Re: Viruses and verified security holes
The long list of viruses that can transport themselves using ActiveX, and the long list of security holes that ActiveX is known to leave people open to, are reason enough to not write home about its security model.
I'd like to see that "long list". I bet you'll find that very few viruses - if any at all - take advantage of any flaw related to ActiveX. All the recent big ones are simply Trojan-horse executables delivered via e-mail, exploiting nothing more than the ease with which popular e-mail clients allow users to launch attachments.
Corresponding lists for Java are much, much smaller. Yet Java is more widely deployed in browsers than ActiveX!
I doubt it, since Microsoft's JVM is an ActiveX component, as is the browser itself. If you use IE, you use dozens of ActiveX components even if you browse nothing but plain text.
That alone stands as darned good evidence that ActiveX is substantially worse than Java.
Sun took the time and effort to create trusted applets. That stands as darned good evidence that Java's original sandbox model was deeply flawed.
[...] concrete evidence strongly suggests that ActiveX is unhealthy for your computer.
It may suggest that, but only to people who don't understand the technology. ActiveX is basically two things: native code delivery and embedded execution. In terms of native code delivery, blaming ActiveX for viruses is like blaming the postal service for letters carrying bombs or anthrax. Every argument you can make against ActiveX's native code delivery applies equally well to FTP and HTTP downloads. In fact, signing makes ActiveX safer than the alternatives. As for embedded execution, there's obviously a need; otherwise, Netscape plug-ins would never have been developed. And if you accept that there's a need, you must also accept that ActiveX components are in every way superior to plug-ins - they support component signing, they are way easier to use, and they can be used by other applications.