Internet Explorer begins blocking out-of-date ActiveX controls

As part of our ongoing commitment to delivering a more secure browser, starting September 9th Internet Explorer will block out-of-date ActiveX controls. Note: The original post stated that the ActiveX blocking would begin on August 12th. Please refer to the addendum for further details.

ActiveX controls are small apps that let Web sites provide content, like videos and games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious or compromised Web pages can target security flaws in outdated controls to collect information, install dangerous software, or let someone else control your computer remotely.

For example, according to the latest Microsoft Security Intelligence Report, Java exploits represented 84.6% to 98.5% of exploit kit-related detections each month in 2013. These vulnerabilities may have been fixed in recent versions, but users may not know to upgrade. To help avoid this situation with ActiveX controls, an update to Internet Explorer on August 12, 2014 will introduce a new security feature, called out-of-date ActiveX control blocking.

Out-of-date ActiveX control blocking lets you:

  • Know when Internet Explorer prevents a Web page from loading common, but outdated, ActiveX controls.
  • Interact with other parts of the Web page that aren’t affected by the outdated control.
  • Update the outdated control, so that it’s up-to-date and safer to use.
  • Inventory the ActiveX controls your organization is using.

We wanted to share some guidance ahead of next week’s update, to help you understand this feature and decide the best course of action. If you are an end user and see the notification bar, we suggest updating to the latest version. If you are an IT Pro, you can decide how to implement this feature.

Supported Configurations

The out-of-date ActiveX control blocking feature works with:

  • Internet Explorer 8 through Internet Explorer 11 on Windows 7 SP1 and up
  • Internet Explorer 8 through Internet Explorer 11 on Windows Server 2008 R2 SP1 and up
  • All Security Zones—such as the Internet Zone—but not the Local Intranet Zone and the Trusted Sites Zone

This feature does not warn about or block ActiveX controls in the Local Intranet Zone or Trusted Sites Zone.

What does the out-of-date ActiveX control blocking notification look like?

It is important to note that, by default, this feature warns users, with options to update the control or override the warning. When Internet Explorer blocks an outdated ActiveX control, you will see a notification bar similar to this, depending on your version of Internet Explorer:

Prompt telling user that the page has loaded an out of date ActiveX control in Internet Explorer 9-11.
Internet Explorer 9 through Internet Explorer 11

Prompt telling user that the page has loaded an out of date ActiveX control in Internet Explorer 8.
Internet Explorer 8

From the notification about the outdated ActiveX control, clicking “update” will take you to the control’s Web site to download its latest version. Optionally, in managed environments, IT can configure the feature to block—and not just warn—a user from running out-of-date ActiveX controls.

Out-of-date ActiveX control blocking also gives you a security warning that tells you if a Web page tries to launch specific outdated apps, outside of Internet Explorer.

How does Internet Explorer decide which ActiveX controls to block?

Internet Explorer uses a Microsoft-hosted file, versionlist.xml, to determine whether an ActiveX control should be stopped from loading. This file is updated with newly-discovered out-of-date ActiveX controls, which Internet Explorer automatically downloads to your local copy of the file. We are initially flagging older versions of Java, but over time will add other outdated ActiveX controls to the list.

As of September 9, 2014, this feature will provide users with notifications when Web pages try to load the following versions of Java ActiveX controls:

  • J2SE 1.4, everything below (but not including) update 43
  • J2SE 5.0, everything below (but not including) update 71
  • Java SE 6, everything below (but not including) update 81
  • Java SE 7, everything below (but not including) update 65
  • Java SE 8, everything below (but not including) update 11
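
As an added example (not part of the original post and not Microsoft's code), the PowerShell below applies the thresholds listed above to Java version strings from a software inventory, to show which installations would trigger the notification. It assumes versions are recorded in the 1.<family>.<minor>_<update> form; the function name and sample values are hypothetical, and Internet Explorer itself decides from versionlist.xml, not from this table.

```powershell
# Thresholds listed in the post (as of September 9, 2014).
# Key = Java family as written in a version string (J2SE 5.0 = 1.5, Java SE 6 = 1.6, ...);
# value = first update that is NOT flagged.
$FirstAllowedUpdate = @{ '1.4' = 43; '1.5' = 71; '1.6' = 81; '1.7' = 65; '1.8' = 11 }

# Hypothetical helper: classify one Java version string against the table above.
function Get-JavaBlockStatus {
    param([Parameter(Mandatory = $true)][string]$Version)

    # Assumed format: 1.<family>.<minor>_<update>, for example 1.7.0_55.
    # Anything else (or a family the post does not list) is reported, not guessed.
    if ($Version -notmatch '^(1\.[4-8])\.\d+(?:_(\d+))?') {
        return [pscustomobject]@{ Version = $Version; Status = 'Unrecognized'; FirstAllowed = $null }
    }

    $family = $Matches[1]
    # A version string with no "_<update>" suffix is treated as update 0.
    $update = if ($null -ne $Matches[2]) { [int]$Matches[2] } else { 0 }
    $min    = $FirstAllowedUpdate[$family]

    # "Everything below (but not including)" the listed update is flagged.
    $status = if ($update -lt $min) { 'Flagged' } else { 'Not flagged' }
    [pscustomobject]@{ Version = $Version; Status = $status; FirstAllowed = $min }
}

# Constructed inventory values for illustration; not taken from the post.
'1.7.0_55', '1.7.0_65', '1.6.0_45', '1.8.0_11', '1.4.2_19', '1.5.0', '9.0.1' |
    ForEach-Object { Get-JavaBlockStatus -Version $_ } |
    Format-Table -AutoSize
```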

You can view Microsoft’s complete list of out-of-date ActiveX controls at Internet Explorer version list.

Out-of-date ActiveX control blocking for managed environments

Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and Trusted Sites Zone, to help ensure that intranet Web sites and trusted line-of-business apps can continue to use ActiveX controls without disruption. Some customers may want more granular control over how this feature works on managed systems. IT Pros may want to turn on ActiveX control logging, enforce blocking, allow select domains to use out-of-date ActiveX controls, or—although it is not recommended—disable the feature altogether. For enterprise readiness guidance, please refer to Microsoft Knowledge Base Article 2991000.

To support these scenarios, Internet Explorer includes four new Group Policy settings that you can use to manage out-of-date ActiveX control blocking.

  • Logging can tell you what ActiveX controls will be allowed or flagged for warning or blocking, and for what reason. Creating an inventory of ActiveX controls can also show which ActiveX controls are compatible with Enhanced Protected Mode (EPM), an Internet Explorer 11 security feature which provides additional protection against browser exploits. Not all ActiveX controls are compatible with EPM, so this feature can help assess your organization’s readiness for blocking out-of-date ActiveX controls and enabling EPM. This Group Policy is “Turn on ActiveX control logging in Internet Explorer,” and can be used separately or in conjunction with the other three policies.
  • Enforced blocking prevents users from overriding the warning for out-of-date ActiveX controls. Users will not see the “Run this time” button. This Group Policy is “Remove Run this time button for outdated ActiveX controls in Internet Explorer.”
  • You can specify domains for which Internet Explorer will not block or warn about outdated ActiveX controls. This policy is “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” and includes a list of top level domains, host names, or files.
  • This feature can be turned off by using the policy “Turn off blocking of outdated ActiveX controls for Internet Explorer.” This might be used temporarily in combination with logging, to assess ActiveX controls before re-enabling the feature. Like all four policies, this can also be set with a registry key: in this case, a REG_DWORD “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\VersionCheckEnabled” with a value of zero.

Please see the complete technical documentation here. You can also download updated Internet Explorer administrative templates, including these new settings, from the Administrative Templates for Internet Explorer page.

Stay up-to-date with Internet Explorer

We know that many organizations still rely on the capabilities of ActiveX controls, but out-of-date ActiveX controls are a risk today. By helping consumers stay up-to-date—and enabling IT to better manage ActiveX controls, including those that are compatible with Enhanced Protected Mode—Microsoft is helping customers stay safer online. This is another example of delivering on the promise to help get users current with a safer, more secure Internet Explorer.

Finally, thank you to the Java engineering team for partnering with us on delivering this feature. This partnership shows that the Java and IE goals are the same regarding keeping users up-to-date and secure!

Addendum - 8/10/14

We have received several questions about this update, and would like to clarify these as well as make a quick announcement.

Based on customer feedback, we have decided to wait thirty days before blocking any out-of-date ActiveX controls. Customers can use the new logging feature to assess ActiveX controls in their environment and deploy Group Policies to enforce blocking, turn off blocking ActiveX controls for specific domains, or turn off the feature entirely depending on their needs. The feature and related Group Policies will still be available on August 12, but no out-of-date ActiveX controls will be blocked until Tuesday, September 9th. Microsoft will continue to create a more secure browser, and we encourage all customers to upgrade and stay up-to-date with the latest Internet Explorer and updates.

Below, please find the answers to some frequently asked questions about this update.

FAQ

Which outdated ActiveX controls are covered in this update?

No ActiveX controls will be affected when the feature is initially released in August. In September, only out-of-date Oracle Java ActiveX controls will be affected. All other ActiveX controls will continue existing behavior.

Will this update affect applications which use out-of-date Java outside of Internet Explorer?

No. This feature will only prompt the user when an out-of-date version of Java is loaded as an ActiveX control in Internet Explorer.

Will this update apply to Internet Explorer on server as well as client SKUs?

Yes.

Will this feature be part of the August Cumulative Update or be released as a separate Hotfix?

This feature will be part of the August Internet Explorer Cumulative Security Update, but no out-of-date ActiveX controls will be blocked for thirty days in order to give customers time to test and manage their environments.

Does this feature help protect against active attacks targeting outdated Java controls?

Yes, installing the most current version of the Java runtime significantly improves user security. Additional details on specific CVEs are outlined on the Microsoft Security Blog – “Keeping Oracle Java updated continues to be high security ROI” and in the Microsoft Security Intelligence Report.

Can end users choose to override the prompt if a trusted application requires out-of-date Java use?

Yes, users can choose the “Run this time” option for internet sites requiring out-of-date ActiveX control use.

My enterprise has line-of-business web sites that depend on out-of-date Java ActiveX controls in the Intranet zone or Trusted Sites zone. Will those be affected by this update?

No, sites in the Intranet or Trusted Sites zone will continue to function as usual after applying this update. Intranet websites accessed through a fully-qualified domain name or IP address are considered to be within the Internet zone and will be affected by this update. Please see the following knowledge base article for a full discussion and suggested workarounds. In addition, it should be noted that no out-of-date ActiveX controls will be affected for thirty days, in order to give customers time to test and manage their environments.

My enterprise has line-of-business web sites that depend on out-of-date Java ActiveX controls in the Internet zone. Will they be affected?

Out-of-date Java ActiveX controls will not be initially affected, giving customers thirty days to test and manage their environments. After September 9, when end users attempt to load the out-of-date Java ActiveX control, a prompt will be shown to the user (as described earlier in the post). The end user will be able to click the “Run this time” option to load the out-of-date Java ActiveX control. Once loaded, the out-of-date Java ActiveX control will work as usual.

Can this feature be disabled if my enterprise requires an older version of the Java runtime?

Yes, there are several ways to disable this feature. Microsoft provides updated IE group policy administrative templates which include 4 new group policies to control this feature*. Two of these group policies can be used to disable this feature on a per domain basis or entirely.

If you do not wish to use the group policy administrative templates to disable the feature, you can use the following registry keys that can be set via group policy (the process is described in more detail here and here). All keys can be set in HKLM or HKCU (HKLM will take preference over HKCU).

Policy: Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains
Registry setting: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\Domain" /v contoso.com /t REG_SZ /f

Policy: Turn off blocking of outdated ActiveX controls for Internet Explorer
Registry setting: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v VersionCheckEnabled /t REG_DWORD /d 0 /f

If none of the above options work, the address of the site which needs to use an out-of-date Java ActiveX control can be added to the Trusted Sites zone.

Can this feature be disabled without administrative access?

Yes. This can be done by deleting any previously downloaded versionlist.xml files and instructing IE to stop updating the XML file. This can be done by running the following commands in a command window:

  1.  reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /f

  2.  del "%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml"
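
Because these settings can be changed per user, an administrator may want to check whether the feature has been weakened on a given machine. The PowerShell below is an added example (not part of the original post and not Microsoft's code) that reports the state of the registry values and the versionlist.xml file named in this FAQ, reading HKLM before HKCU for the policy value as the post describes. The function name is hypothetical; it assumes PowerShell 3.0 or later and inspects the HKCU hive of the user running it.

```powershell
# Added example; registry paths and value names are those quoted in the post.
# Get-ActiveXBlockingAudit is a hypothetical name. Requires PowerShell 3.0+.
function Get-ActiveXBlockingAudit {
    $ext     = 'Software\Microsoft\Windows\CurrentVersion\Policies\Ext'
    $results = @()

    # VersionCheckEnabled = 0 turns the feature off. HKLM is read first
    # because the post says HKLM takes preference over HKCU.
    $where = 'n/a'
    $state = 'Not configured'
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = '{0}:\{1}' -f $hive, $ext
        $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -ne $p -and $null -ne $p.VersionCheckEnabled) {
            $where = $key
            $state = if ($p.VersionCheckEnabled -eq 0) { 'DISABLED' } else { 'Enabled' }
            break
        }
    }
    $results += [pscustomobject]@{ Check = 'VersionCheckEnabled'; Location = $where; State = $state }

    # Domains exempted from blocking are value names under ...\Ext\Domain.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key  = '{0}:\{1}\Domain' -f $hive, $ext
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $results += [pscustomobject]@{ Check = 'Exempt domain'; Location = $key; State = $name }
        }
    }

    # Per-user setting that needs no administrative access:
    # DownloadVersionList = 0 stops updates of the block list.
    $vmKey = 'HKCU:\Software\Microsoft\Internet Explorer\VersionManager'
    $vm    = Get-ItemProperty -Path $vmKey -ErrorAction SilentlyContinue
    $dl    = if ($null -ne $vm -and $vm.DownloadVersionList -eq 0) { 'DISABLED' } else { 'Not disabled' }
    $results += [pscustomobject]@{ Check = 'DownloadVersionList'; Location = $vmKey; State = $dl }

    # The post says the feature becomes enabled once this file is downloaded.
    $list = Join-Path $env:LOCALAPPDATA 'Microsoft\Internet Explorer\VersionManager\versionlist.xml'
    $file = if (Test-Path -LiteralPath $list) { 'Present' } else { 'MISSING' }
    $results += [pscustomobject]@{ Check = 'versionlist.xml'; Location = $list; State = $file }

    $results
}

Get-ActiveXBlockingAudit | Format-Table -AutoSize
```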
    

How does Internet Explorer obtain, update and use the versionlist.xml file?

Supported versions of Internet Explorer will download the initial version of the versionlist.xml file within 12 hours of installing the August Cumulative Update and starting Internet Explorer. The versionlist.xml file will be downloaded from here to: %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml.

Once the file is downloaded the feature will become enabled and Internet Explorer will start blocking out-of-date Java ActiveX controls in accordance with the data present in the versionlist.xml file. Internet Explorer will then check for updates to this file on a regular cadence. If Microsoft updates the file, Internet Explorer will download a new version of this file. Note that the file will not block out-of-date ActiveX controls for the first thirty days, to give customers time to test and manage their environments.

Can an enterprise disable or override the URL to which a user is taken when the Update button is clicked on the out-of-date ActiveX prompt?

The URL that the user is taken to when the Update button is clicked is stored in the versionlist.xml file. While this URL can be changed in the file, any future updates to the versionlist.xml will override those changes.

Is out-of-date Java the only ActiveX control being blocked by this feature in September?

In September, yes, only out-of-date Oracle Java ActiveX controls will be blocked by this feature. However, Internet Explorer will consider blocking additional common, but out-of-date ActiveX controls in future updates.

*Where can I find additional documentation about this feature and the group policy administrative templates?

Additional TechNet documentation and the group policy administrative templates will be available on TechNet and Download Center respectively on 8/12.

— Fred Pullen, Senior Product Manager, Internet Explorer

— Jasika Bawa, Program Manager, Security