In this blog post, we will look at why ActiveX technology still remains in our web environment and the security issues and inconveniences it causes.

ActiveX: Why are we still stuck with this outdated technology?

A long time ago, South Korea experienced an unprecedented situation in which the computer networks of major broadcasters such as KBS, MBC, and YTN, as well as the National Agricultural Cooperative Federation and Shinhan Bank, were simultaneously paralyzed. The central server went down, computers stopped working, and even rebooting was impossible, leaving everything in a state of total paralysis.
Broadcasters suffered huge disruptions to their live news and radio programs, and reporters, producers, and writers were seen carrying manuscripts and documents around with them. ATMs and internet banking services at major banks were also paralyzed, and card payments became impossible. It took nine hours to restore the computer network, and thousands of computers were directly damaged in this large-scale incident.
At the time, North Korean hackers were suspected to be behind the cyberattack, but a hacker group called “Whois” claimed responsibility, and the incident was closed. However, a more serious problem was the technical route used to hack into the system. The route used in the attack was an ActiveX-based security program called “XecureWeb.”
At the time, XecureWeb was an essential security program that had to be installed in order to use certified digital certificates for internet banking and public institution websites in Korea. However, when this program was installed, malicious code was also installed, and this malicious code became the key gateway for large-scale cyber attacks. This was not a simple security program flaw, but a disaster caused by structural vulnerabilities in ActiveX technology itself.

What is ActiveX?

ActiveX is a technology developed by Microsoft that allows websites to run various applications such as document editing, multimedia execution, file downloads, and security functions, in addition to existing simple text-based content. However, as ActiveX began to be used to implement security functions on websites, the web environment in Korea became overly dependent on ActiveX. The problem is that this technology is not an international standard.

International Standard Security Method: SSL/TLS

SSL (Secure Sockets Layer) is widely used as the global web security standard, and its successor, TLS (Transport Layer Security), is currently in widespread use. This method encrypts data between the user’s browser and the website to ensure secure transmission, and is indicated by the address “https://” and a padlock icon.
SSL/TLS certificates are issued by internationally recognized certification authorities (CAs), and browsers automatically verify the authenticity of these certificates. However, ActiveX-based security methods do not comply with these international standards. Websites install ActiveX on their own, causing users to hand over sensitive information without any official authentication process.
Ultimately, users cannot verify whether a website is genuine or secure, which can lead to phishing or malware infection.

ActiveX security issues: an ongoing threat

ActiveX requires administrator privileges for installation and has a structure that allows attackers to plant malware, viruses, and spyware through the program.
If antivirus software fails to detect it, the user’s computer may become infected and turn into a zombie PC that causes DDoS (distributed denial of service) attacks on the entire computer network. The problem is that even if users are aware of the risk, websites force them to install ActiveX. Some sites are designed so that users cannot use the service without installing it.
Even if the user’s computer already has a firewall or antivirus software installed, the website will still require the installation of its own security program (ActiveX). This actually weakens security.
In addition, ActiveX-based security programs have the ability to monitor the user’s system. This includes monitoring keyboard input, checking antivirus activity, and monitoring the network. Although this is done in the name of user protection, it can also lead to personal information leaks and privacy issues.

Inefficiency and inconvenience: deterioration of user experience

ActiveX does not have integrated standard specifications, so each site requires the installation of different programs. ActiveX installed on a bank site cannot be used on other shopping malls or government agency sites, so users must install multiple programs with the same functionality. If the versions are different, the same program must be installed again, which is inconvenient.
Furthermore, the page is often reset during installation, causing all the information entered to be lost. This is very frustrating for users and seriously undermines the reliability and accessibility of the digital environment.

Why don’t Chrome, Firefox, and Safari work?

ActiveX only works on Microsoft’s Internet Explorer (IE). However, Google Chrome, Safari, Microsoft Edge, and Mozilla Firefox are currently the mainstream browsers worldwide.
Even Microsoft officially ended support for Internet Explorer in June 2022 and has now completely switched to Edge.
However, due to the influence of ActiveX, Korea’s web structure has become IE-centric, causing inconvenience to users of browsers such as Chrome and Safari when accessing websites. This has contributed to the isolation of Korea’s web environment from international standards.

Incompatibility with the mobile era

With the rapid growth of mobile and tablet use, mobile accessibility and compatibility are essential for websites. However, ActiveX is a PC-based technology and does not work in mobile environments. In order to use banking, payment, and government services on smartphones, users must install separate apps, which are often incompatible with ActiveX. This structure is completely contrary to the mobile-first era.

Why are we still using a technology that has already been abandoned?

Microsoft recognized the security vulnerabilities and limitations of ActiveX and has already discontinued technical support. ActiveX does not work at all on browsers included in the latest Windows operating systems. Even so, some websites in South Korea still rely on ActiveX. Why is that?
There are complex interests at play between government agencies and certain security companies. This is because there are still significant profits to be made from fees for issuing public certificates, security solution contracts, and maintenance costs. However, recently, both the government and the financial sector are actively promoting the revision of the Electronic Signature Act and the transition to web standards with the aim of abandoning ActiveX. Since the abolition of the mandatory use of public certificates in 2020, various methods such as simple authentication, biometric authentication, and OTP have been introduced, and the web security environment is rapidly improving.

Conclusion: When to abandon the legacy of the past

We must no longer cling to the outdated technology of ActiveX. It is vulnerable to security threats, causes inconvenience to users, and has become an obstacle to technological advancement. Adhering to web standards is the way to keep pace with global IT trends and ensure the digital sovereignty and safety of citizens.
The government, related organizations, and private companies must all work together to create a more open and secure web environment by quickly phasing out ActiveX. That is the true beginning of digital transformation.