micro$not, mshtml, and activex

back in the dark ages, when i was working at STLabs, before we moved to factoria (i.e. STLabs… so, what? maybe 1995? 1996? somewhere in there), i was testing Internet Explorer version 3.0, which meant, basically, that i was testing micro$not’s browser engine, which is called MSHTML.dll. at the time, a very good friend of mine from college, saint fred (now, sadly, passed on) was mucking about with the innards of micro$not’s operating system, and discovered a problem which had existed for several years prior to this, which micro$not had “made disappear” by changing the technology’s name from OLE — which was, itself, a “renamed” technology, originally called Visual Basic for Applications, or “VB-A” — to “ActiveX”, and, in the process of making it “disappear”, actually made it more prevalent and insidious, by making it work seamlessly with even more micro$not technology.

and, saint fred being who he was, took advantage of this by writing the “Exploder Control”, which could be embedded in a web page, or a microsoft document, and would, when “activated”, perform a clean shutdown of the computer on which it was being viewed… whether you wanted to shut down your computer, or not.

you hit this web page, and, within seconds, your computer shuts down, with no further input from you. 😏


you open this microsoft word document, and, within seconds, your computer shuts down, with no further input from you. 🤣

i watched it happen as it first came out, before anybody realised what it was. it was hillarious! i gave the URI for the exploder control to my boss, and then went back to my workstation and listened, as she suddenly whined “it shut down my computer!” 🤣🤣🤣

and, of course, micro$not’s response to this was to threaten saint fred with lawsuits for doing stuff he shouldn’t have been doing, and when that didn’t work (because fred made sure that the exploder did everything strictly “by the book”, including getting micro$not’s signature on the control), they made the exploder control something that was detected by their anti-virus software (even though it was very clearly NOT a virus, and, actually, did everything totally “by the book”, something to which micro$not never admitted), and, once they figured out that they had caused all of this, they pulled their signature on the control, so that it raised even more red flags before actually activating it…

and, basically, did everything EXCEPT fix the problem, which, after a few months of frantic ass-covering by micro$not’s marketing department, while the tech industry had a good laugh, got swept under the rug, anyway, by more current micro$not fiascos.

but the technology remained, and every version of windows has support for activex, every version of MSHTML.dll has support for activex (which is one of the reasons micro$not got rid of MSHTML.dll a couple years ago, and current versions of Internet Exploder… um… what’s their browser called again? EDGE, that’s it… uses google’s “chrome” browser engine, instead. the browser wars are over! micro$not LOST!) and you can, literally, do ANYTHING with activex, that you could do from the normal user interface of windows, and there is, literally, NOTHING stopping you from doing this — or other, more nefarious things — given A LITTLE knowledge of the technology.

which is why, when i saw this headline: Miscreants fling booby-trapped Office files at victims, no patch yet, says Microsoft the FIRST THING i thought was “Exploder Control strikes again!”

this is one of the VERY BIG reasons i do not use micro$not on my computers. i don’t even have my microsoft 5-button mouse any longer!

i wonder if they’ll ever learn. 🙄

Continue reading micro$not, mshtml, and activex