Microsoft said that Internet Explorer (IE) will begin blocking out-of-date ActiveX controls — the browser’s proprietary plug-in format — when the company updates the versions that run on Windows 7 and Windows 8 next week.
In a blog post, a pair of Microsoft managers said that IE8, IE9, IE10 and IE11 on Windows 7, as well as IE10 and IE11 on Windows 8’s classic desktop, will be refreshed next Tuesday. The updated browser will then display a notification when a website tries to load an outmoded ActiveX control.
Initially, IE will only block outdated versions of Java.
“It’s very important that you keep your ActiveX controls up-to-date because malicious or compromised Web pages can target security flaws in outdated controls to collect information, install dangerous software, or let someone else control your computer remotely,” Fred Pullen, a senior product manager for IE, and Jasika Bawa, a program manager from Microsoft’s security team, said in the Wednesday blog.
When IE encounters an obsolete Java ActiveX control, the warning will let users choose between ignoring the alert, thus running the control, or updating the Java plug-in. Clicking on the “Update” button will direct the browser to the control vendor’s website to download the newest version.
IT administrators will have several new Group Policy settings to manage IE on workers’ PCs, including one that turns off the warning altogether and another that deletes the “Run this time” button and so prevents employees from overriding the notification.
After Tuesday, IE will block all but the current versions of Java. For Java 8, that means a warning will appear if the browser’s running any version except for Java SE 8 Update 11, which Oracle released in mid-July.
Although Microsoft is starting with Java — which has long been targeted by cyber criminals because of a glut of vulnerabilities, but also because users typically run outdated versions — it promised to expand the blocking program.
“We are initially flagging older versions of Java, but over time will add other outdated ActiveX controls to the list,” said Pullen and Bawa. They did not elaborate on what other plug-ins would be blocked, however, or hint at any timetable.
Microsoft is behind its browser-making rivals on locking out, or at least warning users of, outdated plug-ins. Apple’s Safari, Google’s Chrome and Mozilla’s Firefox all have implemented some form of blocking of old, and potentially less-secure plug-ins.
(Microsoft calls its plug-ins “ActiveX controls,” named after the company’s own ActiveX technology, but they serve the same purpose as the plug-ins that work with other browsers.)
Some browsers have also taken the next step and banned plug-ins either entirely or very aggressively. Firefox 26, for example, which launched last December, put Java behind a “click-to-play” wall, requiring users to explicitly approve any execution of the plug-in, even it is current.
In November 2013, Chrome began blocking nearly all plug-ins written in the decades-old NPAPI (Netscape Plug-in Application Programming Interface) architecture.
And Apple regularly updates its block list of outdated Java and Flash plug-ins used by Safari, a practice begun in 2012.
Microsoft will update IE to block out-of-date Java ActiveX controls on Aug. 12, its monthly “Patch Tuesday,” the day it issues security updates for Windows, IE, Office and its other software.
After an Aug. 12 update, Internet Explorer versions 8 through 11 on Windows 7 and Windows 8 will pop up warnings when an outdated version of the Java ActiveX control is called up by a Web page.