Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: Internet Explorer begins blocking out-of-date ActiveX controls

06 Aug 2014   #1

64-bit Windows 10 Pro
Internet Explorer begins blocking out-of-date ActiveX controls

As part of our ongoing commitment to delivering a more secure browser, starting August 12th Internet Explorer will block out-of-date ActiveX controls. ActiveX controls are small apps that let Web sites provide content, like videos and games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious or compromised Web pages can target security flaws in outdated controls to collect information, install dangerous software, or by let someone else control your computer remotely.

For example, according to the latest Microsoft Security Intelligence Report, Java exploits represented 84.6% to 98.5% of exploit kit-related detections each month in 2013. These vulnerabilities may have been fixed in recent versions, but users may not know to upgrade. To help avoid this situation with ActiveX controls, an update to Internet Explorer on August 12, 2014 will introduce a new security feature, called out-of-date ActiveX control blocking.

Out-of-date ActiveX control blocking lets you:
  • Know when Internet Explorer prevents a Web page from loading common, but outdated, ActiveX controls.
  • Interact with other parts of the Web page that aren’t affected by the outdated control.
  • Update the outdated control, so that it’s up-to-date and safer to use.
  • Inventory the ActiveX controls your organization is using.

We wanted to share some guidance ahead of next week’s update, to help you understand this feature and decide the best course of action. If you are an end user and see the notification bar, we suggest updating to the latest version. If you are an IT Pro, you can decide how to implement this feature.

Supported Configurations

The out-of-date ActiveX control blocking feature works with:
  • On Windows 7 SP1, Internet Explorer 8 through Internet Explorer 11
  • On Windows 8 and up, Internet Explorer for the desktop
  • All Security Zones—such as the Internet Zone—but not the Local Intranet Zone and the Trusted Sites Zone

This feature does not warn about or block ActiveX controls in the Local Intranet Zone or Trusted Sites Zone.

What does the out-of-date ActiveX control blocking notification look like?

It is important to note that, by default, this feature warns users, with options to update the control or override the warning. When Internet Explorer blocks an outdated ActiveX control, you will see a notification bar similar to this, depending on your version of Internet Explorer:

Internet Explorer 9 through Internet Explorer 11

Internet Explorer 8

From the notification about the outdated ActiveX control, clicking “update” will take you to the control’s Web site to download its latest version. Optionally, in managed environments, IT can configure the feature to block—and not just warn—a user from running out-of-date ActiveX controls.

Out-of-date ActiveX control blocking also gives you a security warning that tells you if a Web page tries to launch specific outdated apps, outside of Internet Explorer:

How does Internet Explorer decide which ActiveX controls to block?

Internet Explorer uses a Microsoft-hosted file, versionlist.xml, to determine whether an ActiveX control should be stopped from loading. This file is updated with newly-discovered out-of-date ActiveX controls, which Internet Explorer automatically downloads to your local copy of the file. We are initially flagging older versions of Java, but over time will add other outdated ActiveX controls to the list.

As of August 12, 2014, this feature will provide users with notifications when Web pages try to load the following versions of Java ActiveX controls:
  • J2SE 1.4, everything below (but not including) update 43
  • J2SE 5.0, everything below (but not including) update 71
  • Java SE 6, everything below (but not including) update 81
  • Java SE 7, everything below (but not including) update 65
  • Java SE 8, everything below (but not including) update 11

You can view Microsoft’s complete list of out-of-date ActiveX controls at Internet Explorer version list.

Out-of-date ActiveX control blocking for managed environments

Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and Trusted Sites Zone, to help ensure that intranet Web sites and trusted line-of-business apps can continue to use ActiveX controls without disruption. Some customers may want more granular control over how this feature works on managed systems. IT Pros may want to turn on ActiveX control logging, enforce blocking, allow select domains to use out-of-date ActiveX controls, or—although it is not recommended—disable the feature altogether.

To support these scenarios, Internet Explorer includes four new Group Policy settings that you can use to manage out-of-date ActiveX control blocking.
  • Logging can tell you what ActiveX controls will be allowed or flagged for warning or blocking, and for what reason. Creating an inventory of ActiveX controls can also show which ActiveX controls are compatible with Enhanced Protected Mode, an Internet Explorer 11 security feature which provides additional protection against browser exploits—but not all ActiveX controls are compatible with EPM, so this feature can help assess your organization’s readiness for blocking out-of-date ActiveX controls and enabling EPM. This Group Policy is “Turn on ActiveX control logging in Internet Explorer,” and can be used separately or in conjunction with the other three policies.
  • Enforced blocking prevents users from overriding the warning for out-of-control ActiveX controls. Users will not see the “Run this time” button. This Group Policy is “Remove Run this time button for outdated ActiveX controls in Internet Explorer.”
  • Selected domains can be managed for which Internet Explorer will not block or warn about outdated ActiveX controls. This policy is “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” and includes a list of top level domains, host names, or files.
  • This feature can be turned off by using the policy “Turn off blocking of outdated ActiveX controls for Internet Explorer.” This might be used temporarily in combination with logging, to assess ActiveX controls before re-enabling the feature. This can also be enabled, like all four policies, with a registry key—in this case, a REG_DWORD “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\VersionCheckEnabled" with value of zero.

Please see the complete technical documentation here, pending publication on August 7. Starting on August 12, you can also download updated Internet Explorer administrative templates from:
  • Windows Server 2003.*Download the complete set of (English only) Internet Explorer administrative templates, which include the new settings, from*here.
  • Windows Server 2008 and up.*Download the complete set of Internet Explorer administrative templates, which include the new settings, from here.

