Microsoft announced yesterday that it will soon roll out an Internet Explorer update that will automatically block old, insecure ActiveX controls. Dubbed out-of-date ActiveX control blocking, the feature will be released on August 12 as part of this month's Patch Tuesday.
ActiveX controls are small programs or add-ons that enhance the browsing experience by allowing interactive content like toolbars, videos, games and more. However, they can also make the browser susceptible to attacks as they aren't automatically updated to fix any vulnerabilities being exploited.
The new feature, which uses an XML file hosted on Microsoft’s servers to identify the controls that aren't allowed to load, will alert users when web pages try to launch old or potentially insecure ActiveX controls, offering them options to either update the control or override the warning. You'll still be able to interact with other parts of the Web page outside of the outdated control.
What's interesting is that the initial release focuses squarely on Oracle's Java ActiveX control. Justifying the choice, Microsoft pointed to its latest Security Intelligence Report, which says Java exploits represented 84.6% to 98.5% of exploit kit-related detections each month in 2013. Microsoft further said that while most of these vulnerabilities may have been fixed in recent versions, users may not know to upgrade.
Microsoft also said that over time it will update the XML file to add other outdated and potentially dangerous ActiveX controls to the list.
The out-of-date ActiveX control blocking feature works on Windows 7 SP1 with Internet Explorer 8 through Internet Explorer 11, and on Windows 8 and up with Internet Explorer for the desktop. It applies in all Security Zones, such as the Internet Zone, but not in the Local Intranet Zone and the Trusted Sites Zone.
As of now, the feature will alert users when Web pages try to load the following versions of Java ActiveX controls: J2SE 1.4 (everything below update 43), J2SE 5.0 (everything below update 71), Java SE 6 (everything below update 81), Java SE 7 (everything below update 65), and Java SE 8 (everything below update 11).
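The version thresholds and zone exemptions listed above can be turned into a check that an administrator runs over a Java inventory to see which machines will start getting the warning. This is an added example, not Microsoft's code and not the format of its XML file; the zone labels, function names and sample inventory are assumptions made for illustration.

```python
import re

# Lowest update that is NOT flagged, per Java family, from the list above.
MIN_UPDATE = {4: 43, 5: 71, 6: 81, 7: 65, 8: 11}

# Zones the article says are exempt (label strings are this example's own).
EXEMPT_ZONES = {"Local Intranet", "Trusted Sites"}

# Classic Java version string: 1.<family>.<minor>[_<update>][-<build>]
_VERSION_RE = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?(?:-\S+)?$")


def parse_java_version(text):
    """Return (family, update); a missing _NN suffix means update 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Java version: %r" % text)
    return int(m.group(1)), int(m.group(2) or 0)


def is_out_of_date(text):
    """True if the version falls below the threshold for its family."""
    family, update = parse_java_version(text)
    threshold = MIN_UPDATE.get(family)
    if threshold is None:
        return False  # family not covered by the list above
    return update < threshold


def would_warn(text, zone):
    """Combine the version rule with the zone exemptions."""
    return zone not in EXEMPT_ZONES and is_out_of_date(text)


def audit(inventory):
    """Return (host, version) pairs that need a Java update or manual review."""
    findings = []
    for host, version in inventory:
        try:
            if is_out_of_date(version):
                findings.append((host, version))
        except ValueError:
            findings.append((host, "unparsed: " + version))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [("ws-01", "1.7.0_55-b13"), ("ws-02", "1.8.0_11"),
          ("ws-03", "1.6.0_45"), ("ws-04", "1.8.0_05"), ("ws-05", "java 7")]

if __name__ == "__main__":
    for host, version in audit(SAMPLE):
        print(host, version)
```

Entries reported as unparsed need a manual look rather than being treated as current.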