News

Internet Explorer To Block Outdated ActiveX Versions

• By Kurt Mackie
• 08/07/2014

ActiveX blocking capabilities will be making their way to Internet Explorer browsers on Aug. 12, according to Microsoft.

That's the date when the new ActiveX blocking capabilities will start to appear for updated IE 8, IE 9 and IE 11 browser versions running on Windows 7 Service Pack 1, as well as IE 10 and IE 11 browser versions running on the Windows 8/8.1 Desktop side. (The blocking isn't happening for IE on the Windows 8 and Windows 8.1 Windows Store Apps ("Metro") side because the Windows Store Apps browser only supports the Adobe Flash Player add-on, but not other add-ons.)

This new ActiveX blocking capability appears to address a long-running complaint against ActiveX -- that it can be a major security vulnerability in itself, both for organizations using IE and for individuals browsing the Web with IE.

The ActiveX Problem
ActiveX is an 18-year-old Windows component that supports applications via installed browser add-ons. People typically become aware of ActiveX when visiting Websites, where pop-up messages ask if they want to install an ActiveX control on their machines to run some applet. That's security measure of sorts. However, it's possible for ActiveX controls to actually be malware instead of something helpful.

Microsoft's protection scheme, for years, has been to get the user to decide whether they trust the publisher of an ActiveX control, but it's possible for users to run legitimate ActiveX controls that are out-of-date and that can be exploited. A malicious Website pushing an ActiveX exploit can install malware, collect user information or set up remote access to a user's computer. Now, Microsoft plans to make Internet Explorer smart enough to tell if the user is encountering such potentially insecure out-of-date ActiveX controls.

With the next IE updates coming next week, the browser will check for a Microsoft hosted file, called "versionlist.xml," for any outdated ActiveX controls, according to Microsoft's announcement. If an outdated control is found, users will get a dialog box with options to update it or run the control.

That approach doesn't differ too much from the current browsing experience except for Microsoft's new approach of maintaining a blacklist of outdated ActiveX controls. For instance, the updated IE browser will block several versions of Java Standard Edition, including versions of J2SE 1.4 and J2SE 5.0, along with versions of Java SE 6, 7 and 8.

Management Controls
Microsoft also added some IT pro management capabilities with the new ActiveX blocking scheme. By default, ActiveX blocking is turned off for "the Local Intranet Zone and Trusted Sites Zone." That allows organizations with intranets to continue to use older internal business apps that depend on out-of-date ActiveX controls.

In addition, IT pros can control how ActiveX blocking works via four new Group Policy settings. Microsoft described the new settings as follows:

• "Turn on ActiveX control logging in Internet Explorer" (IT pros can build a list and see which ActiveX controls are compatible with IE's Enhanced Protected Mode security feature)
• "Remove Run this time button for outdated ActiveX controls in Internet Explorer" (prevents users from overriding the dialog box suggestions and bypassing outdated ActiveX controls)
• "Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains" (allows for specific domain management)
• "Turn off blocking of outdated ActiveX controls for Internet Explorer" (disables the whole ActiveX blocking scheme, if wanted, although Microsoft doesn't recommend doing that)

The move by Microsoft to add this ActiveX blocking capability appears to be adding some long-needed protections for the general Internet-browsing public. At the same time, Microsoft is addressing business needs.

"We know that many organizations still rely on the capabilities of ActiveX controls, but out-of-date ActiveX controls are a risk today," Microsoft's announcement explained.

The ActiveX blocking feature will start to appear on updated browsers on Aug. 12, but technical documentation about the new feature will be available earlier, on Aug. 7, at this page. Microsoft's announcement also indicated that updated IE administrative templates will be available for Windows Server 2003 here, as well as for Windows Server 2008 and newer versions at this page.