Internet Explorer, MS06-013, the ActiveX Update and the Compatibility Patch

Today is Patch Tuesday, and many enterprises are right now testing the newly released security updates and getting ready to deploy them to thousands of desktops across the company. Although this might feel like just another set of patches, the regular process might not be enough in this case. Here's why...

MS06-013, the new IE cumulative patch, includes a modification to IE that is not really a security update, but a change in the way IE behaves. This is described in detail at:

https://www.microsoft.com/technet/security/advisory/912945.mspx

In short, IE will no longer allow a user to interact with ActiveX controls started in a certain way. If they are included in the page using the APPLET, EMBED or OBJECT tags, a message will be shown and the control won't work unless the user clicks on it or presses ENTER while focused on it. If you use those HTML tags to include your controls on a page, most users will think the page has a problem. To fix this, you need to use a new procedure to activate those controls. It's a simple script, but the page itself has to be changed. It's all documented at:

https://msdn.microsoft.com/workshop/author/dhtml/overview/activating_activex.asp

This update was first released to MSDN subscribers on January 9, 2006. Then it was released publicly on MSDN on February 6, 2006. On February 28 it was released to Microsoft Update as a recommended (but optional) update.

If this has been around for over a month, why all the buzz about it right now? Well, today this update was included in the IE cumulative patch, which also includes a number of critical security updates. For most enterprises, it's the first time this update will actually get deployed.

As many already found out during testing, some very common applications delivered via ActiveX controls on a web page will stop working or require an additional user interaction. These include certain versions of the Java Platform Standard Edition, of the Google Toolbar and of the Siebel High Interactive clients. To be on the safe side, you need to make sure you do some good compatibility testing before you deploy MS06-013. It would not hurt if you tested this one the same way you typically test a Service Pack. The last thing you want is a spike in help desk support calls because the web interface to your CRM software just stopped working...
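
One way to scope that compatibility testing, as an added example that is not part of the original post: a Python scan that lists the APPLET, EMBED and OBJECT tags written directly in page markup. The page names, the all-zero classid and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Tags the post names as affected by the ActiveX Update behavior.
AFFECTED_TAGS = {"applet", "embed", "object"}

# Constructed sample pages (not real applications); the classid is a placeholder.
SAMPLE_PAGES = {
    "crm/login.html": (
        "<html><body>\n<h1>Sign in</h1>\n"
        '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>\n'
        "</body></html>\n"),
    "reports/chart.html": (
        "<html><body>\n"
        '<applet code="Chart.class" width="200" height="100"></applet>\n'
        '<embed src="movie.swf">\n</body></html>\n'),
    "about.html": "<html><body><p>No controls here.</p></body></html>\n",
}


class ControlTagFinder(HTMLParser):
    """Collects APPLET, EMBED and OBJECT start tags found in the markup itself."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in AFFECTED_TAGS:
            return
        attr = dict(attrs)
        # classid (OBJECT), code (APPLET) or src (EMBED) identifies the control.
        ident = attr.get("classid") or attr.get("code") or attr.get("src") or ""
        self.findings.append(
            {"line": self.getpos()[0], "tag": tag.upper(), "control": ident})


def find_control_tags(html_text):
    """Return one finding per affected tag; text inside <script> is not parsed."""
    finder = ControlTagFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


def summarize(pages):
    """Map page name -> findings, leaving out pages with no affected tags."""
    report = {name: find_control_tags(text) for name, text in pages.items()}
    return {name: hits for name, hits in report.items() if hits}


if __name__ == "__main__":
    for page, hits in summarize(SAMPLE_PAGES).items():
        for h in hits:
            print(f'{page}:{h["line"]}: {h["tag"]} {h["control"]}')
```

Pages that appear in the report are the ones to put in front of testers first; markup generated by script is not covered by this scan and needs a manual check.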

If you need some extra time for testing, you're not alone. Microsoft recognized that many companies don't look into these things until they become part of a critical update or a service pack. For this reason, there is what is called a "Compatibility Patch". If you apply it after you apply MS06-013, it will keep the security changes but disable the ActiveX Update behavior, causing your ActiveX controls to run as they did before. It's an extra step, but it buys you some additional time to do your compatibility testing and change your pages (or wait for your application vendor to change their pages). You can find information about the compatibility patch and how to deploy it at:

https://support.microsoft.com/?id=917425

This Compatibility Patch will only buy you some time, though. In June, a new update to Internet Explorer will make the ActiveX Update behavior permanent, even for those that previously applied this Compatibility Patch.