Microsoft today announced an important Internet Explorer update that will block out-of-date ActiveX controls. It will be released along with the next Windows update and other security updates coming on August 12 (this month’s Patch Tuesday).
The update will let IE use a Microsoft-hosted file (versionlist.xml) to determine whether an ActiveX control should be stopped from loading. Microsoft says it will start by initially flagging older versions of Java, “but over time will add other outdated ActiveX controls to the list.”
By default, users will be warned and given options to update the control or override the warning. Users with outdated versions will get a notification as seen above when trying to load a webpage with an old Java ActiveX control. The best part is that the feature still lets you interact with other parts of the webpage that isn’t affected by the outdated control.
Here is the current list:
- J2SE 1.4, everything below (but not including) update 43.
- J2SE 5.0, everything below (but not including) update 71.
- Java SE 6, everything below (but not including) update 81.
- Java SE 7, everything below (but not including) update 65.
- Java SE 8, everything below (but not including) update 11.
Microsoft justifies choosing Java as the first software to block by pointing to its latest security report, which found Java exploits represented 84.6 percent to 98.5 perent of exploit kit-related detections each month in 2013. While most of these vulnerabilities were fixed in recent versions, most users don’t know, or don’t bother, to upgrade.
For those who don’t know, ActiveX controls are small IE apps that let websites provide content, like videos and games, and let you interact with content like toolbars. Unfortunately, ActiveX controls aren’t automatically updated, and thus older versions have security flaws that are often exploited.
In Microsoft’s own words, malicious or compromised webpages can “collect information, install dangerous software, or by let someone else control your computer remotely.” While Microsoft has spent years improving the security of ActiveX, it’s surprising a block list like the one being introduced today hasn’t been implemented sooner.
The out-of-date ActiveX control blocking feature works on:
That last point is important for businesses who use ActiveX in intranet websites and trusted line-of-business apps. Administrators thus have more options: they can turn on ActiveX control logging, enforce blocking, allow select domains to use out-of-date ActiveX controls, or disable the feature altogether. More technical details regarding these options will be available at the link below on August 7.