IE increases protections, implements “out-of-date ActiveX control blocking”

Last week, Internet Explorer announced important changes it will be making to better protect customers from cybercriminal attacks. Beginning on September 9, Internet Explorer will block out-of-date ActiveX controls, such as older versions of the Oracle Java Runtime Environment (JRE), as part of the August 2014 release of MS14-051, Cumulative Security Update for Internet Explorer (2976627). ActiveX controls are small programs, sometimes called add-ons, that web sites use to serve up content such as videos and games and to let you interact with content such as toolbars. While ActiveX controls have become increasingly popular over time, many of them are neglected or left unpatched for long periods, potentially leaving people exposed and vulnerable to attack from cybercriminals. This is because many of the ActiveX controls in use today are not automatically updated.

Data from the latest Microsoft Security Intelligence Report provides insight into the scale of this problem.  In 2013, Oracle Java Runtime Environment (JRE) exploits accounted for between 84.6 and 98.5 percent of exploit kit-related detections each month. More details are available in this article: Keeping Oracle Java updated continues to be high security ROI.

Many customers rely on Java based applications that might be affected by this change, so it is strongly recommended that customers test the update and verify that they are running the latest version.

To better protect customers from the risk posed by out-of-date ActiveX controls, Internet Explorer 8 through Internet Explorer 11 will introduce a new security feature called out-of-date ActiveX control blocking. By default, this feature warns users and offers the options to update the control or to override the warning. When Internet Explorer blocks an outdated ActiveX control, you will see a notification bar similar to the one below, depending on your version of Internet Explorer:

[Image: notification bar as shown in Internet Explorer 9 through Internet Explorer 11]

Keeping all applications running on your system up to date is a security best practice, and ActiveX controls are no exception. Internet Explorer will use a Microsoft-hosted file, versionlist.xml, to determine whether an ActiveX control should be stopped from loading, and this file will be updated with newly discovered out-of-date ActiveX controls over time. For in-depth information on the security enhancements coming to Internet Explorer designed to better protect you, I encourage you to check out the following resources and create a plan to validate and test your environment prior to September 9: KB2991000 Update to block out-of-date ActiveX controls in Internet Explorer, the article Out-of-date ActiveX Control Blocking, and the IE Blog post entitled “Internet Explorer begins blocking out-of-date ActiveX controls.”

Tim Rains
Trustworthy Computing

About the Author
Tim Rains

Chief Security Advisor, Microsoft Worldwide Cybersecurity & Data Protection

Tim Rains is Chief Security Advisor of Microsoft’s Worldwide Cybersecurity & Data Protection group, where he helps Microsoft’s enterprise customers with cybersecurity strategy and planning. Formerly, Tim was Director, Cybersecurity & Cloud Strategy in Trustworthy Computing at Microsoft.