According to a report in Computerworld this morning, Symantec has said ActiveX controls caused nearly all browser plug-in vulnerabilities in the second half of 2007.
In comparison, the next-highest number of flaws was from Apple’s QuickTime, which scored just 8 per cent of the total.
And only one vulnerability was found in a plug-in for Mozilla’s Firefox browser – or about 0.4 per cent of all detected flaws.
Symantec said that this result was due to several factors, including the availability of tools that hackers use to exploit input vulnerabilities in the controls.
The 2006 launch of IE7, which Microsoft claimed was much more secure than its predecessors, hasn’t had much of an impact on the number of ActiveX vulnerabilities, the Symantec report said.
In the second half of 2007, Symantec said it detected 190 ActiveX vulnerabilities, down about 10 per cent from the 210 found in the first six months of that year.
And ActiveX’s problems haven’t improved this year either. In February, for example, a wave of vulnerabilities in several high-profile ActiveX controls prompted the US Computer Emergency Readiness Team (US-CERT) to recommend that users disable all IE plug-ins.
Other plug-ins where Symantec found vulnerabilities included Java (13 flaws detected), Adobe’s Flash (11), Microsoft’s Windows Media Player (4) and Adobe’s Acrobat Reader (1).