Just prior to the release of August's updates, Microsoft outlined a new feature the company was including in a cumulative security update for Internet Explorer that would help better secure Windows computer. The new feature called out-of-date ActiveX control blocking, is a synching service for Internet Explorer that automatically downloads its own updates, similar to signature files from antivirus products. The update comes in the form of an XML file (example of the file can be found HERE) that sits on the local computer. The file contains information about potentially dangerous ActiveX controls that some web sites attempt to enact to provide additional functionality. The problem with ActiveX controls is that they can age pretty quickly due to improvements and security revisions. Microsoft will work to keep the list of dangerous ActiveX controls up-to-date and then make the updated XML file available. Users don't have to do a thing. Just running Internet Explorer starts the updating process.
When Microsoft made the announcement about the new feature, the company also announced it would start the blocking process right away. It then later decided to wait a month before providing the first update, due to complaints from IT Pros.
For companies wanting to manage the new feature, Microsoft has supplied an updated set of Group Policy Administrative Templates. The new settings allows administrators do things like:
- Turn off blocking of outdated ActiveX controls for Internet Explorer
- Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains
- Turn on ActiveX control logging in Internet Explorer
- Remove "Run this time" button for outdated ActiveX controls in Internet Explorer
The new templates are included in the IE cumulative security update, but you can also download them from the Microsoft Download Center.
Download the updated templates: Administrative Templates for Internet Explorer
Right now, Microsoft recommends getting the templates directly from the cumulative security update as they are seeing reports of Access Denied when using the one's available in the Download Center for Windows 2008. A fix is coming.
The templates are supported for:
- Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, and Windows Server 2003 SP2
- Internet Explorer 8, 9, 10, and 11