Another analyst claims 89 per cent of browser and web vulnerabilities are related to ActiveX, he says. ActiveX is a component object model for Windows platforms and is also a prevalent form of Internet Explorer plug-in, so it's clearly not possible to ban it totally. Applications based on it can be launched from web pages.
At the very least, says Montgomery, people should insist that all ActiveX control objects are digitally signed, testifying to their source and the fact they haven't been interfered with.
Naturally, there is a role for company policies in trying to instill good practice here -- such as banning the loading of unknown software, and the connection of devices to the company network after they have been outside. However, this offers no guarantees.
"It's easy to say, 'just educate the end-users'. But, year after year, end-users who have been 'educated' will still open an email from someone they don't know and click on an executable attachment."
Here again, Web 2.0 has worsened the situation, tying up online content with users' real-world reputations. For example, a lot of people receiving an email with the heading, "Saw you last night on YouTube" wouldn't be able to resist following the link, he says.
Montgomery, who is based in Washington DC, is on a tour of Australia and New Zealand, conducting seminars on the characteristics of today's malware and the precautions available to protect against it.