Does Firefox under Ubuntu have something similar to ActiveX, in terms of security vulnerability?
‘ActiveX’ can be considered in two parts, the object model and the installation method. Firefox has something similar—and cross-platform compatible, Ubuntu or other—for both.
The object model of ActiveX is Microsoft COM; Firefox's equivalent is XPCOM. Many other Windows features and applications that have nothing to do with web browsing use MS COM, and there have traditionally been endless problems where COM controls that were not written for secure web usage were nonetheless available to web pages. This caused many compromises. Firefox is better off here, as XPCOM is not shared with the rest of the system. Newer versions of IE have better controls for restricting which sites are allowed to use which controls.
(As a side-issue, because many add-ons for Firefox are themselves written in JavaScript, a high-level scripting language, they are often more secure from buffer overflow and string handling errors than extensions for IE which are commonly written in C[++].)
The control-downloader part of ActiveX has also been cleaned up a bit since the bad old days, when anything in the My Computer zone could install any software it liked, and aggressive loader scripts could trap you in an alert loop until you agreed to approve the ActiveX prompt. Firefox's equivalent, XPInstall, behaves largely similarly, with the ‘information bar’ on all but Mozilla's sites by default and a suitable warning/prompt before installation.
There is another built-in way you can compromise yourself in Mozilla: signed scripts. I have never seen this actually used, and certainly another warning window will appear before a script gains extra rights, but it kind of worries me that this is available to web pages at all.
For example, an exploit through Flash will gain access to my PC under my user rights.
Yes, the majority of web exploits today occur in plugins. Adobe Reader, Java(*) and QuickTime are the most popular/vulnerable. IMO: get rid of those, and use FlashBlock to only show Flash when you want it.
(*: and Java's dialogues before it lets you give up all security to some untrusted applet are a bit bare too.)
Ubuntu gives you some questionable plugins by default, in particular a media player plugin that will make every vulnerability in any of your media codecs exploitable through the web (similar to the Windows Media Player plugin, only potentially with many more formats). Whilst I have yet to meet an exploit targeting Linux like this, that's really only security through obscurity.
Note that ActiveX itself is no different. A web browser compromise based on ActiveX still only gives user-level access; it's only because prior to Vista everyone habitually ran everything as Administrator that this escalated to a full-on rooting.
And then follow that by exploiting some known vulnerability in X to gain root rights. That is not "easy".
Maybe, maybe not. But I think you'll find the damage some malware can do from even a normal user account is quite bad enough. Copy all your personal data, observe your keypresses, delete all your documents...
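The answer above makes the point that a browser exploit running as your own user already reaches everything you can reach. The following script is an added example, not code from this thread or from any Ubuntu or Mozilla project: it scans a home directory for the kind of files such an exploit would read (the list of paths is a constructed shortlist of my own choosing), and checks whether the AppArmor profile Ubuntu ships for Firefox is actually loaded and enforced, since that profile is the stock Ubuntu mechanism for confining a compromised browser. It assumes the kernel exposes loaded profiles in `/sys/kernel/security/apparmor/profiles` as lines of the form `<name> (<mode>)` and that the Firefox profile name contains the string `firefox`; a demo home with dummy secret files is constructed so the scan can be run offline.

```python
"""Added example (not from the thread): what a process running as the
logged-in user can read without any privilege escalation, plus a check
of whether Ubuntu's AppArmor profile for Firefox is enforced.

Assumptions (not stated in the thread): SENSITIVE_GLOBS is a constructed
shortlist; /sys/kernel/security/apparmor/profiles lists loaded profiles
as '<profile name> (<mode>)'; the Firefox profile name contains 'firefox'.
"""
import glob
import os
import re
import tempfile

# Paths relative to $HOME that a browser exploit running as "you" can read
# without root. Constructed shortlist for the demonstration.
SENSITIVE_GLOBS = [
    ".ssh/id_*",                           # private keys (.pub siblings skipped)
    ".gnupg/secring.gpg",
    ".gnupg/private-keys-v1.d/*",
    ".bash_history",
    ".mozilla/firefox/*/cookies.sqlite",   # session cookies
    ".mozilla/firefox/*/signons.sqlite",   # saved passwords (older Firefox)
    ".mozilla/firefox/*/key3.db",
    ".mozilla/firefox/*/logins.json",
    ".config/chromium/Default/Cookies",
]


def exposed_secrets(home):
    """Return sorted paths (relative to `home`) that exist, match
    SENSITIVE_GLOBS and are readable by the current effective user.

    os.access() succeeds here for exactly the reason it succeeds for
    malware running under your uid: a 0600 mode protects a file from
    other users, not from a process that is you.
    """
    found = []
    for pattern in SENSITIVE_GLOBS:
        for path in glob.glob(os.path.join(home, pattern)):
            if path.endswith(".pub"):
                continue
            if os.path.isfile(path) and os.access(path, os.R_OK):
                found.append(os.path.relpath(path, home))
    return sorted(found)


# One line per loaded profile, e.g. "/usr/bin/evince (enforce)".
_PROFILE_LINE = re.compile(
    r"^(?P<name>.+?) \((?P<mode>enforce|complain|kill|unconfined)\)\s*$")


def firefox_apparmor_mode(profiles_text):
    """Parse the apparmor 'profiles' listing and return the mode of the
    Firefox profile ('enforce', 'complain', ...), or None when no loaded
    profile mentions firefox, i.e. the browser runs unconfined."""
    for line in profiles_text.splitlines():
        m = _PROFILE_LINE.match(line)
        if m and "firefox" in m.group("name"):
            return m.group("mode")
    return None


def firefox_apparmor_mode_live(path="/sys/kernel/security/apparmor/profiles"):
    """Read the live profile listing; None if AppArmor is unavailable."""
    try:
        with open(path) as f:
            return firefox_apparmor_mode(f.read())
    except OSError:
        return None


def make_demo_home():
    """Build a throw-away, constructed home directory with dummy secret
    files so exposed_secrets() can be demonstrated offline."""
    home = tempfile.mkdtemp(prefix="demo-home-")
    for rel in [".ssh/id_rsa", ".ssh/id_rsa.pub", ".bash_history",
                ".mozilla/firefox/abcd1234.default/cookies.sqlite",
                ".mozilla/firefox/abcd1234.default/signons.sqlite"]:
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("dummy\n")
    # "Correct" permissions on the key change nothing for a same-uid attacker.
    os.chmod(os.path.join(home, ".ssh/id_rsa"), 0o600)
    return home


if __name__ == "__main__":
    for rel in exposed_secrets(os.path.expanduser("~")):
        print("readable without root:", rel)
    mode = firefox_apparmor_mode_live()
    print("Firefox AppArmor profile:", mode or "not loaded (browser is unconfined)")
```

Run it against your real home (the `__main__` block) to see the list; the AppArmor check is the practical follow-up to the answer, since a profile in `complain` mode or not loaded at all leaves Firefox with the full reach shown by the scan.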
Wayland is supposed to be a complete replacement for X, not an addon, and it addresses the problems which concern you. Note that at the moment Wayland is not production ready and there is limited driver and toolkit support for it.
It seems that Ubuntu does not have any plans to integrate Wayland at the moment, and wants to create its own display server called Mir, which may also address some of your security concerns. Mir is also not ready for general use.
DirectFB is a bare bones solution for embedded systems which gives programs direct access to the video card's framebuffer. It does not have any security mechanisms.
Another solution is not to run a GUI at all.
Best Answer
Open source is not inherently safer. It might be a little bit, due to the following reasons:
This will only marginally make it safer, though, since bugs will still exist and people will be using their powers for Bad rather than Good.
When it comes to Ubuntu and all other Linux distributions, though, the fact is that they have been designed from the ground up from a multi-user perspective, with one user being able to make modifications to the system and the rest only being allowed to change what's relevant to them. In Windows this was rather tacked on later (though it probably works pretty well by now, as of Windows 7).
Still, one could easily write a virus that removes all of a user's personal files. The biggest reason for there being no viruses for Ubuntu is simply that it has a really, really small market share. Thus, there is little to gain and little incentive for a hacker to go through the extra trouble of supporting Ubuntu when they could just target Windows and gain a lot. That, and users of Linux are often more technically well-versed, so would be less likely to install something when they do not know what it does (though then again, the absence of viruses may lead them to trust everything they download).
(Then again, Ubuntu's update model, among others, is much better than Windows's, meaning that fixes for vulnerabilities can be distributed far quicker.)