. Oh, no, no, no. It was to be a big part of the way they were going to leverage their dominance of desktop operating systems, making Microsoft synonymous with the internet in the public's mind, just as they were already synonymous with PCs. And if you look at the gnarly details of the technology with an objective eye, you have to concede that their implementation of this idea was a significant technical achievement. A full DCE RPC mechnanism, allowance for multiple binding modes, provision for interface discovery and object browsing, mechanisms for raising and consuming events, marshalling of method parameters of all types...this was not a trivial deal slapped together by a team of junior developers.

But we grow up fast, don't we? Especially these last few years. Because for every conscientious developer like me there was a scumbag developing for some cheesy pr0n, multi-level marketing, or fly-by-night web-portal outfit, developing ActiveX controls that used the dark-side of ActiveX's power. You see, once a user decided to trust a control by clicking 'OK' on that annoying "Do you want to install the FREE streaming bodacious Ta-Tas control from corsicanmafia, inc?", with the associated "(Always trust content from corsicanmafia, inc)" button, the control basically has the keys to the candy store. The delicate words used nowadays are "execute arbitrary code," which means a malicious ActiveX developer could do damn near whatever the hell he or she wanted on your machine. Delete files. Scarf your email contact list. Scarf any other personal info you left lying around. Dance the macarena on your system registry. There is NO provision for any kind of "sandbox" limitation on what a control could do. Or at least not one that wasn't easily subvertable. The only protection is to not download the thing in the first place.

So just imagine the hundreds of thousands of 6 year old girls using Daddy's computer to surf over to the teletubbies fan site on a Saturday afternoon. They see one of those ActiveX download dialogs. It's standing between them and tinky-winky. Think they hesitate a second?

Or consider my experience. I recently started a new job, and was issued a desktop computer configured by the company's internal group responsible for hardware & networking. The Internet Explorer configuration on this box came set up to accept all ActiveX content, without even putting up the prompt! So in the first week, I'm surfing around, trying to do some research for my first project, and what should I run into but the Xupiter trap.

Now Xupiter, if you haven't had the misfortune to become acquainted, is a lame hosting/portal outfit based out of Hungary or some such place, and, without asking, they installed a custom IE toolbar, like the Google toolbar only lame, and set my default home page to their lame home portal page without even asking. I spent the rest of the day hunting down the uninstall procedure. (And of course, I set the IE option to not install ActiveX controls without asking!) Before using this, I surveyed what this little bandit had done. 36 registry changes. This, friends, is malicious, hostile code, delivered by ActiveX.

And so, lately, when I see the prompting dialog to download ActiveX component X from company Y, the hair on the back of my neck stands up in a full-on, fight or flight reaction, much worse than I get from, say, your common & garden Nigerian 419 Scam email.

And the crowning glory in all of these developments was what recently happened to Microsoft itself. They discovered a buffer overflow exploit in an ActiveX control that they publish, themselves. And not just any control, either. This was MDAC 2.6, AKA the Microsoft Data Access Components. This control package implements an object library called ActiveX Data Objects, which just happens to be the main avenue by which visual basic software accesses databases. So, pretty much wherever you find VB business software, you'll find ADO implemented by the MDAC component. Now, this component was properly signed by Microsoft, Inc., and was replicated to mirror sites all over creation. And it has a security hole that would potentially allow an attacker to, as they say once again, "run arbitrary code." Hoo-boy. And to make things even more sublime, patching the hole won't fix the problem. Because tens of millions of web-pages out there have hard-coded references to the buggy version of the component. So you could install the patched version of MDAC, un-install the old, buggy version, but the next time you surfed to a page with a reference to the buggy version, it would just try to download and RE-install the buggy version with the hole all over again! Now, think back: The first time you ever saw one of those dialogs (ALWAYS trust content from Microsoft, Inc...) did you select that? Because if you did, you'll be re-installing the security vulnerability and it won't even ask you about it, it'll just go ahead.

Microsoft's solution? "Microsoft recommends that you remove Microsoft from your list of trusted content providers." I don't mind admitting I had to change my underwear, because I wet the ones I was wearing, I laughed so hard. Ladies & gentlemen of the jury, the prosecution rests. Microsoft's ActiveX idea is, on balance, a bad, bad, bad, bad thing.