ActiveX controls accounted for an overwhelming majority of all browser plug-in vulnerabilities in the second half of 2007, Symantec Corp. said this week in its semi-annual Web security report.