August 6th, 2014
As part of our ongoing commitment to delivering a more secure browser, starting August 12th Internet Explorer will block out-of-date ActiveX controls. ActiveX controls are small apps that let Web sites provide content, like videos and games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious or compromised Web pages can target security flaws in outdated controls to collect information, install dangerous software, or by let someone else control your computer remotely.
For example, according to the latest Microsoft Security Intelligence Report, Java exploits represented 84.6% to 98.5% of exploit kit-related detections each month in 2013. These vulnerabilities may have been fixed in recent versions, but users may not know to upgrade. To help avoid this situation with ActiveX controls, an update to Internet Explorer on August 12, 2014 will introduce a new security feature, called out-of-date ActiveX control blocking.
Out-of-date ActiveX control blocking lets you:
- Know when Internet Explorer prevents a Web page from loading common, but outdated, ActiveX controls.
- Interact with other parts of the Web page that aren’t affected by the outdated control.
- Update the outdated control, so that it’s up-to-date and safer to use.
- Inventory the ActiveX controls your organization is using.
We wanted to share some guidance ahead of next week’s update, to help you understand this feature and decide the best course of action. If you are an end user and see the notification bar, we suggest updating to the latest version. If you are an IT Pro, you can decide how to implement this feature.
The out-of-date ActiveX control blocking feature works with:
- On Windows 7 SP1, Internet Explorer 8 through Internet Explorer 11
- On Windows 8 and up, Internet Explorer for the desktop
- All Security Zones—such as the Internet Zone—but not the Local Intranet Zone and the Trusted Sites Zone
This feature does not warn about or block ActiveX controls in the Local Intranet Zone or Trusted Sites Zone.
What does the out-of-date ActiveX control blocking notification look like?
It is important to note that, by default, this feature warns users, with options to update the control or override the warning. When Internet Explorer blocks an outdated ActiveX control, you will see a notification bar similar to this, depending on your version of Internet Explorer:
Internet Explorer 9 through Internet Explorer 11
Internet Explorer 8
From the notification about the outdated ActiveX control, clicking “update” will take you to the control’s Web site to download its latest version. Optionally, in managed environments, IT can configure the feature to block—and not just warn—a user from running out-of-date ActiveX controls.
Out-of-date ActiveX control blocking also gives you a security warning that tells you if a Web page tries to launch specific outdated apps, outside of Internet Explorer:
How does Internet Explorer decide which ActiveX controls to block?
Internet Explorer uses a Microsoft-hosted file, versionlist.xml, to determine whether an ActiveX control should be stopped from loading. This file is updated with newly-discovered out-of-date ActiveX controls, which Internet Explorer automatically downloads to your local copy of the file. We are initially flagging older versions of Java, but over time will add other outdated ActiveX controls to the list.
As of August 12, 2014, this feature will provide users with notifications when Web pages try to load the following versions of Java ActiveX controls:
- J2SE 1.4, everything below (but not including) update 43
- J2SE 5.0, everything below (but not including) update 71
- Java SE 6, everything below (but not including) update 81
- Java SE 7, everything below (but not including) update 65
- Java SE 8, everything below (but not including) update 11
You can view Microsoft’s complete list of out-of-date ActiveX controls at Internet Explorer version list.
Out-of-date ActiveX control blocking for managed environments
Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and Trusted Sites Zone, to help ensure that intranet Web sites and trusted line-of-business apps can continue to use ActiveX controls without disruption. Some customers may want more granular control over how this feature works on managed systems. IT Pros may want to turn on ActiveX control logging, enforce blocking, allow select domains to use out-of-date ActiveX controls, or—although it is not recommended—disable the feature altogether.
To support these scenarios, Internet Explorer includes four new Group Policy settings that you can use to manage out-of-date ActiveX control blocking.
- Logging can tell you what ActiveX controls will be allowed or flagged for warning or blocking, and for what reason. Creating an inventory of ActiveX controls can also show which ActiveX controls are compatible with Enhanced Protected Mode, an Internet Explorer 11 security feature which provides additional protection against browser exploits—but not all ActiveX controls are compatible with EPM, so this feature can help assess your organization’s readiness for blocking out-of-date ActiveX controls and enabling EPM. This Group Policy is “Turn on ActiveX control logging in Internet Explorer,” and can be used separately or in conjunction with the other three policies.
- Enforced blocking prevents users from overriding the warning for out-of-control ActiveX controls. Users will not see the “Run this time” button. This Group Policy is “Remove Run this time button for outdated ActiveX controls in Internet Explorer.”
- Selected domains can be managed for which Internet Explorer will not block or warn about outdated ActiveX controls. This policy is “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” and includes a list of top level domains, host names, or files.
- This feature can be turned off by using the policy “Turn off blocking of outdated ActiveX controls for Internet Explorer.” This might be used temporarily in combination with logging, to assess ActiveX controls before re-enabling the feature. This can also be enabled, like all four policies, with a registry key—in this case, a REG_DWORD “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\VersionCheckEnabled” with value of zero.
Please see the complete technical documentation here, pending publication on August 7. Starting on August 12, you can also download updated Internet Explorer administrative templates from:
- Windows Server 2003. Download the complete set of (English only) Internet Explorer administrative templates, which include the new settings, from here.
- Windows Server 2008 and up. Download the complete set of Internet Explorer administrative templates, which include the new settings, from here.
Stay up-to-date with Internet Explorer
We know that many organizations still rely on the capabilities of ActiveX controls, but out-of-date ActiveX controls are a risk today. By helping consumers stay up-to-date—and enabling IT to better manage ActiveX controls, including those that are compatible with Enhanced Protected Mode—Microsoft is helping customers stay safer online. This is another example of delivering on the promise to help get users current with a safer, more secure Internet Explorer.
Finally, thank you to the Java engineering team for partnering with us on delivering this feature. This partnership shows that the Java and IE goals are the same regarding keeping users up-to-date and secure!
— Fred Pullen, Senior Product Manager, Internet Explorer
— Jasika Bawa, Program Manager, Security