Microsoft Holds Back on Out-of-Date ActiveX Blocking Until September

Microsoft's new security protection feature for Internet Explorer that blocks older installations of ActiveX will now start to take effect on Sept. 9, instead of the earlier announced Aug. 12 date, and it will only block Oracle Java ActiveX for now.

The new security feature, known as "out-of-date ActiveX control blocking," will still arrive as part of an update to IE browsers on Aug. 12. However, the blocking effect won't kick in until Tuesday, Sept. 9, according to an addendum (dated Aug. 10) to Microsoft's original announcement.

"Based on customer feedback, we have decided to wait thirty days before blocking any out-of-date ActiveX controls. Customers can use the new logging feature to assess ActiveX controls in their environment and deploy Group Policies to enforce blocking, turn off blocking ActiveX controls for specific domains, or turn off the feature entirely depending on their needs. The feature and related Group Policies will still be available on August 12, but no out-of-date ActiveX controls will be blocked until Tuesday, September 9th. Microsoft will continue to create a more secure browser, and we encourage all customers to upgrade and stay up-to-date with the latest Internet Explorer and updates."

It's not exactly clear what customer feedback caused Microsoft to delay the out-of-date ActiveX blocking, although an updated FAQ accompanying Microsoft's original announcement stated that it was done "in order to give customers time to test and manage their environments."

One new addition to the FAQ explains that the out-of-date ActiveX control blocking feature will become available for IE browsers through the "August Internet Explorer Cumulative Security Update" on Aug. 12, which likely means that it will arrive as part of Microsoft's general Patch Tuesday security bulletin release, rather than as a separate download. Microsoft keeps a list of outdated ActiveX controls in a file called "versionlist.xml." That versionlist.xml file will be downloaded by IE browsers "within 12 hours of installing the August Cumulative Update and starting Internet Explorer."

Another new piece of information that was added to Microsoft's FAQ is that "only out-of-date Oracle Java ActiveX controls will be blocked by this feature" in September. However, Microsoft plans to consider blocking other out-of-date ActiveX controls in its future IE update releases.

Microsoft's technical documentation about the new blocking capability still seems to be somewhat thin at this date. However, Microsoft indicated it's planning to release new TechNet documentation and Group Policy administrative templates on Aug. 12.

In addition to using four new Group Policy additions or administrative templates to manage the ActiveX blocking feature, it's possible to disable it for specific domains or disable it entirely by making some Registry changes. Microsoft's amended FAQ lists the Registry settings to make in such cases.

Update: Microsoft offers more comprehensive advice and links for getting the new administrative templates for Windows Server 2003, as well as Windows Server 2008 versions and up, in this blog post.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
