As part of our to delivering a more secure browser, starting September 9th Internet Explorer will block out-of-date ActiveX controls. Note: The original post stated that the ActiveX blocking would begin on August 12th. Please refer to the addendum for further details. ActiveX controls are small apps that let Web sites provide content, like videos and games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious or compromised Web pages can target security flaws in outdated controls to collect information, install dangerous software, or let someone else control your computer remotely. For example, according to the latest, Java exploits represented 84.6% to 98.5% of exploit kit-related detections each month in 2013.
These vulnerabilities may have been fixed in recent versions, but users may not know to upgrade. To help avoid this situation with ActiveX controls, an update to Internet Explorer on August 12, 2014 will introduce a new security feature, called out-of-date ActiveX control blocking.
Out-of-date ActiveX control blocking lets you:
• Know when Internet Explorer prevents a Web page from loading common, but outdated, ActiveX controls.
• Interact with other parts of the Web page that aren’t affected by the outdated control.
• Update the outdated control, so that it’s up-to-date and safer to use.
• Inventory the ActiveX controls your organization is using.
We wanted to share some guidance ahead of next week’s update, to help you understand this feature and decide the best course of action.
If you are an end user and see the notification bar, we suggest updating to the latest version. If you are an IT Pro, you can decide how to implement this feature.
Supported Configurations
The out-of-date ActiveX control blocking feature works with:
• Internet Explorer 8 through Internet Explorer 11 on Windows 7 SP1 and up
• Internet Explorer 8 through Internet Explorer 11 on Windows Server 2008 R2 SP1 and up
• All —such as the Internet Zone—but not the Local Intranet Zone and the Trusted Sites Zone
This feature does not warn about or block ActiveX controls in the Local Intranet Zone or Trusted Sites Zone.
What does the out-of-date ActiveX control blocking notification look like?
It is important to note that, by default, this feature warns users, with options to update the control or override the warning. When Internet Explorer blocks an outdated ActiveX control, you will see a notification bar similar to this, depending on your version of Internet Explorer:
[Screenshot: notification bar in Internet Explorer 9 through Internet Explorer 11]
[Screenshot: notification bar in Internet Explorer 8]
From the notification about the outdated ActiveX control, clicking “update” will take you to the control’s Web site to download its latest version. Optionally, in managed environments, IT can configure the feature to block—and not just warn—a user from running out-of-date ActiveX controls. Out-of-date ActiveX control blocking also gives you a security warning that tells you if a Web page tries to launch specific outdated apps, outside of Internet Explorer:
[Screenshot: security warning for an outdated app launched outside Internet Explorer]
How does Internet Explorer decide which ActiveX controls to block?
Internet Explorer uses a Microsoft-hosted file, versionlist.xml, to determine whether an ActiveX control should be stopped from loading. This file is updated with newly-discovered out-of-date ActiveX controls, which Internet Explorer automatically downloads to your local copy of the file. We are initially flagging older versions of Java, but over time will add other outdated ActiveX controls to the list. As of September 9, 2014, this feature will provide users with notifications when Web pages try to load the following versions of Java ActiveX controls:
• J2SE 1.4, everything below (but not including) update 43
• J2SE 5.0, everything below (but not including) update 71
• Java SE 6, everything below (but not including) update 81
• Java SE 7, everything below (but not including) update 65
• Java SE 8, everything below (but not including) update 11
You can view Microsoft’s complete list of out-of-date ActiveX controls.
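As an added example (not code from the original post, and not how versionlist.xml itself is evaluated), the following PowerShell applies the five Java thresholds listed above to version strings from an inventory, accepting both the "1.7.0_65" form reported by java -version and the "7u65" form; the function names and the sample inventory are the author's own.

```powershell
# Added example, not part of the original post or of versionlist.xml.
# Thresholds from the post: a control is flagged when its update number is
# below the listed one for its family. Families not listed are not flagged.
$JavaThresholds = @{ 4 = 43; 5 = 71; 6 = 81; 7 = 65; 8 = 11 }

function ConvertTo-JavaFamilyUpdate {
    param([Parameter(Mandatory)][string]$Version)
    # Accepts "1.6.0_45", "1.4.2_42", "1.8.0" (treated as update 0) and "7u65".
    # Returns a hashtable with Family and Update, or $null if unrecognised
    # (for example the "9.0.1" scheme used by later Java releases).
    if ($Version -match '^1\.(\d)(?:\.\d+)?(?:_(\d+))?$') {
        $update = if ($Matches[2]) { [int]$Matches[2] } else { 0 }
        return @{ Family = [int]$Matches[1]; Update = $update }
    }
    if ($Version -match '^(\d)u(\d+)$') {
        return @{ Family = [int]$Matches[1]; Update = [int]$Matches[2] }
    }
    return $null
}

function Test-OutdatedJavaControl {
    param([Parameter(Mandatory)][string]$Version)
    $parsed = ConvertTo-JavaFamilyUpdate -Version $Version
    if ($null -eq $parsed) {
        return [pscustomobject]@{ Version = $Version; Flagged = $null; Reason = 'unrecognised version string' }
    }
    $family = $parsed.Family
    if (-not $JavaThresholds.ContainsKey($family)) {
        return [pscustomobject]@{ Version = $Version; Flagged = $false; Reason = "family $family is not on the list" }
    }
    $minimum = $JavaThresholds[$family]
    $flagged = $parsed.Update -lt $minimum
    $reason  = if ($flagged) { "update $($parsed.Update) is below $minimum" } else { "update $($parsed.Update) meets $minimum" }
    return [pscustomobject]@{ Version = $Version; Flagged = $flagged; Reason = $reason }
}

# Constructed sample inventory (not real data) covering each family, the
# boundary update for Java 8, and an unrecognised string. In practice, feed in
# the versions gathered through the ActiveX control logging described later.
$sampleInventory = '1.4.2_42', '1.5.0_71', '1.6.0_45', '7u65', '1.8.0_05', '1.8.0_11', '9.0.1'
$sampleInventory | ForEach-Object { Test-OutdatedJavaControl -Version $_ } | Format-Table -AutoSize
```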
Out-of-date ActiveX control blocking for managed environments
Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and Trusted Sites Zone, to help ensure that intranet Web sites and trusted line-of-business apps can continue to use ActiveX controls without disruption. Some customers may want more granular control over how this feature works on managed systems.
IT Pros may want to turn on ActiveX control logging, enforce blocking, allow select domains to use out-of-date ActiveX controls, or—although it is not recommended—disable the feature altogether. For enterprise readiness guidance, please refer to. To support these scenarios, Internet Explorer includes four new Group Policy settings that you can use to manage out-of-date ActiveX control blocking.
• Logging can tell you what ActiveX controls will be allowed or flagged for warning or blocking, and for what reason. Creating an inventory of ActiveX controls can also show which ActiveX controls are compatible with Enhanced Protected Mode, an Internet Explorer 11 security feature which provides additional protection against browser exploits—but not all ActiveX controls are compatible with EPM, so this feature can help assess your organization’s readiness for blocking out-of-date ActiveX controls and enabling EPM. This Group Policy is “Turn on ActiveX control logging in Internet Explorer,” and can be used separately or in conjunction with the other three policies.
• Enforced blocking prevents users from overriding the warning for out-of-date ActiveX controls. Users will not see the “Run this time” button. This Group Policy is “Remove Run this time button for outdated ActiveX controls in Internet Explorer.”
• Selected domains can be managed for which Internet Explorer will not block or warn about outdated ActiveX controls. This policy is “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” and includes a list of top level domains, host names, or files.
• This feature can be turned off by using the policy “Turn off blocking of outdated ActiveX controls for Internet Explorer.” This might be used temporarily in combination with logging, to assess ActiveX controls before re-enabling the feature. This can also be enabled, like all four policies, with a registry key—in this case, a REG_DWORD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\VersionCheckEnabled" with a value of zero.
Please see the complete technical documentation.
You can also download updated Internet Explorer administrative templates, including these new settings, from the page.
Stay up-to-date with Internet Explorer
We know that many organizations still rely on the capabilities of ActiveX controls, but out-of-date ActiveX controls are a risk today. By helping consumers stay up-to-date—and enabling IT to better manage ActiveX controls, including those that are compatible with Enhanced Protected Mode—Microsoft is helping customers stay safer online. This is another example of to help get users current with a safer, more secure Internet Explorer. Finally, thank you to the Java engineering team for partnering with us on delivering this feature.
This partnership shows that the Java and IE goals are the same regarding keeping users up-to-date and secure!
Addendum - 8/10/14
We have received several questions about this update, and would like to clarify these as well as make a quick announcement. Based on customer feedback, we have decided to wait thirty days before blocking any out-of-date ActiveX controls. Customers can use the new logging feature to assess ActiveX controls in their environment and deploy Group Policies to enforce blocking, turn off blocking ActiveX controls for specific domains, or turn off the feature entirely depending on their needs.
The feature and related Group Policies will still be available on August 12, but no out-of-date ActiveX controls will be blocked until Tuesday, September 9th. Microsoft will continue to create a more secure browser, and we encourage all customers to upgrade and stay up-to-date with the latest Internet Explorer and updates. Below, please find the answers to some frequently asked questions about this update.
FAQ
Which outdated ActiveX controls are covered in this update?
No ActiveX controls will be affected when the feature is initially released in August. In September, only out-of-date Oracle Java ActiveX controls will be affected. All other ActiveX controls will continue existing behavior.
Will this update affect applications which use out-of-date Java outside of Internet Explorer?
This feature will only prompt the user when an out-of-date version of Java is loaded as an ActiveX control in Internet Explorer.
Will this update apply to Internet Explorer on server as well as client SKUs?
Will this feature be part of the August Cumulative Update or be released as a separate Hotfix?
This feature will be part of the August Internet Explorer Cumulative Security Update, but no out-of-date ActiveX controls will be blocked for thirty days in order to give customers time to test and manage their environments.
Does this feature help protect against active attacks targeting outdated Java controls?
Yes, installing the most current version of the Java runtime significantly improves user security. Additional details on specific CVEs are outlined on the Microsoft Security Blog – “” and in the.
Can end users choose to override the prompt if a trusted application requires out-of-date Java use?
Yes, users can choose the “Run this time” option for internet sites requiring out-of-date ActiveX control use.
My enterprise has line-of-business web sites that depend on out-of-date Java ActiveX controls in the Intranet zone or Trusted Sites zone, will those be affected by this update?
No, sites in the Intranet or Trusted Sites zone will continue to function as usual after applying this update.
Intranet websites accessed through a fully-qualified domain name or IP address are considered to be within the Internet zone and will be affected by this update. Please see the following for a full discussion and suggested workarounds.
In addition, it should be noted that no out-of-date ActiveX controls will be affected for thirty days, in order to give customers time to test and manage their environments.
My enterprise has line-of-business web sites that depend on out-of-date Java ActiveX controls in the Internet zone, will they be affected?
Out-of-date Java ActiveX controls will not be initially affected, giving customers thirty days to test and manage their environments. After September 9, when end users attempt to load the out-of-date Java ActiveX control, a prompt will be shown to the user (as described earlier in the post).
The end user will be able to click the “Run this time” option to load the out-of-date Java ActiveX control. Once loaded, the Java out-of-date ActiveX control will work as usual.
Can this feature be disabled if my enterprise requires an older version of the Java runtime?
Yes, there are several ways to disable this feature.
Microsoft provides updated IE group policy administrative templates which include 4 new group policies to control this feature*. Two of these group policies can be used to disable this feature on a per domain basis or entirely. If you do not wish to use the group policy administrative templates to disable the feature, you can use the following registry keys that can be set via group policy (the process is described in more detail and ).
All keys can be set in HKLM or HKCU (HKLM will take preference over HKCU).
Policy: Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains
Registry setting: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\Domain" /v contoso.com /t REG_SZ /f
Policy: Turn off blocking of outdated ActiveX controls for Internet Explorer
Registry setting: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v VersionCheckEnabled /t REG_DWORD /d 0 /f
If none of the above options work, the address of the site which needs to use an out-of-date Java ActiveX control can be added to the Trusted Sites zone.
Can this feature be disabled without administrative access?
This can be done by deleting any previously downloaded versionlist.xml files and instructing IE to stop updating the XML file, by running the following commands in a command window:
• reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /f
• del "%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml"
How does Internet Explorer obtain, update and use the versionlist.xml file?
Supported versions of Internet Explorer will download the initial version of the versionlist.xml file within 12 hours of installing the August Cumulative Update and starting Internet Explorer. The versionlist.xml file will be downloaded from to: %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml. Once the file is downloaded the feature will become enabled and Internet Explorer will start blocking out-of-date Java ActiveX controls in accordance with the data present in the versionlist.xml file. Internet Explorer will then check for updates to this file on a regular cadence. If Microsoft updates the file, Internet Explorer will download a new version of this file. Note that the file will not block out-of-date ActiveX controls for the first thirty days, to give customers time to test and manage their environments.
Can an enterprise disable or override the URL to which a user is taken when the Update button is clicked on the out-of-date ActiveX prompt?
The URL that the user is taken to when the Update button is clicked is stored in the versionlist.xml file, and while this URL can be changed in the file, any future updates to the versionlist.xml will override those changes.
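As an added example (not part of the original post or of Microsoft's templates), this PowerShell reports the effective state of the policies and registry locations described in the FAQ above, so an administrator can spot machines where the feature has been turned off by policy or by the per-user versionlist.xml bypass; the function names are the author's own, and the value names AuditModeEnabled and RunThisTimeEnabled for the logging and "Remove Run this time" policies are assumptions to be checked against the TechNet documentation.

```powershell
# Added example, not part of the original post. Reports the effective
# out-of-date ActiveX control blocking configuration on this machine using the
# registry locations the post names (HKLM takes precedence over HKCU).
# The value names AuditModeEnabled and RunThisTimeEnabled are assumed from the
# administrative templates; verify them against the TechNet documentation.
$PolicyKey     = 'Software\Microsoft\Windows\CurrentVersion\Policies\Ext'
$DomainKey     = "$PolicyKey\Domain"
$VersionMgrKey = 'Software\Microsoft\Internet Explorer\VersionManager'
$VersionList   = Join-Path $env:LOCALAPPDATA 'Microsoft\Internet Explorer\VersionManager\versionlist.xml'

function Get-EffectivePolicyValue {
    param([string]$SubKey, [string]$Name)
    # The first hive that defines the value wins; HKLM is checked before HKCU.
    foreach ($hive in 'HKLM', 'HKCU') {
        $item = Get-ItemProperty -Path "${hive}:\$SubKey" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [pscustomobject]@{ Hive = $hive; Value = $item.$Name } }
    }
    return $null
}

function Get-ExemptDomains {
    # Each value name under ...\Policies\Ext\Domain is a domain, host or file
    # for which blocking and warnings are turned off.
    $domains = @()
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = Get-Item -Path "${hive}:\$DomainKey" -ErrorAction SilentlyContinue
        if ($null -ne $key) {
            foreach ($name in $key.GetValueNames()) { $domains += "${hive}:$name" }
        }
    }
    return ,$domains
}

function Get-ActiveXBlockingStatus {
    $featureOff = Get-EffectivePolicyValue $PolicyKey 'VersionCheckEnabled'
    $logging    = Get-EffectivePolicyValue $PolicyKey 'AuditModeEnabled'    # assumed value name
    $runThis    = Get-EffectivePolicyValue $PolicyKey 'RunThisTimeEnabled'  # assumed value name
    # DownloadVersionList is per user: 0 means the non-administrative bypass
    # from the FAQ has been applied and versionlist.xml is no longer refreshed.
    $download = Get-ItemProperty -Path "HKCU:\$VersionMgrKey" -Name DownloadVersionList -ErrorAction SilentlyContinue
    $listPresent = Test-Path -Path $VersionList
    $listWritten = if ($listPresent) { (Get-Item -Path $VersionList).LastWriteTime } else { $null }

    [pscustomobject]@{
        FeatureDisabledByPolicy = ($null -ne $featureOff -and $featureOff.Value -eq 0)
        LoggingEnabled          = ($null -ne $logging -and $logging.Value -eq 1)
        RunThisTimeRemoved      = ($null -ne $runThis -and $runThis.Value -eq 0)
        ExemptDomains           = (Get-ExemptDomains) -join ', '
        VersionListUpdatesOff   = ($null -ne $download -and $download.DownloadVersionList -eq 0)
        VersionListPresent      = $listPresent
        VersionListLastWritten  = $listWritten
    }
}

# A machine where the feature is silently off shows FeatureDisabledByPolicy or
# VersionListUpdatesOff as True, or VersionListPresent as False well after the
# August update; those are the conditions worth collecting centrally.
Get-ActiveXBlockingStatus | Format-List
```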
Is out-of-date Java the only ActiveX control being blocked by this feature in September?
In September, yes, only out-of-date Oracle Java ActiveX controls will be blocked by this feature. However, Internet Explorer will consider blocking additional common, but out-of-date ActiveX controls in future updates.
*Where can I find additional documentation about this feature and the group policy administrative templates?
Additional TechNet documentation and the group policy administrative templates will be available on TechNet and Download Center respectively on 8/12.
— Fred Pullen, Senior Product Manager, Internet Explorer
— Jasika Bawa, Program Manager, Security.
How about also prompting the user with a notification to install an ActiveX control if it is not installed? For example, what if I don't have Java or Flash and the page I am visiting requires them. It would be nice if I got a notification with a button to automatically install them, without having to search around the Web and possibly installing something else on a malicious website pretending to be Java for example. Also, in the current implementation, will the update button download and install the update, or will it take me to the vendor's website on which I would then have to manually find and download and install an executable?
If it's the latter case, it's too cumbersome and it will not help that much. Automate stuff as much as possible please.
How about some notice before doing it!!! The idea is good, but documentation released 7th and implementation of security update on Aug 12th? What person made that stupid decision? Most large enterprises are still trying to get apps remediated for Java signing introduced in Update 51 – and Update 65 was only released the other day with Update 67 a bug fix update the week after. Java isn't just a patch to deploy, it's a whole application. I don't remember seeing an advisory that this was coming? I hope it's a GENERAL update and not rolled into an IE cumulative security update.
Enterprise environments have testing and change control workflows which shouldn't have to invoke emergency board procedures for this. If the group policy settings are in the main IE policy, that's also an issue for a lot of people because of MS deprecating IE Maintenance Mode meaning the template can't just be thrown into AD, especially if you have different IT areas supporting different policies and the central IT function has no control over a couple of areas that self-govern. You have to co-ordinate the change over so they convert to proxy settings to GPO preferences at the same time.
The process of upgrading from IE8 to IE10/11 can be painful for large organisations as intranet apps written over many years may not work – so that takes time to get them changed as some may not have readily available recoding support or money has to be agreed from the business to upgrade – that all takes some time. In an ideal world, funding would be available and everyone would change their code to work with new versions ASAP, but this doesn't happen in most organisations. Going from IE8 to IE10/11 is quite a step because of the fact that MS have made the browser more stringent to standards, and lost some of the 'old IE ways' – hence why there is a pain point for making existing stuff compatible, but once this is done our future upgrades would be easier for newer IE versions. I hope the change is a general update rather than lumped into a security update seeing as there hasn't been much time given? I guess we will have to rush a GPO Preference out to set the reg key to disable the function. @rachel Indeed, you're not funny. And your comment makes you look uneducated (regarding browser security).
IE has been a pretty secure product for a while (more than Firefox). And with EMET installed it is actually hard to beat! Apparently you have not heard the results of this year's Pwn2Own browser hacking contest. Every major web browser was hacked several times.
Even ChromeOS! IE11 with EMET was the only target to resist despite the highest reward of the contest for anyone pwning it. The point is that if you follow good security practices (EMET, EPM, ) IE can provide you a very secure browsing experience. @Julien – Not quite – ActiveX was too easy to hack (at least in its first several years).
NPAPI never provided an easy mechanism of installing new plugins (as far as I know), while ActiveX has. That made it insecure and an abomination. Perhaps that has changed since then, but it was not always like that. Also, NPAPI are in the process of being deprecated as well. Anything that gives websites too much power is in the process of being deprecated, eventually.
Browser add-ons are a bit similar to ActiveX, because you can actually install them pretty easily, but they also mostly have much less power and you must approve their installation with a scary warning if it adds an NPAPI plugin (at least in Chrome). 'And with EMET installed.' '.if you follow good security practices.' Also, if you unplug the ethernet cable IE has only just decided to block out of date plugins/activex. Also, the difference between ActiveX controls and NPAPI plugins is (dumbed down) an NPAPI plugin is to be manually installed on your system, from a known source. Where ActiveX controls aren't (quite) – the location of it is specified by the web page.
They are not plug-ins. Plug-ins are plug-ins. People like YOU are the reason the rest of us still need to use IE for testing. @Numbstill You're right about market share, but ChromeOS was hacked despite having less than.
@rachel Even just using IE11 in the default configuration is still safer than using Firefox. And using IE/Metro is safer than using Chrome (all plugins except Flash are blocked, and 64bit/EPM is enabled). But what I'm saying is that safety can be improved even more in a managed environment. As for ActiveX, it's as much 'difficult' to install one accidentally than to download/run a malicious .exe. Nowadays you're more likely to install a malicious Chrome/Firefox extension, because even some power users still believe it's safe to install extensions from little-known developers. Also, people like YOU are the reason the mobile web is broken. IE is now a great browser, and more and more people are admitting it.
Stop being so clueless. The web != webkit. Can IT people block that UPDATE button in the warning at all if this is enabled? The last thing I need are VP's insisting we need to upgrade when in reality we cannot because we have some important applications that will break (and have nearly zero control over fixing). I like the idea of putting in logging for the first month, adding the sites we need to Trusted Sites, and then turning this on. But, if general web surfing generates calls to the Help Desk from angry users saying they want to upgrade Java then that is a big problem.
Lastly I hope the logging feature is clear to setup on the back end, unlike the IE11 enterprise mode logging (which had near zero information available when it was first released). @Julien – Chrome OS was indeed hacked and besides being very popular recently (top 10 selling notebooks in the last few years), Google was giving huge, huge prizes ($80,000, if I remember correctly, or some other ridiculous amount). People still want a lot of money. 🙂 Regarding ActiveX, like I mentioned, in the first several years, it was an abomination. Since Windows XP SP 2, it was apparently improved (a much needed improvement), but before – it was a serious security issue and plagued lots of users. 'And using IE/Metro is safer than using Chrome (all plugins except Flash are blocked, and 64bit/EPM is enabled).' I cannot agree with this statement.
Chrome sandboxed Flash, while Internet Explorer does not (and Flash has had many security issues over the years and as far as I know, a lot of them remained unfixed for inappropriate periods of time). I believe Chrome blocks NPAPI plugins (not add-ons, though) in Metro as well. Plugins can ruin your computer, while extensions have much less of an attack vector. @Dave – The statistics of W3Schools are not indicative of normal usage, most of the people who use that website are developers and, well, developers generally prefer other browsers.
@Don – It is an update that is delivered using Windows Update. As an administrator, you can prevent your users from getting this update using the normal methods, or delay getting this update. @NumbStill – thanks but actually I find the article too vague regarding blocking. There are screenshots here that show warnings, but not screenshots that show what blocking looks like, unless those screenshots are in fact what users will see when blocking (and they mention doing an update too). I will not bank on anything written here until I have tested it myself. If the block message tells users they need to upgrade then that is just as bad as giving them a button – they can still read and what they see is 'I need an upgrade/My IT sucks'*.
*what they should be thinking is Java sucks. Why the developers over at Oracle cannot patch holes in Java without doing a complete program update breaking other apps is beyond me. You never see MS release .Net security patches using wholesale program updates that break legacy apps (very rare, and not since 1.1/2.0 in my experience). I am sure the language is wonderful but the JRE client is a bloody nightmare to deal with in a corporate environment. Its installer has had issues for years on 64bit systems and it has zero GPO integration, still using text files for configuration management etc. It is a complete heap of trash. Something breaks every time you upgrade it, and it has had so many security problems they have to go to extreme lengths to force people into upgrading because they cannot fix it all at once and know darn well there will be more holes discovered after this Nth release.
@NumbStill So if you agree that ActiveX support post XP SP2 is fine, why do people continue to say it should be killed because of some pre-XP SP2 behavior? That was 10 years ago for god's sake! It's like saying that Firefox sucks because Netscape 6 sucked. About Chrome OS and EMET, in both cases the reward was $150,000. It's actually not that much. Complex exploits can be worth more than that.
Anyway, while it doesn't prove much, it still shows that bypassing EMET 4 was not something trivial to do. Yes there has been a PoC since then, but still not exploit in the wild. As for market share, even if Google claims it has sold a lot of ChromeBooks, strangely that is not reflected by actual market share in OS/browsers usage. As for Flash Player, actually every activeX control is sandboxed by default since Vista/IE7 (write blocked). So Flash Player is sandboxed in both protected mode and EPM, well before Chrome. Interesting idea, similar to what Oracle is doing with old versions of the JRE. But — I did notice something related to Java.
A lot of corporate customers are stuck on JRE 6 for whatever reason. The latest publicly available JRE 6 release on Oracle's website is JRE 6 Update 45 () According to your matrix, you are warning users about anything older than JRE 6 Update 81. Gaining access to any versions of JRE 6 newer than update 45 requires a support contract from Oracle — it's usually bundled with whatever Oracle product or middleware requires it. So, it sounds like the end users that this block is targeting will be prompted to upgrade to JRE 7 or 8, which may very well break (badly written corporate) applications. Any idea what large companies should be doing for a BYOD or home-worker style environment?? Will or will not local intranet servers be affected??
– The answer above doesn't make any sense: – First they won't – then they will, which is it? – My enterprise has line-of-business web sites that depend on out-of-date Java ActiveX controls in the Intranet zone or Trusted Sites zone, will those be affected by this update? No, sites in the Intranet or Trusted Sites zone will continue to function as usual after applying this update.
Intranet websites accessed through a fully-qualified domain name or IP address are considered to be within the internet zone and will be affected by this update. Meta X-UA-Compatible with requiresActiveX was introduced a while ago, could you please explain how this interoperates with your new changes? If you place requiresActiveX as part of the meta-tag http-equiv named X-UA-Compatible on top of your page and visit it with an IE10+ in Modern-Mode a toolbar is shown giving you the opportunity to change to IE in Desktop-Mode, loading the same page, hopefully with the embedded plugin. UX will be: 'hey, this *works*, but after click' banner on bottom of IE 10+ Metro-Mode, then *maybe* (in case it is outdated in red Color, otherwise, imho, with an orange one inviting you to install) another toolbar asking you to download after another click, that is driving you to another one's website, forcing you to install a software with at least two clicks before downloading a single byte of the binary. Sounds to me like pain in the ass 😉 Would like to hear or test out, that the shown link/button directs the user straight to a download, instead a click-through hell, which welcomes you early enough, as Setup starts – guiding you via AskToolbar and '3 Billion Computers ruining Java'.
@RJC, Bruce S: The logs are kept in "%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager". You should just be able to copy them off to a share and run through them with a powershell script. This is all documented in the article here: @TMZ: As the blog post says, these are not officially live until 8/12 so what you are seeing hasn't yet been updated. @Glenn: Depends on which version of Java IE tries to load. If it tries to load an outdated version you will get a prompt.
If its the latest version then you won't get a prompt. Numbstill, Fully aware of Enterprise Mode, it doesn't fix all compatibility issues though does most. We were already in flight with IE10 when IE11 was released and the project funding for compatibility testing was already in flight.
We can't suddenly deploy IE11 within a few days before this change went ahead. And Java is Java, most LARGE organisations have had trouble with getting MANY apps signed to work post Java 7 Update 51.
This is the difference between the 'ideal' world where funding is always flowing and everyone does not have internal politics etc and the 'real' world where in large organisations you can't always get things moving as quickly as you want even if you pounce on it when it's released. The only thing that gets out quickly is security updates for OS. What Corey said So we now know that logging will not function unless %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml has been copied to the user's profile. So you have to wait for IE to download versionlist.xml or manually copy the file. But isn't logging worthless if it doesn't identify what will be in the blocklist. All we will see is 'Not in blocklist' or 'Version not in blocklist' until Sept 9th? This doesn't help us identify what will be blocked based on the latest versionlist.xml.
So we are left with the criteria that old versions of Java will be blocked unless your site is in the Intranet or Trusted site zone. That doesn't help us validate our configurations when the block list changes on sept 9th. Even if I add non Intranet sites into the Trusted site zone I have no way of verifying this configuration. How about provide us with the versionlist.xml that will be used on Sept 9th so we can test and validate our Java based web applications to actually see the behavior of out-of-date Active X blocking?
Otherwise logging doesn't help us prepare for what will be blocked in September. Am I missing something here? Question: how big is the log file going to be? I notice that my log contains several lines with the same value, so I wonder if we enable this permanently how much this file will grow.
Is there any hard coded limit where it starts overwriting? Just thinking loud.
Why was not the same logging option considered as exists for enterprise mode? I mean with the log file stored locally in the user's profile I end up building a process collecting these files for 15000 clients spread all over the world. Last but not least. If MS could set up a test page with older versions to ensure all works as expected that would be great. Kind regards Alex.
I found this that describes the XML hacks required to get it into 'blocking mode' a bit better (I have yet to actually test it though): Reaching out to our TAM for guidance/clarification because this is a bit ridiculous. The best idea for handling this that I have as of now is:
• Disable it completely via GPO so things do not break on 9/9 when I assume a new XML will be released
• Enable Logging via GPO
• Start testing on 9/9 when Microsoft has released a functional XML (Provide a GPO Override or something)
• Enable it via GPO after proper testing.