Recent change of Internet Explorer 6 behavior in handling ActiveX controls and its effects on OWA


Summary

A cumulative security update has been recently released for Internet Explorer 6 for Microsoft Windows XP Service Pack 2 and Microsoft Windows Server 2003 Service Pack 1. This update changes the way in which Internet Explorer handles some Web pages that use ActiveX controls and Java applets. As we have seen some questions around this, we wanted to cover them here.

The below document describes the changes that this Update introduces, how it affects Outlook Web Access and how we can mitigate the effects of this change.

What has changed and why

A Cumulative security update for Internet Explorer (MS06-013) introduced a change in the way IE handles Web pages that use ActiveX controls and Java applets.

After you install this update, you cannot interact with ActiveX controls from certain Web pages until these controls are enabled. This change was deemed necessary for security reasons to avoid the remote code execution. Outlook Web Access is affected by this change as follows:

Symptoms related to Exchange

We see red X in the body of Outlook Web Access (OWA) email, when we use OWA with IE 7 (Windows Vista). The Red X error will not allow to compose a new message, reply to an email, or create a new task, note, journal entry, or an appointment. It may also not allow change any configuration in the Outlook Web Access options folder. The body of the message is grayed out, or has a Red X as below:

On a computer on which you have installed update 912945, you must first click one time in the compose frame in Outlook Web Access before you edit text. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

912945: (http://support.microsoft.com/kb/912945/) Internet Explorer ActiveX update

On a computer on which you have installed security update 912812 that is described in security bulletin MS06-013, you must first click one time in the compose frame in Outlook Web Access to activate the edit control.

Impact of the update when installed on a desktop

Installing the Update 912945 or 912812 on a computer which uses Internet Explorer 6 causes Internet Explorer to now prompt before the control is enabled and used.

Thus Internet Explorer 6 with this update installed will now prompt that you click one time on ActiveX control to enable the edit control.

Example Picture:

Impact on OWA

Since Outlook Web Access uses ActiveX controls heavily this could mean clicking to enable a control whenever we click on Compose a new e-mail message , Reply to an e-mail message, Create a new contact, or appointment to name a Few.

Example Picture:

Windows Vista

This also affects OWA when accessed from Windows Vista as Windows Vista no longer includes support for the ActiveX control that is used for HTML editing in Outlook Web Access.

ActiveX controls are unsafe for IE users who turn on the browser's ability to download and activate ActiveX controls within a web page. The problems occur when a user surfs to a non-trusted web page and that web page contains a malicious ActiveX control. This is a very common means of distributing spyware; the easiest way to avoid it is to not install ActiveX controls from non trusted sites. This is the reason why ActiveX control is eliminated from IE 7.

Solution

Exchange 2000/2003:

On an Exchange 2000/2003 server installing update 911829 on the Exchange server enables a new editor for Internet Explorer. The new editor uses an Internet Explorer "iframe" instead of an ActiveX control. Thus after you apply update 911829, you are not required to first click to enable a control in the compose frame of Outlook Web Access before you edit text.

In Case of other websites which use ActiveX:

If you are a Web site owner, you can rewrite your Web pages so that users are never presented with a tooltip or a dialog box.

The following MSDN link gives us how.

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/overview/activating_activex.asp

Compatibility Patch:

A compatibility patch that will disable the behavior of the Internet Explorer ActiveX update has also been released. (Update 917425) Note that this patch is temporary, and will only apply to KB 912812. This IE compatibility patch will not be available for future security updates. 

Pre - Internet Explorer 6

Since this update is currently released for Internet Explorer 6 only this would not cause any behavior change when a pre-Internet Explorer 6 browser is used.

Additional Reading

http://support.microsoft.com/kb/912945

http://support.microsoft.com/kb/911829

http://support.microsoft.com/kb/917425

While at issues surrounding Internet Explorer and OWA, you might want to also check our previous post on Exchange 2003 SP2 SMIME update released (KB 924334) - resolves compatibility with IE 7.

- Manoj Dhadwal

Comments (9)
  1. Ricky Simons says:

    Thank you, I have been looking for a way to resolve this.

  2. Pablo says:

    What happens if I apply this hotfix first in all the front-end servers but not in the cluster backend servers? We need to guarantee roll back to our customers and we would like to apply this hotfix progressively.

  3. Manoj Dhadwal says:

    Hi Pablo,

    For this resolution to work, you must apply the hotfix to both the front-end server and to the back-end server.

    Thanks,

  4. Topaz says:

    Microsoft does not control the way I use Internet Explorer. I reversed engineered all the cumulative security update for Internet Explorer to remove the ActiveX changes but leave in any bonafide security updates.

    I do what I want, not what Microsoft wants.

  5. Andrew says:

    I’ve installed this on our front and backend servers (Exchange 2003, Windows 2003) and have noticed that now some Windows Mobile and Blackberry phones have trouble connecting via to mail via IMAP. Has anyone run into issues like this after installing this hotfix?

  6. AntiTopaz says:

    Topaz, you’re strange.

  7. Anonymous says:

    Hi, I’m B. Ashok, the Product Unit Manager for Web Development Tools . As mentioned in my earlier post

Comments are closed.

Skip to main content