Stay up-to-date with Internet Explorer

We know that many organizations still rely on the capabilities of ActiveX controls, but out-of-date ActiveX controls are a risk today. By helping consumers stay up-to-date—and enabling IT to better manage ActiveX controls, including those that are compatible with Enhanced Protected Mode—Microsoft is helping customers stay safer online. This is another example of delivering on the promise to help get users current with a safer, more secure Internet Explorer.

— Fred Pullen, Senior Product Manager, Internet Explorer

— Jasika Bawa, Program Manager, Security


My System SpecsSystem Spec
06 Aug 2014   #2

Windows 10 Pro

Wow!! It took them long enough. Congrats Microsoft. I mean it. Thank you for doing this.

I gotta admit, IE is getting much better with security.
My System SpecsSystem Spec
06 Aug 2014   #3

Win-7-Pro64bit 7-H-Prem-64bit

Yep well it would be nice if Microsoft added to the taskbar popup "Never Run" along with the other two options,
It's pitiful now especially for Oracle toolbox garbage alert to Allow or Once needs Never.
My System SpecsSystem Spec

06 Aug 2014   #4

Windows 7 64-bit, Windows 8.1 64-bit, OSX El Capitan, Windows 10 (VMware)

MS may fall on the other side of the horse, um security, and most people could move to Chrome/Firefox. Initially, people may not put up with the new restriction, especially the ones who never/seldom updated their apps...

The Active-X control blocking will work with IE8 and up, running on W7 SP1. Interestingly, this feature will not be available for Vista with IE8; is MS abandoning/stopping support for Vista?
My System SpecsSystem Spec
06 Aug 2014   #5
Layback Bear

Windows 7 Pro. 64/SP-1

I think it's great that Microsoft keep adding security to their products.

They are little slow at times but one should keep in mind their testing must be more in depth because unlike many other products Microsoft products will effect Billions of computers.
My System SpecsSystem Spec
07 Aug 2014   #6

Windows 7 x64 Home Premium SP1

Quote   Quote: Originally Posted by Cr00zng View Post
The Active-X control blocking will work with IE8 and up, running on W7 SP1. Interestingly, this feature will not be available for Vista with IE8; is MS abandoning/stopping support for Vista?
Windows Vista is very old. It's almost ancient. Vista is also in the extended support phase, so there won't be any new features for Vista. Same with Windows 7, it will enter extended support phase soon, so don't expect any new features for Win 7 after that.
My System SpecsSystem Spec
07 Aug 2014   #7

Windows 10 Pro

This is why support for vista was not added. Its in extended support phase, windows 7 is not-yet

Windows 7 is still in mainstream support. Vista is not. This means when the public demands new features, or in the interest of better security features can be added to products that are in mainstream support.
My System SpecsSystem Spec
07 Aug 2014   #8
A Guy

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
Now even Internet Explorer will throw lousy old Java into the abyss

Internet Explorer will soon join its rival browsers by automatically blocking old, insecure add-ons – and it's got its eye set squarely on Java.

Microsoft said on Wednesday that starting on August 12, Internet Explorer will begin alerting users when web pages try to launch ActiveX controls that are considered out-of-date and potentially insecure.

The change mirrors similar features found in competing browsers, including Chrome and Firefox, both of which already block out-of-date and unsafe plugins.

Microsoft will maintain the list of verboten ActiveX controls itself and will update it as new versions are released or new vulnerabilities are uncovered.

What's interesting, though, is that when the blocking feature launches later this month, Redmond's blacklist will consist of but a single culprit: Oracle's Java ActiveX control.

A Guy
My System SpecsSystem Spec
08 Aug 2014   #9

Win-7-Pro64bit 7-H-Prem-64bit

Can't think of a better top of the list Block than Java
Even if the list never grows
My System SpecsSystem Spec
09 Aug 2014   #10
Layback Bear

Windows 7 Pro. 64/SP-1

Oracle has had more than enough time to fix the security risk in Jave.

Microsoft, Firefox, Google Chrome had to do something because Oracle can't or won't fix the security problems.
My System SpecsSystem Spec

 Internet Explorer begins blocking out-of-date ActiveX controls

Thread Tools

Similar help and support threads
Thread Forum
How to prevent Windows from blocking ActiveX and add-ons
I'm not sure this is where I need to post this but thought I'd start here. In March we purchased a new computer with Windows 7 Ultimate and also have an older computer with Windows 7 Home Pro. We need to download a couple of add-ons in conjunction with a job we do. One is an ActiveX to view...
Browsers & Mail
ActiveX Controls
What should should my settings in Tools-Internet Options be for the following please: - (1) Allow previous unsused ActiveX controls to run without prompt - Enable or Disable; (2) Allow Scriptlets - Enable or Disable:sarc: Regards,
Browsers & Mail
One or more activex controls could not be displayed because either
Hi. I don't know if this is the right forum for my problem. Anyway, I have a problem with my Windows Services. Each time when I launch Windows Services window, I get a warning: One or more activex controls could not be displayed because either: 1. your current security settings prohibit...
BSOD Help and Support
IE8 Information bar for ActiveX controls
Does anyone know how to turn off the information bar for activex controls when they are being loaded from my own PC? With all the googling and testing I have done, this cannot be done with any Win7 or IE8 settings. This has got to be one of the most irritating pieces of junk I have ever encounted...
Browsers & Mail
Internet Explorer’s ActiveX Security Mitigations in Use

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 17:01.
Twitter Facebook Google+ Seven Forums iOS App Seven Forums Android App