Internet Explorer begins blocking out-of-date ActiveX controls

Page 1 of 2 12 LastLast

    Internet Explorer begins blocking out-of-date ActiveX controls


    Posted: 06 Aug 2014
    As part of our ongoing commitment to delivering a more secure browser, starting August 12th Internet Explorer will block out-of-date ActiveX controls. ActiveX controls are small apps that let Web sites provide content, like videos and games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious or compromised Web pages can target security flaws in outdated controls to collect information, install dangerous software, or by let someone else control your computer remotely.

    For example, according to the latest Microsoft Security Intelligence Report, Java exploits represented 84.6% to 98.5% of exploit kit-related detections each month in 2013. These vulnerabilities may have been fixed in recent versions, but users may not know to upgrade. To help avoid this situation with ActiveX controls, an update to Internet Explorer on August 12, 2014 will introduce a new security feature, called out-of-date ActiveX control blocking.

    Out-of-date ActiveX control blocking lets you:

    • Know when Internet Explorer prevents a Web page from loading common, but outdated, ActiveX controls.
    • Interact with other parts of the Web page that aren’t affected by the outdated control.
    • Update the outdated control, so that it’s up-to-date and safer to use.
    • Inventory the ActiveX controls your organization is using.


    We wanted to share some guidance ahead of next week’s update, to help you understand this feature and decide the best course of action. If you are an end user and see the notification bar, we suggest updating to the latest version. If you are an IT Pro, you can decide how to implement this feature.

    Supported Configurations

    The out-of-date ActiveX control blocking feature works with:

    • On Windows 7 SP1, Internet Explorer 8 through Internet Explorer 11
    • On Windows 8 and up, Internet Explorer for the desktop
    • All Security Zones—such as the Internet Zone—but not the Local Intranet Zone and the Trusted Sites Zone


    This feature does not warn about or block ActiveX controls in the Local Intranet Zone or Trusted Sites Zone.

    What does the out-of-date ActiveX control blocking notification look like?

    It is important to note that, by default, this feature warns users, with options to update the control or override the warning. When Internet Explorer blocks an outdated ActiveX control, you will see a notification bar similar to this, depending on your version of Internet Explorer:

    Internet Explorer 9 through Internet Explorer 11

    Internet Explorer 8

    From the notification about the outdated ActiveX control, clicking “update” will take you to the control’s Web site to download its latest version. Optionally, in managed environments, IT can configure the feature to block—and not just warn—a user from running out-of-date ActiveX controls.

    Out-of-date ActiveX control blocking also gives you a security warning that tells you if a Web page tries to launch specific outdated apps, outside of Internet Explorer:



    How does Internet Explorer decide which ActiveX controls to block?


    Internet Explorer uses a Microsoft-hosted file, versionlist.xml, to determine whether an ActiveX control should be stopped from loading. This file is updated with newly-discovered out-of-date ActiveX controls, which Internet Explorer automatically downloads to your local copy of the file. We are initially flagging older versions of Java, but over time will add other outdated ActiveX controls to the list.

    As of August 12, 2014, this feature will provide users with notifications when Web pages try to load the following versions of Java ActiveX controls:

    • J2SE 1.4, everything below (but not including) update 43
    • J2SE 5.0, everything below (but not including) update 71
    • Java SE 6, everything below (but not including) update 81
    • Java SE 7, everything below (but not including) update 65
    • Java SE 8, everything below (but not including) update 11


    You can view Microsoft’s complete list of out-of-date ActiveX controls at Internet Explorer version list.

    Out-of-date ActiveX control blocking for managed environments

    Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and Trusted Sites Zone, to help ensure that intranet Web sites and trusted line-of-business apps can continue to use ActiveX controls without disruption. Some customers may want more granular control over how this feature works on managed systems. IT Pros may want to turn on ActiveX control logging, enforce blocking, allow select domains to use out-of-date ActiveX controls, or—although it is not recommended—disable the feature altogether.

    To support these scenarios, Internet Explorer includes four new Group Policy settings that you can use to manage out-of-date ActiveX control blocking.

    • Logging can tell you what ActiveX controls will be allowed or flagged for warning or blocking, and for what reason. Creating an inventory of ActiveX controls can also show which ActiveX controls are compatible with Enhanced Protected Mode, an Internet Explorer 11 security feature which provides additional protection against browser exploits—but not all ActiveX controls are compatible with EPM, so this feature can help assess your organization’s readiness for blocking out-of-date ActiveX controls and enabling EPM. This Group Policy is “Turn on ActiveX control logging in Internet Explorer,” and can be used separately or in conjunction with the other three policies.
    • Enforced blocking prevents users from overriding the warning for out-of-control ActiveX controls. Users will not see the “Run this time” button. This Group Policy is “Remove Run this time button for outdated ActiveX controls in Internet Explorer.”
    • Selected domains can be managed for which Internet Explorer will not block or warn about outdated ActiveX controls. This policy is “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” and includes a list of top level domains, host names, or files.
    • This feature can be turned off by using the policy “Turn off blocking of outdated ActiveX controls for Internet Explorer.” This might be used temporarily in combination with logging, to assess ActiveX controls before re-enabling the feature. This can also be enabled, like all four policies, with a registry key—in this case, a REG_DWORD “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\VersionCheckEnabled" with value of zero.


