In response to customer concerns, Microsoft won't start blocking ActiveX controls in IE until September.
Geek's Guide To NYC Travel: Interop Preview
(Click image for larger view and slideshow.)
Microsoft has delayed its plans to block out-of-date ActiveX controls in Internet Explorer (IE). Originally slated to take effect this week, the change will now go live on the company's next "Patch Tuesday," which falls on September 9. Microsoft altered its plans following customer complaints, one of several recent instance in which user feedback has visibly affected the company's actions.
In a blog post, Microsoft confirmed that the ActiveX blocking feature was included in the August IE Cumulative Security Update, but that it will not block any content for thirty days. ActiveX controls are add-ons that allow websites to display certain types of content, such as animations, and various interactive features. Not all ActiveX controls are kept up-to-date, however, and even among those that have been updated, current versions don't always find their ways to users. Microsoft plans to block old ActiveX controls because cybercriminals can exploit unpatched flaws to spy on the user, install malware, or even remotely take control of the machine.
Microsoft's ActiveX control blocking will display a security warning if a webpage attempts to launch specific outdated apps outside of IE.
Microsoft originally indicated it would widely block out-of-date Active X controls, but when it announced this week that it had postponed its plans, the company said it will deny only Oracle Java ActiveX -- at least for now. "We are initially flagging older versions of Java, but over time will add other outdated ActiveX controls to the list," the company said in a second blog post.
Microsoft regularly tracks exploit kit-related flaws and other potential security risks. According to the company's Security Intelligence Report, in 2013, Java vulnerabilities accounted for 84.6% to 98.5% of the company's monthly exploit kit-related detections.
Microsoft acknowledged that it delayed its ActiveX plans due to customer feedback, but aside from stating that the revised timeline "gives customers time to test and manage their environment," the company did not elaborate on user concerns it has received.
Microsoft said its blocking efforts will be deactivated in the Local Intranet Zone and Trusted Sites Zone, which should mitigated problems for businesses that use intranet sites and line-of-business apps that rely on ActiveX controls. Microsoft noted that some customers may want "more granular control" and said several new Group Policy settings will provide expanded utility, including the ability to disable ActiveX blocking.
Microsoft says that once implemented, ActiveX blocking will inform the user when IE prevents a Web page from loading due to an outdated control. It will still allow the user to interact with parts of the site unaffected Active X. When possible, it will also update old, potentially vulnerable controls.
ActiveX control blocking will work with IE 8 to 11 on Windows 7 and later, and IE 8 to 11 on Windows Server 2008 and later. Blocking will impact all security zones except the Local Intranet Zone and the Trusted Sites Zone.
Microsoft's decision to delay ActiveX blocking is one of several recent instances in which the company has been responsive to customer concerns. The company originally said that enterprise customers using Windows 8.1 would have to upgrade by June to Windows 8.1 Update, but later extended the deadline to August, for example. When a potential Windows XP vulnerability emerged shortly after the OS's support deadline, Microsoft also gave XP customers a one-time security fix.
The company has additionally delivered a number of feature updates based on user requests, from adding printing capabilities to Office for iPad, to adding a way to disable the Surface Pro 3's Start button, which some users find easy to accidentally press when the device is in tablet mode. Microsoft's responsiveness is admirable, but many customers are probably wondering when they'll see the changes they really want -- like the restored Start menu that was originally slated for this year, but might not appear until Windows 9.
In its ninth year, Interop New York (Sept. 29 to Oct. 3) is the premier event for the Northeast IT market. Strongly represented vertical industries include financial services, government, and education. Join more than 5,000 attendees to learn about IT leadership, cloud, collaboration, infrastructure, mobility, risk management and security, and SDN, as well as explore 125 exhibitors' offerings. Register with Discount Code MPIWK to save $200 off Total Access & Conference Passes.
Michael Endler joined InformationWeek as an associate editor in 2012. He previously worked in talent representation in the entertainment industry, as a freelance copywriter and photojournalist, and as a teacher. Michael earned a BA in English from Stanford University in 2005 ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Cybersecurity Strategies for the Digital EraAt its core, digital business relies on strong security practices. In addition, leveraging security intelligence and integrating security with operations and developer teams can help organizations push the boundaries of innovation.