Stathakopoulos defended ActiveX, but acknowledged that it was impossible for Microsoft to police its technology. "You have to enable [add-on] development for the browser," he said. "The question is, how do you extend the browser and at the same time provide guidance to developers on how to write secure [ActiveX controls]?"
The problem is especially evident in China, whose users accounted for 47 percent of all victims of browser-based attacks during the first half of 2008, according to Microsoft. Stathakopoulos blamed Chinese developers for contributing to the ActiveX issue. "I think it's a combination of developers who don't have good security discipline, and [the Chinese market] being a very large target," he said, explaining why Microsoft thought China had been hit particularly hard by browser attacks.
US users accounted for 23 percent of all victims of browser-based exploits.
Microsoft is doing more to help developers write more secure code, Stathakopoulos said. In September, the company unveiled a for-fee program, dubbed "SDL Pro Network," where service provider partners consult with businesses to help them apply Microsoft's Security Development Lifecycle practices. Microsoft will also release a pair of free-of-charge tools distilled from its SDL work this month.
He also argued that the company's work to lock down ActiveX in IE was paying off. IE7, for example, blocks many ActiveX controls by default, and requires the user to explicitly agree to their operation. The still-in-beta IE8, meanwhile, has introduced additional ActiveX security features, including the ability to restrict controls to specific domains -- an enterprise intranet, for example.
Symantec's report earlier this year, however, disputed the idea that Microsoft's efforts had done much good. IE7, said Symantec in April, had not had a significant impact on the number of ActiveX vulnerabilities.
"We're going to try to help third-party developers write more secure code," said Stathakopoulos. "But it will be a long, drawn-out problem."
Microsoft's most recent security report can be downloaded from the company's site.