
Microsoft to Block Outdated ActiveX Controls in Internet Explorer

In an effort to provide an enhanced level of protection to Internet Explorer users, Microsoft has decided to introduce a new feature that's designed to block ActiveX controls that are out of date, the company announced on Wednesday.

ActiveX controls, which are basically add-ons for Internet Explorer, are needed to access and interact with certain types of content. Two of the most common ActiveX controls are Flash Player, which is used to load videos and games, and Java, which is often required to run applications.

While these controls are highly useful, they contain vulnerabilities that enable cybercriminals to compromise computers. Such security holes can be leveraged by malicious websites to install software, collect information, and allow a remote attacker to take control of the affected device.

That's why Microsoft has decided to introduce a new security feature called "out-of-date ActiveX control blocking."

The feature will be launched on August 12 with this month's Patch Tuesday updates, and it's designed to work with Internet Explorer 8 through 11 on Windows 7 SP1, and Internet Explorer for desktops on Windows 8 and up. Organizations can also put it to good use because it works with managed environments as well.

[Image: IE ActiveX Blocking]

When the system detects an outdated ActiveX control, it blocks it and notifies the user. The notification bar, which differs based on the Internet Explorer version, allows users to update the component, run it only once, and learn about the risks. The feature can also detect when a webpage tries to launch an outdated application outside the Web browser.

Controls are blocked based on a list included in a file named versionlist.xml, which is constantly updated by the company. versionlist.xml is a Microsoft-hosted file that's downloaded to the local machine by Internet Explorer.

To begin with, only older Java versions will be flagged, but other out-of-date ActiveX controls will be added to the list in the future. Starting with August 12, users will be notified when websites load J2SE 1.4 prior to update 43, J2SE 5.0 prior to update 71, Java SE 6 prior to update 81, Java SE 7 prior to update 65, and Java SE 8 prior to update 11.
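An administrator auditing a fleet may want to know in advance which installed Java runtimes will trip the new block. The checker below is an added example, not code from the article or from Microsoft's versionlist.xml: it encodes the update thresholds quoted above in a table and assumes Java reports its version in the legacy "1.<family>.0_<update>" form (for example "1.7.0_45").

```python
import re

# Minimum acceptable update number per Java family, taken from the
# thresholds quoted in the article. Any release of the same family with a
# lower update number is treated as out of date. This table is constructed
# for the example and is not Microsoft's versionlist.xml.
MIN_UPDATE = {
    4: 43,  # J2SE 1.4 prior to update 43
    5: 71,  # J2SE 5.0 prior to update 71
    6: 81,  # Java SE 6 prior to update 81
    7: 65,  # Java SE 7 prior to update 65
    8: 11,  # Java SE 8 prior to update 11
}

# Legacy Java version strings: "1.<family>.<minor>" with optional "_<update>".
_VERSION_RE = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?$")


def parse_java_version(version):
    """Parse '1.7.0_45' into (family, update); a missing '_NN' means update 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    family = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def is_out_of_date(version):
    """True if the runtime falls below the article's threshold for its family."""
    family, update = parse_java_version(version)
    if family not in MIN_UPDATE:
        # Families not on the initial list are not flagged yet; the article
        # says further controls will be added to the list later.
        return False
    return update < MIN_UPDATE[family]


def audit(versions):
    """Return the subset of version strings that the block list would flag."""
    return [v for v in versions if is_out_of_date(v)]


if __name__ == "__main__":
    # Constructed sample inventory, one entry per machine.
    sample = ["1.4.2_42", "1.4.2_43", "1.6.0_45", "1.7.0_65", "1.8.0_05", "1.8.0_11"]
    for v in sample:
        print(v, "would be blocked" if is_out_of_date(v) else "allowed")
```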

As far as managed environments are concerned, the feature doesn't block any controls in the Local Intranet Zone and Trusted Sites Zone to ensure that intranet sites and trusted line-of-business apps are not disrupted.

"Some customers may want more granular control over how this feature works on managed systems. IT Pros may want to turn on ActiveX control logging, enforce blocking, allow select domains to use out-of-date ActiveX controls, or—although it is not recommended—disable the feature altogether," Microsoft said in a blog post.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.