October 2014 updates and a preview of changes to out-of-date ActiveX control blocking

This post describes the October updates for Internet Explorer that we are releasing today and provides a preview of updates to out-of-date ActiveX control blocking coming in November 2014.

October Updates

Microsoft Security Bulletin MS14-056 - This critical security update resolves one publicly disclosed vulnerability and fourteen privately reported vulnerabilities in Internet Explorer.  For more information see the full bulletin.

Security Update for Flash Player (3001237) - This security update for Adobe Flash Player in Internet Explorer 10 and 11 on supported editions of Windows 8, Windows 8.1 and Windows Server 2012 and Windows Server 2012 R2 is also available. The details of the vulnerabilities are documented in Adobe security bulletin APSB11-22. This update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash binaries contained within Internet Explorer 10 and Internet Explorer 11. For more information, see the advisory.

Updates to out-of-date ActiveX control blocking coming in November

As we shared back in September, and as part of our ongoing commitment to delivering a more secure browser, we want to help you stay up-to-date with the latest versions of popularly installed ActiveX controls. Today, we’d like to share two exciting updates to the out-of-date ActiveX control blocking feature: updates to our supported operating system and browser combinations and out-of-date Silverlight blocking.

Out-of-date ActiveX control blocking on Windows Vista SP2 and Windows Server 2008 SP2

Beginning January 12, 2016, we’re going to support the following operating system and browser combinations (for more info, see this announcement):

Windows operating system Internet Explorer version
Windows Vista SP2 Internet Explorer 9
Windows Server 2008 SP2 Internet Explorer 9
Windows 7 SP1 Internet Explorer 11
Windows Server 2008 R2 SP1 Internet Explorer 11
Windows 8.1 Internet Explorer 11
Windows Server 2012 Internet Explorer 10
Windows Server 2012 R2 Internet Explorer 11

Right now, the out-of-date ActiveX control blocking feature works on all of these combinations except Windows Vista SP2 and Windows Server 2008 SP2 with Internet Explorer 9. Support for these combinations is expected to start on November 11, 2014.

Out-of-date Silverlight blocking

Starting on November 11, 2014, we’re expanding the out-of-date ActiveX control blocking feature to block outdated versions of Silverlight. This update notifies you when a Web page tries to load a Silverlight ActiveX control older than (but not including) Silverlight 5.1.30514.0.

You can continue to view the complete list of out-of-date ActiveX controls being blocked by this feature here.

Enterprise testing for out-of-date Silverlight ActiveX control blocking

Remember, out-of-date ActiveX controls aren’t blocked in the Local Intranet Zone or the Trusted Sites Zone, so your intranet sites and trusted line-of-business apps should continue to use ActiveX controls without any disruption.

If you want to see what happens when an employee goes to a Web page with an out-of-date Silverlight ActiveX control after November 11, 2014, you can run this test.

  • On a test computer, install the most recent cumulative update for Internet Explorer.

  • Open a command prompt and run this command to stop downloading updated versions of the versionlist.xml file:

     reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList 
    /t REG_DWORD /d 0 /f
    

    Important:

  • After you’re done testing, delete this registry key. If you don’t, this computer will stop receiving the updated VersionList.xml file with all of the out-of-date ActiveX controls. Because of this, we don’t recommend setting this registry key in your production environment.

  • Copy the test versionlist-TEST.xml file from here to

     %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\
    
  • Rename this file to versionlist.xml. Make sure you agree to overwrite any existing file.Important:here

  • After you’re done testing, replace this file with its production version from

  • . We don’t recommend manually changing the versionlist.xml file in your production environment.

  • Restart Internet Explorer.

You’ll now get an out-of-date ActiveX control blocking notice when a Web site tries to load an outdated Silverlight ActiveX control.

Out-of-date Silverlight blocking prompt

If you need more time to minimize your reliance on outdated Silverlight controls, see the Out-of-date ActiveX control blocking on managed devices section of the Out-of-date ActiveX control blocking topic.

Additional resources

— Cassie Condon, Senior Program Manager, Internet Explorer

— Jasika Bawa, Program Manager, Internet Explorer