Microsoft Planning To Block Outdated Flash ActiveX in IE 11
Microsoft announced this week that it's planning to initiate a new limited-time blocking scheme for out-of-date Adobe Flash ActiveX used in its Internet Explorer 11 browser.
The Adobe Flash ActiveX blocking process will be in effect only for IE 11 browsers running on Windows 7 Service Pack 1 or Windows Server 2008 R2. It won't affect organizations using newer Windows operating systems. In addition, the blocking doesn't affect Adobe Flash ActiveX when it's run using "the local Intranet Zone or the Trusted Sites Zone" of IE 11, according to Microsoft's announcement.
The blocking will take place over a one-month period. It will start on Oct. 11, but Microsoft plans to end it on Nov. 10, 2016.
Clearly, blocking older and potentially insecure Adobe Flash ActiveX use can only be a benefit for organizations using IE 11 on Windows 7. Adobe Flash ActiveX is used by browsers to provide applications support, but using outdated versions of it constitutes a notorious security risk.
It turns out that Windows 7, unlike Windows 10, doesn't necessarily update Flash automatically. Users can use Adobe's Flash updating system instead, and some people going that route have disabled it. Microsoft and Adobe think that a one-month blocking period will be sufficient time to alert users to install the needed Flash updates or to turn on automatic updating for Flash.
Here's how a Microsoft spokesperson explained that rationale, via an e-mail:
"We partner closely with Adobe to ensure that it is easy for users to continue running on a current and safe version of Adobe Flash. On Windows 10, this happens automatically through Windows Updates for both Internet Explorer and Microsoft Edge; but for Windows 7 SP1 and Windows Server, Adobe offers the ability for users to stay current through Adobe's updating services. While most users stay up to date, a subset of users may have inadvertently disabled these automatic updates, putting their systems at unexpected risk. We are confident that the majority of these users can be alerted by November 11th, giving them the opportunity to update to a current version and switch to automatic updating moving forward. Together with Adobe we will continue to evaluate the effectiveness of this effort."
The blocking scheme is also limited in how often it will alert users. IE 11 will only send an alert "once per tab process," according to Microsoft's announcement. "All subsequent out-of-date Flash ActiveX controls will be allowed," it explained.
In addition, Microsoft is limiting its blocking scheme to users of the "Local Administrators group on the PC." Organizations can make the blocking apply to all users by performing a registry edit, as described in Microsoft's announcement.
When blocked, users will get a notice in IE 11 saying that the "Flash Player was blocked because it is out of date and needs to be updated."
The blocking process will be in effect for Adobe Flash Player versions older than version 220.127.116.11, as well as "Adobe Flash Player Extended Support Release version 18.104.22.168," as described here.
Microsoft has rolled out such blocking approaches before. Two years ago, it established an IE blocking process for outdated Oracle Java ActiveX controls, using a similar alert method. It also established a process to block outdated Silverlight plug-ins in IE around that time.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.