    Please see the complete technical documentation here, pending publication on August 7. Starting on August 12, you can also download updated Internet Explorer administrative templates from:

    • Windows Server 2003.*Download the complete set of (English only) Internet Explorer administrative templates, which include the new settings, from*here.
    • Windows Server 2008 and up.*Download the complete set of Internet Explorer administrative templates, which include the new settings, from here.


    Stay up-to-date with Internet Explorer


    We know that many organizations still rely on the capabilities of ActiveX controls, but out-of-date ActiveX controls are a risk today. By helping consumers stay up-to-date—and enabling IT to better manage ActiveX controls, including those that are compatible with Enhanced Protected Mode—Microsoft is helping customers stay safer online. This is another example of delivering on the promise to help get users current with a safer, more secure Internet Explorer.

    — Fred Pullen, Senior Product Manager, Internet Explorer

    — Jasika Bawa, Program Manager, Security

    More...
    Brink's Avatar Posted By: Brink
    06 Aug 2014



  1. Posts : 4,566
    Windows 10 Pro
       #1

    Wow!! It took them long enough. Congrats Microsoft. I mean it. Thank you for doing this.

    I gotta admit, IE is getting much better with security.
      My Computer


  2. Posts : 20,583
    Win-7-Pro64bit 7-H-Prem-64bit
       #2

    Yep well it would be nice if Microsoft added to the taskbar popup "Never Run" along with the other two options,
    It's pitiful now especially for Oracle toolbox garbage alert to Allow or Once needs Never.
      My Computer


  3. Posts : 568
    Windows 7 64-bit, Windows 8.1 64-bit, OSX El Capitan, Windows 10 (VMware)
       #3

    MS may fall on the other side of the horse, um security, and most people could move to Chrome/Firefox. Initially, people may not put up with the new restriction, especially the ones who never/seldom updated their apps...

    The Active-X control blocking will work with IE8 and up, running on W7 SP1. Interestingly, this feature will not be available for Vista with IE8; is MS abandoning/stopping support for Vista?
      My Computer


  4. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #4

    I think it's great that Microsoft keep adding security to their products.

    They are little slow at times but one should keep in mind their testing must be more in depth because unlike many other products Microsoft products will effect Billions of computers.
      My Computer


  5. Posts : 167
    Windows 7 x64 Home Premium SP1
       #5

    Cr00zng said:
    The Active-X control blocking will work with IE8 and up, running on W7 SP1. Interestingly, this feature will not be available for Vista with IE8; is MS abandoning/stopping support for Vista?
    Windows Vista is very old. It's almost ancient. Vista is also in the extended support phase, so there won't be any new features for Vista. Same with Windows 7, it will enter extended support phase soon, so don't expect any new features for Win 7 after that.
      My Computer


  6. Posts : 4,566
    Windows 10 Pro
       #6

    This is why support for vista was not added. Its in extended support phase, windows 7 is not-yet

    http://windows.microsoft.com/en-us/windows/lifecycle

    Windows 7 is still in mainstream support. Vista is not. This means when the public demands new features, or in the interest of better security features can be added to products that are in mainstream support.
      My Computer


  7. Posts : 53,363
    Windows 10 Home x64
       #7

    Now even Internet Explorer will throw lousy old Java into the abyss


    Internet Explorer will soon join its rival browsers by automatically blocking old, insecure add-ons – and it's got its eye set squarely on Java.

    Microsoft said on Wednesday that starting on August 12, Internet Explorer will begin alerting users when web pages try to launch ActiveX controls that are considered out-of-date and potentially insecure.

    The change mirrors similar features found in competing browsers, including Chrome and Firefox, both of which already block out-of-date and unsafe plugins.

    Microsoft will maintain the list of verboten ActiveX controls itself and will update it as new versions are released or new vulnerabilities are uncovered.

    What's interesting, though, is that when the blocking feature launches later this month, Redmond's blacklist will consist of but a single culprit: Oracle's Java ActiveX control.
    Source

    A Guy
      My Computer


  8. Posts : 20,583
    Win-7-Pro64bit 7-H-Prem-64bit
       #8

    Can't think of a better top of the list Block than Java
    Even if the list never grows
      My Computer


  9. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #9

    Oracle has had more than enough time to fix the security risk in Jave.

    Microsoft, Firefox, Google Chrome had to do something because Oracle can't or won't fix the security problems.
      My Computer


 
Page 1 of 2 12 LastLast

  Related Discussions
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 04:05.
Find Us