ActiveX is a framework of objects, released as part of Internet Explorer 3.0 in 1996, in an attempt to make the web more feature rich. ActiveX controls on web sites would download to local cache in the background and run from there, making the web seem quicker and providing features for web sites beyond simple HTML content delivery.
But, unfortunately, with any technology that is almost 20 years old, computing security has changed dramatically, making older, out of date ActiveX controls a security problem.
As part of Patch Tuesday, on August 12, Microsoft will be delivering a new security feature to Internet Explorer called out-of-date ActiveX control blocking that will attempt identify aged ActiveX controls and block them from running. The new feature will work with Windows 7 SP1 with IE8-11, and Windows 8.x's IE on the desktop.
NOTE: out-of-date ActiveX control blocking works with all Security Zones in IE, except those that are listed in the Intranet Zone or Trusted Sites Zone.
When a suspect ActiveX control is identified it is blocked, and the user will receive an in-browser notification warning. The warning will provide information about why the control was blocked, as well as give the user the chance to update the control to the latest, secure version.
Out-of-date ActiveX control blocking works through a regularly updated versionlist.xml file, received from Microsoft automatically, similar to how AV software updates virus signature files. A sample of the versionlist.xml file can be found HERE. On August 12, Microsoft is taking a stab at blocking various Java ActiveX controls first.
New Group Policy settings will be available for those that need to manage the new feature centrally. The new IE administrative templates will be available for download on August 12 and include the following new settings:
- Enforced Blocking
- Selected Domains
The new IE administrative templates will be available to run on Windows Server 2003 through Windows 2012 R2.