Feedback Friday Industry Experts Comment on Hive Ransomware Takedown

Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Microsoft to Block Outdated ActiveX Controls in Internet Explorer

In an effort to provide an enhanced level of protection to Internet Explorer users, Microsoft has decided to introduce a new feature that’s designed to block ActiveX controls that are out of date, the company announced on Wednesday.

In an effort to provide an enhanced level of protection to Internet Explorer users, Microsoft has decided to introduce a new feature that’s designed to block ActiveX controls that are out of date, the company announced on Wednesday.

ActiveX controls, which are basically add-ons for Internet Explorer, are needed to access and interact with certain types of content. Two of the most common ActiveX controls are Flash Player, which is used to load videos and games, and Java, which is often required to run applications.

While these controls are highly useful, they contain vulnerabilities that enable cybercriminals to compromise computers. Such security holes can be leveraged by malicious websites to install software, collect information, and allow a remote attacker to take control of the affected device.

That’s why Microsoft has decided to introduce a new security feature called “out-of-date ActiveX control blocking.”

The feature will be launched on August 12 with this month’s Patch Tuesday updates, and it’s designed to work with Internet Explorer 8 through 11 on Windows 7 SP1, and Internet Explorer for desktops on Windows 8 and up. Organizations can also put it to good use because it works with managed environments as well.IE Active X Blocking

When the system detects an outdated ActiveX control, it blocks it and notifies the user. The notification bar, which differs based on the Internet Explorer version, allows users to update the component, run it only once, and learn about the risks. The feature can also detect when a webpage tries to launch an outdated application outside the Web browser.

Controls are blocked based on a list included in a file named versionlist.xml, which is constantly updated by the company.  versionlist.xml is a Microsoft-hosted file that’s downloaded to the local machine by Internet Explorer.

To begin with, only older Java versions will be flagged, but other out-of-date ActiveX controls will be added to the list in the future. Starting with August 12, users will be notified when websites load J2SE 1.4 prior to update 43, J2SE 5.0 prior to update 71, Java SE 6 prior to update 81,  Java SE 7 prior to update 65, and Java SE 8 prior to update 11.

As far as managed environments are concerned, the feature doesn’t block any controls in the Local Intranet Zone and Trusted Sites Zone to ensure that intranet sites and trusted line-of-business apps are not disrupted.

“Some customers may want more granular control over how this feature works on managed systems. IT Pros may want to turn on ActiveX control logging, enforce blocking, allow select domains to use out-of-date ActiveX controls, or—although it is not recommended—disable the feature altogether,” Microsoft said in a blog post.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.