Just say yes to Internet Explorer 7

19.10.2006

ActiveX has long been an IE security hole, and Microsoft has done some work in IE7 to protect against ActiveX attacks. There are hundreds of ActiveX and COM objects in Windows that in IE6 can be invoked from a Web page, without any user opt-in. Many of these are well-known -- for example, using the ActiveX version of Windows Media Player to play videos. But most are not well-known, and some of these lesser-known controls have allowed malware writers to exploit scripting vulnerabilities to attack a PC.

In IE7, several hundred of these objects are disabled by default, rather than enabled by default, as they were in IE6. So if a user visits a Web page that tries to invoke one of the objects, she'll get the familiar security warning, and she will have to actively say she wants to run the control. This increases security because a user has to opt in to run the control. And because so few people will now be vulnerable to these kinds of exploits by default, Microsoft believes that malware authors will largely stop trying to use ActiveX as a security hole. Whether that reasoning will hold up in the real world remains to be seen.

There are exceptions to the tighter opt-in rule in IE7: a handful of the most common ActiveX controls are enabled by default for the Internet Zone through a pre-approved list. These allowed controls -- Windows Media Player among them -- are widely used and considered to be non-malicious.

Finally, because enterprises often build in-house applications around ActiveX controls, these objects are enabled by default in IE7's Local Intranet Zone security settings.
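The zone-by-zone behaviour described above can be checked on a machine rather than taken on trust. The script below is an added example, not part of the article or of any Microsoft tooling; it reads IE's per-zone URL-action values from the registry. It assumes the documented action ids (1200 = "Run ActiveX controls and plug-ins", 1201 = "Initialize and script ActiveX controls not marked as safe", 1208 = "Allow previously unused ActiveX controls to run without prompt") and the value meanings 0 = Enable, 1 = Prompt, 3 = Disable, and flags an Internet Zone that has been loosened back to IE6-style behaviour.

```powershell
# Added example (not from the article): audit IE's ActiveX URL-action settings for the
# Local Intranet Zone (1) and the Internet Zone (3) in both the machine and user hives.
# Assumed action ids and value meanings are taken from IE's documented zone settings.
$zones   = @{ 1 = 'Local Intranet'; 3 = 'Internet' }
$actions = @{
    1200 = 'Run ActiveX controls and plug-ins'
    1201 = 'Initialize and script ActiveX controls not marked as safe'
    1208 = 'Allow previously unused ActiveX controls to run without prompt'  # the IE7 opt-in switch
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$rows = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($zoneId in $zones.Keys) {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zoneId"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($id in $actions.Keys) {
            # Value names are the decimal action ids stored as strings, e.g. "1208".
            $prop = $props.PSObject.Properties["$id"]
            if ($null -eq $prop) { continue }   # not set in this hive; IE falls back to its defaults
            $value = [int]$prop.Value
            $text  = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { "Unknown($value)" }
            # Flag: in the Internet Zone, previously unused controls should NOT run silently.
            $flag = if ($zoneId -eq 3 -and $id -eq 1208 -and $value -ne 3) { 'REVIEW: opt-in disabled' } else { '' }
            [pscustomobject]@{
                Hive    = $hive
                Zone    = $zones[$zoneId]
                Action  = $actions[$id]
                Setting = $text
                Flag    = $flag
            }
        }
    }
}

$rows | Format-Table -AutoSize
```

Values set under the corresponding `Policies` path by Group Policy take precedence over what this script reads, so a flagged row may still be overridden by policy.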

In addition, says Microsoft, a variety of vulnerabilities have been fixed, among them a hole in VML (Vector Markup Language) that allowed VML content to be used to launch an attack.