Internet Explorer begins blocking out-of-date ActiveX controls


As part of our ongoing commitment to delivering a more secure browser, starting September 9th Internet Explorer will block out-of-date ActiveX controls. Note: The original post stated that the ActiveX blocking would begin on August 12th. Please refer to the addendum for further details.

ActiveX controls are small apps that let Web sites provide content, like videos and games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious or compromised Web pages can target security flaws in outdated controls to collect information, install dangerous software, or let someone else control your computer remotely.

For example, according to the latest Microsoft Security Intelligence Report, Java exploits represented 84.6% to 98.5% of exploit kit-related detections each month in 2013. These vulnerabilities may have been fixed in recent versions, but users may not know to upgrade. To help avoid this situation with ActiveX controls, an update to Internet Explorer on August 12, 2014 will introduce a new security feature, called out-of-date ActiveX control blocking.

Out-of-date ActiveX control blocking lets you:

  • Know when Internet Explorer prevents a Web page from loading common, but outdated, ActiveX controls.
  • Interact with other parts of the Web page that aren’t affected by the outdated control.
  • Update the outdated control, so that it’s up-to-date and safer to use.
  • Inventory the ActiveX controls your organization is using.

We wanted to share some guidance ahead of next week’s update, to help you understand this feature and decide the best course of action. If you are an end user and see the notification bar, we suggest updating to the latest version. If you are an IT Pro, you can decide how to implement this feature.

Supported Configurations

The out-of-date ActiveX control blocking feature works with:

  • Internet Explorer 8 through Internet Explorer 11 on Windows 7 SP1 and up
  • Internet Explorer 8 through Internet Explorer 11 on Windows Server 2008 R2 SP1 and up
  • All Security Zones—such as the Internet Zone—but not the Local Intranet Zone and the Trusted Sites Zone

This feature does not warn about or block ActiveX controls in the Local Intranet Zone or Trusted Sites Zone.

What does the out-of-date ActiveX control blocking notification look like?

It is important to note that, by default, this feature warns users, with options to update the control or override the warning. When Internet Explorer blocks an outdated ActiveX control, you will see a notification bar similar to this, depending on your version of Internet Explorer:

[Image: prompt telling the user that the page has loaded an out-of-date ActiveX control in Internet Explorer 9 through 11]
Internet Explorer 9 through Internet Explorer 11

[Image: prompt telling the user that the page has loaded an out-of-date ActiveX control in Internet Explorer 8]
Internet Explorer 8

From the notification about the outdated ActiveX control, clicking “update” will take you to the control’s Web site to download its latest version. Optionally, in managed environments, IT can configure the feature to block—and not just warn—a user from running out-of-date ActiveX controls.

Out-of-date ActiveX control blocking also gives you a security warning that tells you if a Web page tries to launch specific outdated apps, outside of Internet Explorer:

[Image: security warning shown when a Web page tries to launch a specific outdated app outside of Internet Explorer]

How does Internet Explorer decide which ActiveX controls to block?

Internet Explorer uses a Microsoft-hosted file, versionlist.xml, to determine whether an ActiveX control should be stopped from loading. This file is updated with newly-discovered out-of-date ActiveX controls, which Internet Explorer automatically downloads to your local copy of the file. We are initially flagging older versions of Java, but over time will add other outdated ActiveX controls to the list.

As of September 9, 2014, this feature will provide users with notifications when Web pages try to load the following versions of Java ActiveX controls:

  • J2SE 1.4, everything below (but not including) update 43
  • J2SE 5.0, everything below (but not including) update 71
  • Java SE 6, everything below (but not including) update 81
  • Java SE 7, everything below (but not including) update 65
  • Java SE 8, everything below (but not including) update 11

You can view Microsoft’s complete list of out-of-date ActiveX controls at Internet Explorer version list.
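As an added example (not part of the original post or of Microsoft's tooling), the following PowerShell function applies the thresholds listed above to a Java version string in the 1.<major>.0_<update> form that the JRE reports (for example 1.7.0_55; J2SE 5.0 reports itself as 1.5). The update thresholds are the ones in the post; the function name, the version-string format, and the sample versions are this example's own assumptions.

```powershell
# Added example (not from the original post): classify a Java runtime version
# string against the update thresholds the post lists. Version strings are
# assumed to follow "1.<major>.0_<update>" (J2SE 5.0 reports as 1.5, Java SE 8
# as 1.8); a string without an "_update" suffix is treated as update 0.

# Minimum acceptable update number per Java family, taken from the post.
$MinimumUpdate = @{
    '1.4' = 43   # J2SE 1.4 below update 43 is flagged
    '1.5' = 71   # J2SE 5.0 below update 71
    '1.6' = 81   # Java SE 6 below update 81
    '1.7' = 65   # Java SE 7 below update 65
    '1.8' = 11   # Java SE 8 below update 11
}

function Test-OutdatedJavaVersion {
    param([Parameter(Mandatory)][string]$Version)

    # Split "1.7.0_55" into family "1.7" and update 55.
    if ($Version -notmatch '^(?<family>\d+\.\d+)\.\d+(?:_(?<update>\d+))?$') {
        throw "Unrecognised Java version string: $Version"
    }
    $family = $Matches['family']
    $update = if ($Matches['update']) { [int]$Matches['update'] } else { 0 }

    # Families the post does not list are reported, not judged.
    if (-not $MinimumUpdate.ContainsKey($family)) {
        return [pscustomobject]@{
            Version = $Version; Family = $family; Update = $update
            Outdated = $null; Reason = 'family not on the list'
        }
    }

    $min = $MinimumUpdate[$family]
    [pscustomobject]@{
        Version  = $Version
        Family   = $family
        Update   = $update
        Outdated = ($update -lt $min)
        Reason   = "minimum update for $family is $min"
    }
}

# Constructed sample versions to illustrate the classification (not real inventory data).
'1.7.0_55', '1.7.0_65', '1.8.0_05', '1.8.0_11', '1.6.0_81', '1.5.0_22', '1.4.2_43' |
    ForEach-Object { Test-OutdatedJavaVersion $_ } |
    Format-Table -AutoSize
```

With the constructed samples, 1.7.0_55, 1.8.0_05 and 1.5.0_22 come out as outdated and the others as current, which matches the boundaries in the list above (the threshold update itself is not flagged).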

Out-of-date ActiveX control blocking for managed environments

Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and Trusted Sites Zone, to help ensure that intranet Web sites and trusted line-of-business apps can continue to use ActiveX controls without disruption. Some customers may want more granular control over how this feature works on managed systems. IT Pros may want to turn on ActiveX control logging, enforce blocking, allow select domains to use out-of-date ActiveX controls, or—although it is not recommended—disable the feature altogether. For enterprise readiness guidance, please refer to Microsoft Knowledge Base Article 2991000.

To support these scenarios, Internet Explorer includes four new Group Policy settings that you can use to manage out-of-date ActiveX control blocking.

  • Logging can tell you what ActiveX controls will be allowed or flagged for warning or blocking, and for what reason. Creating an inventory of ActiveX controls can also show which ActiveX controls are compatible with Enhanced Protected Mode, an Internet Explorer 11 security feature which provides additional protection against browser exploits—but not all ActiveX controls are compatible with EPM, so this feature can help assess your organization’s readiness for blocking out-of-date ActiveX controls and enabling EPM. This Group Policy is “Turn on ActiveX control logging in Internet Explorer,” and can be used separately or in conjunction with the other three policies.
  • Enforced blocking prevents users from overriding the warning for out-of-date ActiveX controls. Users will not see the “Run this time” button. This Group Policy is “Remove Run this time button for outdated ActiveX controls in Internet Explorer.”
  • Selected domains can be managed for which Internet Explorer will not block or warn about outdated ActiveX controls. This policy is “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” and includes a list of top level domains, host names, or files.
  • This feature can be turned off by using the policy “Turn off blocking of outdated ActiveX controls for Internet Explorer.” This might be used temporarily in combination with logging, to assess ActiveX controls before re-enabling the feature. This can also be enabled, like all four policies, with a registry key—in this case, a REG_DWORD “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\VersionCheckEnabled” with value of zero.

Please see the complete technical documentation here. You can also download updated Internet Explorer administrative templates, including these new settings, from the Administrative Templates for Internet Explorer page.

Stay up-to-date with Internet Explorer

We know that many organizations still rely on the capabilities of ActiveX controls, but out-of-date ActiveX controls are a risk today. By helping consumers stay up-to-date—and enabling IT to better manage ActiveX controls, including those that are compatible with Enhanced Protected Mode—Microsoft is helping customers stay safer online. This is another example of delivering on the promise to help get users current with a safer, more secure Internet Explorer.

Finally, thank you to the Java engineering team for partnering with us on delivering this feature. This partnership shows that the Java and IE goals are the same regarding keeping users up-to-date and secure!

Addendum – 8/10/14

We have received several questions about this update, and would like to clarify these as well as make a quick announcement.

Based on customer feedback, we have decided to wait thirty days before blocking any out-of-date ActiveX controls. Customers can use the new logging feature to assess ActiveX controls in their environment and deploy Group Policies to enforce blocking, turn off blocking ActiveX controls for specific domains, or turn off the feature entirely depending on their needs. The feature and related Group Policies will still be available on August 12, but no out-of-date ActiveX controls will be blocked until Tuesday, September 9th. Microsoft will continue to create a more secure browser, and we encourage all customers to upgrade and stay up-to-date with the latest Internet Explorer and updates.

Below, please find the answers to some frequently asked questions about this update.

FAQ

Which outdated ActiveX controls are covered in this update?

No ActiveX controls will be affected when the feature is initially released in August. In September, only out-of-date Oracle Java ActiveX controls will be affected. All other ActiveX controls will continue existing behavior.

Will this update affect applications which use out-of-date Java outside of Internet Explorer?

No. This feature will only prompt the user when an out-of-date version of Java is loaded as an ActiveX control in Internet Explorer.

Will this update apply to Internet Explorer on server as well as client SKUs?

Yes.

Will this feature be part of the August Cumulative Update or be released as a separate Hotfix?

This feature will be part of the August Internet Explorer Cumulative Security Update, but no out-of-date ActiveX controls will be blocked for thirty days in order to give customers time to test and manage their environments.

Does this feature help protect against active attacks targeting outdated Java controls?

Yes, installing the most current version of the Java runtime significantly improves user security. Additional details on specific CVEs are outlined on the Microsoft Security Blog – “Keeping Oracle Java updated continues to be high security ROI” and in the Microsoft Security Intelligence Report.

Can end users choose to override the prompt if a trusted application requires out-of-date Java use?

Yes, users can choose the “Run this time” option for internet sites requiring out-of-date ActiveX control use.

My enterprise has line-of-business web sites that depend on out-of-date Java ActiveX controls in the Intranet zone or Trusted Sites zone, will those be affected by this update?

No, sites in the Intranet or Trusted Sites zone will continue to function as usual after applying this update. Intranet websites accessed through a fully-qualified domain name or IP address are considered to be within the Internet zone and will be affected by this update. Please see the following knowledge base article for a full discussion and suggested workarounds. In addition, it should be noted that no out-of-date ActiveX controls will be affected for thirty days, in order to give customers time to test and manage their environments.

My enterprise has line-of-business web sites that depend on out-of-date Java ActiveX controls in the Internet zone, will they be affected?

Out-of-date Java ActiveX controls will not be initially affected, giving customers thirty days to test and manage their environments. After September 9, when end users attempt to load the out-of-date Java ActiveX control, a prompt will be shown to the user (as described earlier in the post). The end user will be able to click the “Run this time” option to load the out-of-date Java ActiveX control. Once loaded, the out-of-date Java ActiveX control will work as usual.

Can this feature be disabled if my enterprise requires an older version of the Java runtime?

Yes, there are several ways to disable this feature. Microsoft provides updated IE group policy administrative templates which include 4 new group policies to control this feature*. Two of these group policies can be used to disable this feature on a per domain basis or entirely.

If you do not wish to use the group policy administrative templates to disable the feature, you can use the following registry keys that can be set via group policy (the process is described in more detail here and here). All keys can be set in HKLM or HKCU (HKLM will take preference over HKCU).

  • Policy: Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains
    Registry setting:
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\Domain" /v contoso.com /t REG_SZ /f
  • Policy: Turn off blocking of outdated ActiveX controls for Internet Explorer
    Registry setting:
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v VersionCheckEnabled /t REG_DWORD /d 0 /f

If none of the above options work, the address of the site which needs to use an out-of-date Java ActiveX control can be added to the Trusted Sites zone.

Can this feature be disabled without administrative access?

Yes. This can be done by deleting any previously downloaded versionlist.xml files and instructing IE to stop updating the XML file. This can be done by running the following commands in a command window:

  1. reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /f
  2. del "%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml"

How does Internet Explorer obtain, update and use the versionlist.xml file?

Supported versions of Internet Explorer will download the initial version of the versionlist.xml file within 12 hours of installing the August Cumulative Update and starting Internet Explorer. The versionlist.xml file will be downloaded from here to: %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml.

Once the file is downloaded the feature will become enabled and Internet Explorer will start blocking out-of-date Java ActiveX controls in accordance with the data present in the versionlist.xml file. Internet Explorer will then check for updates to this file on a regular cadence. If Microsoft updates the file, Internet Explorer will download a new version of this file. Note that the file will not block out-of-date ActiveX controls for the first thirty days, to give customers time to test and manage their environments.
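The registry locations given in the answers above (Policies\Ext\VersionCheckEnabled and the Policies\Ext\Domain exemption list, the per-user VersionManager\DownloadVersionList value, and the versionlist.xml path) can be read back to audit what state a machine is actually in before the September 9 date. The following PowerShell script is an added example, not code from the post or from Microsoft; the paths, value names, and the HKLM-over-HKCU precedence come from the post, while the function names and the report layout are this example's own assumptions.

```powershell
# Added example (not from the original post or Microsoft tooling): report the
# effective state of out-of-date ActiveX control blocking on the local machine.
# Registry paths, value names and the HKLM-over-HKCU rule are as stated in the
# post; function names and the output shape are this example's own.

function Get-PolicyValue {
    # Return the first matching value, checking HKLM before HKCU because the
    # post states HKLM takes precedence when both hives set the policy.
    param([string]$SubKey, [string]$Name)
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$SubKey"
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                return [pscustomobject]@{ Hive = $hive; Value = $item.$Name }
            }
        }
    }
    return $null
}

function Get-ActiveXBlockingState {
    $ext = 'Software\Microsoft\Windows\CurrentVersion\Policies\Ext'
    $vm  = 'Software\Microsoft\Internet Explorer\VersionManager'

    # Policy "Turn off blocking of outdated ActiveX controls for Internet Explorer":
    # VersionCheckEnabled = 0 disables the feature; absent means enabled.
    $versionCheck = Get-PolicyValue -SubKey $ext -Name 'VersionCheckEnabled'

    # Policy "... on specific domains": exemptions are value names under Ext\Domain.
    $domains = @()
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$ext\Domain"
        if (Test-Path $path) {
            $domains += (Get-Item $path).GetValueNames() | Where-Object { $_ -ne '' }
        }
    }

    # Per-user opt-out that stops versionlist.xml from being refreshed.
    $download = Get-PolicyValue -SubKey $vm -Name 'DownloadVersionList'

    # Local copy of the version list; without it nothing can be flagged.
    $listPath = Join-Path $env:LOCALAPPDATA 'Microsoft\Internet Explorer\VersionManager\versionlist.xml'
    $listInfo = Get-Item $listPath -ErrorAction SilentlyContinue

    $disabledByPolicy = ($null -ne $versionCheck -and [int]$versionCheck.Value -eq 0)
    $downloadsOff     = ($null -ne $download -and [int]$download.Value -eq 0)

    [pscustomobject]@{
        FeatureDisabledByPolicy = $disabledByPolicy
        PolicySource            = if ($versionCheck) { $versionCheck.Hive } else { 'not set (default: enabled)' }
        ExemptDomains           = $domains
        VersionListDownloads    = if ($downloadsOff) { 'disabled' } else { 'enabled' }
        VersionListPresent      = [bool]$listInfo
        VersionListLastWrite    = if ($listInfo) { $listInfo.LastWriteTime } else { $null }
        EffectivelyActive       = (-not $disabledByPolicy) -and [bool]$listInfo
    }
}

Get-ActiveXBlockingState | Format-List
```

Run it in the context of the user whose Internet Explorer session you want to assess, since both the DownloadVersionList opt-out and the versionlist.xml copy live in the per-user profile; a machine where VersionListDownloads reports "disabled" and VersionListPresent is false has had the feature switched off without any administrative policy, which is the scenario the previous answer describes.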

Can an enterprise disable or override the URL to which a user is taken when the Update button is clicked on the out-of-date ActiveX prompt?

The URL that the user is taken to when the Update button is clicked is stored in the versionlist.xml file. While this URL can be changed in the file, any future update to versionlist.xml will overwrite those changes.

Is out-of-date Java the only ActiveX control being blocked by this feature in September?

In September, yes, only out-of-date Oracle Java ActiveX controls will be blocked by this feature. However, Internet Explorer will consider blocking additional common, but out-of-date ActiveX controls in future updates.

*Where can I find additional documentation about this feature and the group policy administrative templates?

Additional TechNet documentation and the group policy administrative templates will be available on TechNet and Download Center respectively on 8/12.

— Fred Pullen, Senior Product Manager, Internet Explorer

— Jasika Bawa, Program Manager, Security

Comments (118)

  1. hAl says:

    Will you be blocking controls that are frustrating DEP/ASLR protection in the browser ?

  2. Arnold says:

    MS Internet Explorer should have a popup anytime a program tries to change the default start page or tries to make changes to the Manage Add-ons section. This is a welcomed change, need more!

  3. Yannick says:

    @Arnold – Agree on that! Would be wonderful if Internet Explorer first asks if a program changing browser settings is actually allowed or not.

    Anyway, nice to see you guys keep improving the security. Keep up the good work!

  4. microsoft lover 1995 says:

    Yay go Microsoft! =D

  5. tour of utah says:

    Live coverage tour of utah using flash plugin does not work in IE11

    tourtracker.tourofutah.com

    ( started from http://www.tourofutah.com/…/live-coverage )

  6. User says:

    Yeah, bring on more popups so that all everyone ever talks about is how to disable them. This will definitely help…. Not. Right now IE is blocking things for our organization and not even Microsoft can figure out what is being blocked and for what reason. Browser is not antivirus/antimalware. Stop pretending that it is and focus on delivering website content.

  7. SwiftOnSecurity says:

    @User You're in a managed environment. This doesn't impact you at all.

    Computer security is an issue that plagues society. Your self-centered view is ridiculous. This is a great improvement.

  8. Tensai says:

    Why give us the link to the administrative templates, if you aren't going to release the updated ones until next week? It would be nice to have them now so we can begin preparing for the update.

  9. NP says:

    How about also prompting the user with a notification to install an ActiveX control if it is not installed? For example, what if I don't have Java or Flash and the page I am visiting requires them. It would be nice if I got a notification with a button to automatically install them, without having to search around the Web and possibly installing something else on a malicious website pretending to be Java for example.

    Also, in the current implementation, will the update button download and install the update, or will it take me to the vendor's website on which I would then have to manually find and download and install an executable? If it's the latter case, it's too cumbersome and it will not help that much.

    Automate stuff as much as possible please.

  10. What says:

    What out-of-date ActiveX is?

  11. MR says:

    Great idea, will make my life simultaneously easier and harder! As a developer of a corporate ERP system with many thousands of extranet users, I need to support backwards compatibility (see activeX) and the latest tech. If IE is going to start blocking these backwards compatible activeX controls in the internet zone, I hope they are going to push a little harder to get people (including corporates) off of anything less than IE 10.

  12. NumbStill says:

    @NP –

    The posts says –

    "From the notification about the outdated ActiveX control, clicking “update” will take you to the control’s Web site to download its latest version".

    It will take you to the website, it will not update the control automatically.

  13. rachel says:

    I'm not being funny, but… if security was such a concern to you all, then why the hell are you using IE??

  14. Bugedone says:

    Why not just block all ActiveX controls? They are an abomination that should have been left in the 90s

  15. Yannick says:

    @rachel – Because IE has proven to be the best browser when it comes to blocking malware and is very good at security – better than other browsers – in general.

  16. UK ENTERPRISE says:

    How about some notice before doing it!!! The idea is good, but documentation released 7th and implementation of security update on Aug12th? What person made that stupid decision?

    Most large enterprises are still trying to get apps remediated for Java signing introduced in Update 51 – and Update 65 was only released the other day with Update 67 a bug fix update the week after.

    Java isn't just a patch to deploy, it's a whole application.

    I don't remember seeing an advisory that this was coming?

    I hope it's a GENERAL update and not rolled into an IE cumulative security update.

    Enterprise environments have testing and change control workflows which shouldn't have to invoke emergency board procedures for this.

    If the group policy settings are in the main IE policy, that's also an issue for a lot of people because of MS deprecating IE Maintenance Mode meaning the template can't just be thrown into AD, especially if you have different IT areas supporting different policies and the central IT function has no control over a couple of areas that self-govern. You have to co-ordinate the change over so they convert to proxy settings to GPO preferences at the same time.

    The process of upgrading from IE8 to IE10/11 can be painful for large organisations as intranet apps written over many years may not work – so that takes time to get them changed as some may not have readily available recoding support or money has to be agreed from the business to upgrade – that all takes some time. In an ideal world, funding would be available and everyone would change their code to work with new versions ASAP, but this doesn't happen in most organisations.

    Going from IE8 to IE10/11 is quite a step because of the fact that MS have made the browser more stringent to standards, and lost some of the "old IE ways" – hence why there is a pain point for making existing stuff compatible, but once this is done our future upgrades would be easier for newer IE versions.

    I hope the change is a general update rather than lumped into a security update seeing as there hasn't been much time given?

    I guess we will have to rush a GPO Preference out to set the reg key to disable the function.

  17. Julien says:

    @rachel

    Indeed, you're not funny. And your comment makes you look uneducated (regarding browser security).

    IE has been a pretty secure product for a while (more than Firefox). And with EMET installed it is actually hard to beat!

    Apparently you have not heard the results of this year's Pwn2Own browser hacking contest. Every major web browser was hacked several times. Even ChromeOS!

    IE11 with EMET was the only target to resist despite the highest reward of the contest for anyone pwning it.

    The point is that if you follow good security practices (EMET, EPM, …) IE can provide you a very secure browsing experience.

  18. Julien says:

    @Bugedone

    ActiveX controls are pretty much the same thing as NPAPI controls that Firefox and other web browsers use.

    It doesn't make sense to call them an abomination. It's just a plugin infrastructure that is still needed today to enable content from plugins such as Flash Player, Java, and other plugins that a lot of enterprises still rely on.

    Calling ActiveX an abomination shows that you don't actually know what ActiveX controls are.

  19. NumbStill says:

    @UK ENTERPRISE –

    Regarding upgrading to Internet Explorer 11 – have you heard of Enterprise Mode? Look it up. It loads websites in a mode that is much more compatible with Internet Explorer 8 than ever before and should address the issues you were having with previous compatibility modes.

  20. NumbStill says:

    @Julien –

    Most hackers make efforts to hack browsers based on their market share (if no one uses it, no one will be hacked), so the fact that it was not hacked does not necessarily mean that it is more or less secure than others. Perhaps it was not important enough at the time to make large efforts to hack it.

    (Of course, maybe it simply resisted the large efforts, but cannot really know that)

  21. NumbStill says:

    @Julien –

    Not quite – ActiveX was too easy to hack (at least in its first several years). NPAPI never provided an easy mechanism of installing new plugins (as far as I know), while ActiveX has. That made it insecure and an abomination. Perhaps that has changed since then, but it was not always like that.

    Also, NPAPI are in the process of being deprecated as well. Anything that gives websites too much power is in the process of being deprecated, eventually.

    Browser add-ons are a bit similar to ActiveX, because you can actually install them pretty easily, but they also mostly have much less power and you must approve their installation with a scary warning if it adds an NPAPI plugin (at least in Chrome).

  22. rachel says:

    sigh.

    "And with EMET installed.."

    "..if you follow good security practices.."

    Also, if you unplug the ethernet cable …

    IE has only just decided to block out of date plugins/activex. In 2014.

    Also, the difference between ActiveX controls and NPAPI plugins is (dumbed down) an NPAPI plugin is to be manually installed on your system, from a known source. Where ActiveX controls aren't (quite) – the location of it is specified by the web page.

    They are not plug-ins. Plug-ins are plug-ins.

    People like YOU are the reason the rest of us still need to use IE for testing.

  23. rachel says:

    *(@Julien)

  24. rachel says:

    I want some huge google sticks in my crack

  25. Julien says:

    @Numbstill

    You're right about market share, but ChromeOS was hacked despite having less than 0.1% market share.

    As for EMET4/5 I've never heard about any attack in the wild (heard about PoC against EMET4 though), despite being used by more and more users/enterprises.

    About ActiveX controls, since XP SP2, IE no longer displays a window asking the user if he wants to install a control. Now the user has to manually click the information bar and select install. If you can convince someone to do that, you might as well ask him to download and run a .exe file. So there is nothing less secure in ActiveX than in NPAPI. Claiming ActiveX is an abomination is just nonsense. Enterprises still use them for perfectly legit reasons.

  26. MELERIX says:

    thank you Microsoft, this is a nice feature and will help people to keep part of their software updated.

  27. Julien says:

    @rachel

    Even just using IE11 in the default configuration is still safer than using Firefox.

    And using IE/Metro is safer than using Chrome (all plugins except Flash are blocked, and 64bit/EPM is enabled).

    But what I'm saying is that safety can be improved even more in a managed environment.

    As for ActiveX, it's as "difficult" to install one accidentally as to download/run a malicious .exe.

    Nowadays you're more likely to install a malicious Chrome/Firefox extension, because even some power users still believe it's safe to install extensions from little-known developers.

    Also, people like YOU are the reason the mobile web is broken. IE is now a great browser, and more and more people are admitting it. Stop being so clueless. The web != webkit.

  28. yesman says:

    Calm down, fanboy. It's only a browser. It's not as though it's merged in with the operating system.

    Oh…

  29. Dave says:

    This is great but…

    Does anyone still use IE?

    http://www.w3schools.com/…/browsers_stats.asp

  30. pike says:

    @Dave

    Yes, to download a decent browser

  31. rachel says:

    @Julien

    Once I too used to love everything that came from Microsoft. Give it a few years.. you'll stray and try some competing technology. Then you'll stop and think to yourself "why have I been accepting such mediocrity for so long?"

    We've all been there.

  32. anon says:

    @Dave, only about 60% of the world (about 50% if mobile Web market share is counted alongside PC Web market share).

    arstechnica.com/…/android-passes-ios-on-the-web-windows-8-still-plateaued

  33. Dave says:

    @anon, I guess it depends on which statistics you consider credible.  One company with a vested interest or 3 independent sources that all say IE usage is trending into non-existence.

    http://gs.statcounter.com/

    http://www.w3counter.com/globalstats.php

    http://www.w3schools.com/…/browsers_stats.asp

  34. anon says:

    @Dave, the statistics you linked to completely ignore non-Western market share so they're not representative of the worldwide situation.

  35. Dave says:

    @anon, That's not correct.  The first link goes to Worldwide statistics.  Even if you change the Region to Asia or Europe the trend shows the same as Worldwide.

    You can deny it all you want but the evidence points to a declining trend in IE usage.

  36. Jonathan Sampson [MSFT] says:

    @tour-of-Utah,

    I took a look at the url you provided in Internet Explorer and Chrome but failed to notice any differences between the two experiences. At your convenience, would you be able to email me (josamp[at]microsoft) additional details about what, specifically, I should be looking for? I look forward to hearing from you!

    Jonathan Sampson

    PM, Internet Explorer

  37. Ron says:

    Publish a public list of ActiveX controls that are blocked.  Let us block java for all sites except for 1 or 2 known ones.

  38. Rafal says:

    SO just as followup the admin templates are going to be upgrade for IE 9-11 ?

  39. Don says:

    I'm reading conflicting reports. Is this an actual PATCH that is coming down on Tuesday or will a feature that is already in IE be enabled on that day?

    If it's a true patch, can we get it early to test the new behavior in large environments?

    If it's just a feature that will be enabled, is there a way we can enable it early, again to test the new behavior in large environments?

    Thanks.

  40. anon says:

    @Dave, I'm not denying anything. The sources I quoted count actual users instead of website hits. Stop projecting your prejudice of IE on others.

  41. Chuck says:

    For those who use EMET. It needs to be fixed.

    bromiumlabs.files.wordpress.com/…/bypassing-emet-4-1.pdf

  42. Bruce S. says:

    Can IT people  block that UPDATE button in the warning at all if this is enabled?  The last thing I need are VP's insisting we need to upgrade when in reality we cannot because we have some important applications that will break (and have nearly zero control over fixing).

    I like the idea of putting in logging for the first month, adding the sites we need to Trusted Sites, and then turning this on.  But, if general web surfing generates calls to the Help Desk from angry users saying they want to upgrade Java then that is a big problem.

    Lastly I hope the logging feature is clear to setup on the back end, unlike the IE11 enterprise mode logging (which had near zero information available when it was first released)

  43. NumbStill says:

    @Julien –

    Chrome OS was indeed hacked and besides being very popular recently (top 10 selling notebooks in the last few years), Google was giving huge, huge prizes ($80,000, if I remember correctly, or some other ridiculous amount). People still want a lot of money. 🙂

    Regarding ActiveX, like I mentioned, in the first several years, it was an abomination. Since Windows XP SP 2, it was apparently improved (a much needed improvement), but before – it was a serious security issue and plagued lots of users.

    "And using IE/Metro is safer than using Chrome (all plugins except Flash are blocked, and 64bit/EPM is enabled)."

    I cannot agree with this statement.

    1. Chrome sandboxed Flash, while Internet Explorer does not (and Flash has had many security issues over the years and as far as I know, a lot of them remained unfixed for inappropriate periods of time).

    2. I believe Chrome blocks NPAPI plugins (not add-ons, though) in Metro as well. Plugins can ruin your computer, while extensions have much less of an attack vector.

    @Dave –

    The statistics of W3Schools are not indicative of normal usage, most of the people who use that website are developers and, well, developers generally prefer other browsers.

    @Don –

    It is an update that is delivered using Windows Update. As an administrator, you can prevent your users from getting this update using the normal methods, or delay getting this update.

  44. NumbStill says:

    @Bruce S. –

    Yes, using Group Policy, you can disable the feature altogether, or disable the ability to update (it will just be blocked and that is it). The post mentioned this.

  45. NumbStill says:

    @Ron –

    Look at the links mentioned in the post, you can get to the public list easily.

    Same regarding allowing ActiveX in certain websites – add them to the Trusted Sites.

  46. Dave says:

    @anon, Evidence != prejudice.  I'm not projecting anything.  I cited Worldwide statistics that can be easily verified.

    There's no point in me continuing this discussion with someone who can't comprehend the facts.

  47. Dave says:

    @NumbStill, granted, the W3Schools statistics are primarily developers, but that is more of a meaningful indicator than a disqualifier, seeing as how developers write code that attempts to run in browsers, so they are more informed than casual users.

    I also cited 2 other links that are more indicative of Worldwide usage.

  48. Bruce S. says:

    @NumbStill – thanks, but actually I find the article too vague regarding blocking.  There are screenshots here that show warnings, but not screenshots that show what blocking looks like, unless those screenshots are in fact what users will see when blocking (and they mention doing an update too).  I will not bank on anything written here until I have tested it myself.  If the block message tells users they need to upgrade then that is just as bad as giving them a button – they can still read and what they see is "I need an upgrade/My IT sucks"*.

    *what they should be thinking is Java sucks.  Why the developers over at Oracle cannot patch holes in Java without doing a complete program update breaking other apps is beyond me.  You never see MS release .Net security patches using wholesale program updates that break legacy apps (very rare, and not since 1.1/2.0 in my experience).  I am sure the language is wonderful but the JRE client is a bloody nightmare to deal with in a corporate environment.  Its installer has had issues for years on 64-bit systems and it has zero GPO integration, still using text files for configuration management etc. etc.  It is a complete heap of trash.  Something breaks every time you upgrade it, and it has had so many security problems they have to go to extreme lengths to force people into upgrading because they cannot fix it all at once and know darn well there will be more holes discovered after this Nth release.

  49. Bruce S. says:

    Earlier I commented on Java having issues installing on 64-bit systems.  This is the bug tracker for that problem, and you have to read their "customer work around" – it will take your breath away.  bugs.java.com/…/view_bug.do  

  50. Pete says:

    IE is becoming irrelevant. I only use it in a VM to test my site.

    In fact, I reckon that's what the majority of IE hits are – people constantly hitting F5 as they debug their pages in IE.

  51. Julien says:

    @NumbStill

    So if you agree that ActiveX support post XP SP2 is fine, why do people continue to say it should be killed because of some pre-XP SP2 behavior? That was 10 years ago, for God's sake!

    It's like saying that Firefox sucks because Netscape 6 sucked.

    About Chrome OS and EMET, in both cases the reward was $150 000. It's actually not that much. Complex exploits can be worth more than that. Anyway, while it doesn't prove much, it still shows that bypassing EMET 4 was not something trivial to do. Yes, there has been a PoC since then, but still no exploit in the wild.

    As for market share, even if Google claims it has sold a lot of ChromeBooks, strangely that is not reflected by actual market share in OS/browsers usage.

    As for Flash Player, actually every ActiveX control is sandboxed by default since Vista/IE7 (write blocked). So Flash Player is sandboxed in both Protected Mode and EPM, well before Chrome.

  52. dlh2009 says:

    Nice!!!

    I enjoy seeing these kinds of changes. Keep up the great work!

  53. EricT says:

    Interesting idea, similar to what Oracle is doing with old versions of the JRE. But — I did notice something related to Java. A lot of corporate customers are stuck on JRE 6 for whatever reason. The latest publicly available JRE 6 release on Oracle's website is JRE 6 Update 45 (http://www.oracle.com/…/java-archive-downloads-javase6-419409.html).

    According to your matrix, you are warning users about anything older than JRE 6 Update 81. Gaining access to any versions of JRE 6 newer than update 45 requires a support contract from Oracle — it's usually bundled with whatever Oracle product or middleware requires it. So, it sounds like the end users that this block is targeting will be prompted to upgrade to JRE 7 or 8, which may very well break (badly written corporate) applications. Any idea what large companies should be doing for a BYOD or home-worker style environment??

  54. partypooper says:

    Hey, fanboys: technet.microsoft.com/…/ms14-aug

    Good luck with IE over the weekend. Again.

  55. MadHarry says:

    Microsoft cannot even upgrade my browser to version 10. They should concentrate on fixing this rather than just stopping support.

    answers.microsoft.com/…/0bade040-76b3-429d-9eff-dc85afa74dc0

  56. Smita Carneiro says:

    I used the link to the Downloads page, but was only able to download the .admx file. Is there no corresponding .adml file?

  57. Sudhir says:

    We don't see the options for the four new policies in the ADM when imported. Are there any caveats to seeing these 4 new policies?

  58. PeterK says:

    The templates are not available yet: "Starting on August 12, you can also download updated Internet Explorer administrative templates ….". It would be better if this was available before the update.

    You can also make your own policy for the key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\VersionCheckEnabled"

  59. MS-Makes-people-cry says:

    Can we say .net only…….. Living in a ms world….

  60. DB says:

    OK, it's now August 8th, still no update to the documentation.

  61. cwew says:

    @DB I was just wondering that too. Came here to see if anyone had a link to just the changes. Nothing, I guess, so far.

  62. ranry says:

    Any compatibility issues with using per site ActiveX to block Java in the internet zone or should we remove that configuration before deploying this?

    blogs.msdn.com/…/controlling-java-in-internet-explorer.aspx

  63. cas says:

    The link :

    "Windows Server 2008 and up. Download the complete set of Internet Explorer administrative templates, which include the new settings, from here."

    doesn't link to the 2008 .admx files, but to the 2003 .adm files

  64. Afolabi Tofunmi says:

    Life without technology is like earth without human

  65. 127 says:

    New GPO incl. these new settings arrived:

    http://www.microsoft.com/…/details.aspx

  66. kevin says:

    Where are the settings in the GPO?

  67. RandomGuy says:

    It's just a browser, people. Take it easy.

  68. Rob Duncan says:

    Will local intranet servers be affected or not? The answer above doesn't make any sense: first they won't, then they will. Which is it?

    My enterprise has line-of-business web sites that depend on out-of-date Java ActiveX controls in the Intranet zone or Trusted Sites zone, will those be affected by this update?

    No, sites in the Intranet or Trusted Sites zone will continue to function as usual after applying this update. Intranet websites accessed through a fully qualified domain name or IP address are considered to be within the internet zone and will be affected by this update.

  69. udosj says:

    Meta X-UA-Compatible with requiresActiveX was introduced a while ago; could you please explain how this interoperates with your new changes?

    If you place requiresActiveX as part of the meta-tag http-equiv named X-UA-Compatible on top of your page and visit it with IE10+ in Modern mode, a toolbar is shown giving you the opportunity to change to IE in Desktop mode, loading the same page, hopefully with the embedded plugin.

    UX will be: a 'hey, this *works*, but after click' banner on the bottom of IE 10+ Metro mode, then *maybe* (in case it is outdated, in red colour; otherwise, imho, with an orange one inviting you to install) another toolbar asking you to download after another click, that is driving you to another one's website, forcing you to install software with at least two clicks before downloading a single byte of the binary. Sounds to me like a pain in the ass 😉

    Would like to hear, or test out, that the shown link/button directs the user straight to a download, instead of a click-through hell, which welcomes you early enough as Setup starts – guiding you via AskToolbar and "3 Billion Computers ruining Java".

  70. RJC says:

    You can find the new policy settings at "Windows Components/Internet Explorer/Security Features/Add-on Management"

  71. RJC says:

    Any idea where the local logs are kept for policy option "Turn on ActiveX Control logging in Internet Explorer"?

  72. Bruce S. says:

    I see we have an update here, with some more details…  the log will be stored locally on the PC?  So if I have 1000 PCs in the company and have no idea which Java applet people might be using, I have to use Procmon to figure out where this log file is, and then go grab it from the 1000 PCs and read them all.  Is there going to be a way to aggregate these, and maybe someone could let us know where this log file can be found?

  73. TZM says:

    We are running Windows 2012R2 (fully patched) domain controllers and 2012R2 domain functional level and I do not yet see the extra controls in Group Policy. Do I have to add something manually to my domain controllers or do I need to do something else?

    This page  http://www.microsoft.com/…/details.aspx   says they are already installed but I don't see them? Any help? thanks.

    Windows Server 2012 R2:  

    The Internet Explorer 11 Administrative Template files (inetres.admx and inetres.adml) are already installed.

  74. Glenn says:

    If you have multiple copies of Java installed, say, the latest version of 7 and an older version of 6, will this trigger the notification?  We're migrating away from 6, but until it's on every PC, we can't uninstall.

  75. IEFORDINNER says:

    @RJC, Bruce S: The logs are kept in "%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager".  You should just be able to copy them off to a share and run through them with a PowerShell script.  This is all documented in the article here: technet.microsoft.com/…/dn798785.aspx

    @TZM: As the blog post says, these are not officially live until 8/12, so what you are seeing hasn't yet been updated.  Stay tuned.

    @Glenn: Depends on which version of Java IE tries to load.  If it tries to load an outdated version you will get a prompt.  If it's the latest version then you won't get a prompt.

  76. UK Enterprise says:

    Numbstill,

    Fully aware of Enterprise Mode; it doesn't fix all compatibility issues, though it does fix most. We were already in flight with IE10 when IE11 was released, and the project funding for compatibility testing was already in flight. We can't suddenly deploy IE11 within a few days before this change went ahead. And Java is Java; most LARGE organisations have had trouble with getting MANY apps signed to work post Java 7 Update 51.

    This is the difference between the "ideal" world, where funding is always flowing and everyone does not have internal politics etc., and the "real" world, where in large organisations you can't always get things moving as quickly as you want, even if you pounce on it when it's released. The only thing that gets out quickly is security updates for the OS.

  77. Still Unclear says:

    First–delaying this from 8/12 until 9/9 is 28 days, not 30.

    Second–will this be enabled by another update released on 9/9 (Patch Tuesday) or will the patch released on 8/12 include date-triggered functionality?

  78. AxelRMSFT says:

    @TZM

    Here is a blog about How to manage the new "blocking out-of-date ActiveX controls" feature in IE

    blogs.msdn.com/…/how-to-manage-the-new-quot-blocking-out-of-date-activex-controls-quot-feature-in-ie.aspx

  79. Gommee says:

    What KB Article or bulletin # will this be pushed out in?

  80. Simple says:

    Well, the AuditMode doesn't work in IE9 on Windows 7 x86. Installed update KB2976627, registry key set to enable logging in both HKCU and HKLM, but no logfile was written to %LOCALAPPDATA%\Microsoft\Internet Explorer\AuditMode.

  81. Simple says:

    Found the solution: copy versionlist.xml from go.microsoft.com/fwlink to %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml. Now it's working. I was too fast; it takes a while before IE will download the first versionlist.xml.

  82. Corey says:

    What's the best way to test this today?  I have the update applied, the xml file copied over, and logging turned on.  I'm running Java 6.43.  Looking at the VersionAuditLog all the lines are showing "Version not in blocklist".  

  83. RL says:

    Installed KB2976627 on a Win7 computer with IE10. Checked the local group policies and the new policies do not exist.

    Installed KB2976627 on a Win7 computer with IE11 and the policies are there.   What's up with that?

  84. Smelly says:

    What Corey said…

    So we now know that logging will not function unless %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml has been copied to the user's profile.  So you have to wait for IE to download versionlist.xml or manually copy the file.

    But isn't logging worthless if it doesn't identify what will be in the blocklist?  All we will see is "Not in blocklist" or "Version not in blocklist" until Sept 9th?  This doesn't help us identify what will be blocked based on the latest versionlist.xml.

    So we are left with the criteria that old versions of Java will be blocked unless your site is in the Intranet or Trusted site zone.  That doesn't help us validate our configurations when the block list changes on sept 9th.  Even if I add non Intranet sites into the Trusted site zone I have no way of verifying this configuration.

    How about providing us with the versionlist.xml that will be used on Sept 9th so we can test and validate our Java-based web applications to actually see the behavior of out-of-date ActiveX blocking?  Otherwise logging doesn't help us prepare for what will be blocked in September.  Am I missing something here?

  85. Joseph.Harris says:

    I agree completely with what Smelly posted belo… While I can get AuditMode to work by copying "versionlist.xml" from the various locations provided, I cannot actually get IE to block any outdated versions of Java in my test environment.  I have tried editing the xml file with no success.  Pages requiring Java just hang with custom xml files.  Has anyone met with any success in either editing the versionlist.xml file, or successfully triggering a "block" event to test against?

  87. Alex Verboon says:

    For those looking for a PowerShell Script to get the log contents, here it is. http://www.verboon.info/…/powershell-script-to-retrieve-content-from-internet-explorer-activex-blocking-log

  88. IEFORDINNER says:

    Regarding getting the blocking working.  In the XML file change this line:

       <groupentry groupname="Java(TM)" fwdlink="go.microsoft.com/fwlink" latestgroup="1" />

    to this line:

       <groupentry groupname="Java(TM)" fwdlink="go.microsoft.com/fwlink" />

    That worked for me.

  89. Kent says:

    Two things.

    1. Why is inetres.admx & adml not applied with IE 8?  I see on my IE 11 systems that the new GPO template is there but not with IE 8.0.

    2. How do we test this beforehand if it is not enabled until Sept 8th.  I'm looking for the setting but it is not obvious.

  90. Corey says:

    Removing the "latestgroup = "1"" from the xml file didn't do anything for me.  We need a way to reliably test this on our environments.

  91. IEFORDINNER says:

    @Corey: Do not remove all the latestgroup = "1" from the XML.  Just remove latestgroup="1" attribute from that one line.  That should do the trick.  You can also set the following to make sure the file doesn't get updated after you made your change:

    reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /f

  92. ASR says:

    What rights or permissions are needed to see the ActiveX blocking notifications?  Would a standard user have these rights?  What about installing the updated control?

  93. Jim says:

    This is fantastic news - thanks for the information and strategy to help protect users from exploit kits.

  94. Alex verboon says:

    Question: how big is the log file going to be? I notice that my log contains several lines with the same value, so I wonder, if we enable this permanently, how much this file will grow. Is there any hard-coded limit where it starts overwriting?

    Just thinking out loud. Why was the same logging option not considered as exists for Enterprise Mode? I mean, with the log file stored locally in the user's profile, I end up building a process collecting these files for 15000 clients spread all over the world.

    Last but not least: if MS could set up a test page with older versions to ensure all works as expected, that would be great.

    Kind regards

    Alex
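An added PowerShell example (not from the blog post, from Microsoft, or from any commenter) that does what IEFORDINNER describes in comment 75 and what Bruce S. and Alex ask about in comments 72 and 94: pull each user's audit log from a list of PCs to a share, then summarise the collected files, collapsing the repeated identical lines Alex mentions. The log folder is the one given in the thread; the file name VersionAuditLog.txt, the administrative-share path to user profiles, and the sample log lines are assumptions constructed for the example, and nothing about the real line format is assumed beyond the "not in blocklist" wording quoted in the thread.

```powershell
# Added example, not code from the blog post or from Microsoft.
# Assumed: the audit log is %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\VersionAuditLog.txt
# (folder from the thread, file name assumed) and user profiles are reachable via \\PC\C$\Users.

$LogRelativePath = 'AppData\Local\Microsoft\Internet Explorer\VersionManager\VersionAuditLog.txt'

function Copy-ActiveXAuditLogs {
    # Copy every user's log on every PC to one share, one file per PC/user.
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $Destination    # e.g. \\fileserver\ieaudit$
    )
    foreach ($pc in $ComputerName) {
        $userDirs = Get-ChildItem -Path "\\$pc\C$\Users" -Directory -ErrorAction SilentlyContinue
        foreach ($userDir in $userDirs) {
            $src = Join-Path $userDir.FullName $LogRelativePath
            if (Test-Path -LiteralPath $src) {
                # Prefix with PC and user name so files from many machines do not collide
                $dst = Join-Path $Destination ('{0}_{1}_VersionAuditLog.txt' -f $pc, $userDir.Name)
                Copy-Item -LiteralPath $src -Destination $dst -Force
            }
        }
    }
}

function Get-ActiveXAuditSummary {
    # Read all collected logs, drop exact duplicate lines per source file, and count
    # "not in blocklist" lines versus everything else.
    param([Parameter(Mandatory)] [string] $LogFolder)

    $rows = Get-ChildItem -Path $LogFolder -Filter '*VersionAuditLog.txt' | ForEach-Object {
        $source = $_.BaseName
        Get-Content -LiteralPath $_.FullName |
            Where-Object { $_.Trim() -ne '' } |
            ForEach-Object { [pscustomobject]@{ Source = $source; Line = $_ } }
    }
    # The same control on the same page is logged again on every visit; dedupe first
    $unique = $rows | Sort-Object Source, Line -Unique
    $unique | Group-Object { if ($_.Line -match 'not in blocklist') { 'NotInBlocklist' } else { 'Other' } } |
        Select-Object Name, Count
}

# --- Offline demonstration on a CONSTRUCTED sample (not real IE log output) ---
$sampleDir = Join-Path $env:TEMP 'ieaudit-sample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@(
    'CONSTRUCTED 2014-08-20 Java(TM) 6.0.430 intranet.example Version not in blocklist'
    'CONSTRUCTED 2014-08-20 Java(TM) 6.0.430 intranet.example Version not in blocklist'
    'CONSTRUCTED 2014-08-21 SomeControl 1.0.0 example.test Not in blocklist'
) | Set-Content -LiteralPath (Join-Path $sampleDir 'PC01_alice_VersionAuditLog.txt')
@(
    'CONSTRUCTED 2014-08-21 Java(TM) 6.0.430 example.test <some other outcome>'
) | Set-Content -LiteralPath (Join-Path $sampleDir 'PC02_bob_VersionAuditLog.txt')

Get-ActiveXAuditSummary -LogFolder $sampleDir
```

For a real collection, run `Copy-ActiveXAuditLogs -ComputerName (Get-Content pcs.txt) -Destination '\\fileserver\ieaudit$'` from an account with admin-share access, then point `Get-ActiveXAuditSummary` at the share. Grouping only on the "not in blocklist" wording is deliberate: it is the one outcome string the thread confirms, so any other line shape ends up in "Other" for manual review rather than being misclassified.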

  95. Matt B says:

    I found this that describes the XML hacks required to get it into "blocking mode" a bit better (I have yet to actually test it though):

    permalink.gmane.org/…/6937

    Reaching out to our TAM for guidance/clarification because this is a bit ridiculous.

    The best idea for handling this that I have as of now is:

    • Disable it completely via GPO so things do not break on 9/9 when I assume a new XML will be released

    • Enable Logging via GPO

    • Start testing on 9/9 when Microsoft has released a functional XML (Provide a GPO Override or something)

    • Enable it via GPO after proper testing

  96. IEFORDINNER says:

    Make sure to only remove the first occurrence of latestgroup="1" not all of them.  If you remove all of them IE will block the latest version of Java also not just the out of date version.
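An added PowerShell example (not from the blog post, from Microsoft, or from any commenter) that applies the lab-test procedure pieced together in comments 81, 88, 91 and 96: strip `latestgroup="1"` from only the first Java(TM) group entry, keep a backup, and set DownloadVersionList to 0 so IE does not replace the edited file. The file location and the registry value are taken from the thread; the root element and the LinkId in the constructed sample file are placeholders, and nothing else about the real versionlist.xml structure is assumed.

```powershell
# Added example, not code from the blog post or from Microsoft.
# Lab-only preparation for exercising the block before 9/9, following the thread:
#   1. remove latestgroup="1" from the FIRST Java(TM) <groupentry> only
#      (comment 96: removing every occurrence also blocks the current Java version);
#   2. set DownloadVersionList=0 so IE does not overwrite the edited file.
# The file location and registry value are from the thread; nothing else about
# the file's structure (root element, other attributes) is assumed.

$VersionList = Join-Path $env:LOCALAPPDATA 'Microsoft\Internet Explorer\VersionManager\versionlist.xml'

function Remove-FirstLatestGroupFlag {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $GroupName = 'Java(TM)'
    )
    [xml] $doc = Get-Content -LiteralPath $Path -Raw
    # local-name() keeps the XPath working whether or not the file declares a namespace
    $entries = $doc.SelectNodes("//*[local-name()='groupentry' and @groupname='$GroupName']")
    $flagged = @($entries | Where-Object { $_.HasAttribute('latestgroup') })
    if ($flagged.Count -eq 0) {
        throw "No <groupentry groupname=`"$GroupName`"> with a latestgroup attribute in $Path"
    }
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep the original for restore
    $flagged[0].RemoveAttribute('latestgroup')                     # first occurrence only
    $doc.Save($Path)
    return $flagged[0].OuterXml
}

function Disable-VersionListDownload {
    # Same effect as the reg add command in comment 91, via the registry provider
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\VersionManager'
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name DownloadVersionList -PropertyType DWord -Value 0 -Force | Out-Null
}

# --- Dry run on a CONSTRUCTED file (root element and LinkId are placeholders) ---
$sample = Join-Path $env:TEMP 'versionlist-sample.xml'
@'
<?xml version="1.0" encoding="utf-8"?>
<versionlist>
  <groupentry groupname="Java(TM)" fwdlink="http://go.microsoft.com/fwlink/?LinkId=PLACEHOLDER" latestgroup="1" />
  <groupentry groupname="Java(TM)" fwdlink="http://go.microsoft.com/fwlink/?LinkId=PLACEHOLDER" />
</versionlist>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8
Remove-FirstLatestGroupFlag -Path $sample    # outputs the first entry, now without latestgroup

# On the lab PC itself, run against the real file and pin it:
# Remove-FirstLatestGroupFlag -Path $VersionList
# Disable-VersionListDownload
```

Editing through the XML DOM instead of a text replace is what enforces the "first occurrence only" rule from comment 96, and the `.bak` copy plus the pinned download let the test machine be returned to normal by restoring the file and deleting the DWORD once testing is done.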

  97. AxelRMSFT says:

    Please note that updated testing guidance is now available on support.microsoft.com/…/2991000 under the section Testing the out-of-date ActiveX controls feature.

  98. Nitesh Khandelwal says:

    Yes, sir !! I totally agree with you, the changes made in Internet Explorer are so interesting and provide better security to IE. Because it is the part of JAVA, so learning of those changes training (http://www.sagacademy.com/java-development-training-jaipur) is also required.

  99. jabulani siboniso says:

    Hi ilove u someone and u2w

  100. Amarjeet Singh Fazailpuri Advocate,Ambala City,Haryana,India says:

    Hi, everyone wants security in life. Security cover is necessary. Your institution is caring.

  101. Lau says:

    Hi, can anyone find the new policy with IE 9 on Windows 7 x64? I have installed the update but found nothing, even though I have added the Administrative Templates.

  102. Kirsty says:

    Hi, what will be the update reference please? So that we can block it through group policy.  We use a system that only works with Java 6.  Thank you.

  103. Jan says:

    Hi, can anyone find the new policy with IE 9 on Windows 7 x64? Thank you.

  104. Delores Duffie says:

    I can load some games on Club Pogo but a lot of them I cannot load.

  105. marlene smith says:

    We are having trouble loading up the couponing sites just to get coupons printed out.

  106. lau # says:

    Well a thank u?

  107. palle kruse says:

    Can someone tell me how I fix an error code 1638 in Java?

  108. filip says:

    That game is really good; I recommend it to young players and old players alike.

  109. mmdo7 says:

    343434343fdsddfdre43

  110. pedro says:

    This is cool.

  111. pasta ph says:

    This doesn't work.

  112. kameli005 says:

    ok

  113. kameli005 says:

    ok ok ok

  114. rassaman says:

    koogle woonthan publicokootis?