Internet Explorer to begin blocking out-of-date ActiveX controls
As you may have heard, Microsoft is enhancing the security of Internet Explorer by introducing the out-of-date ActiveX control blocking feature. This was shipped on August 12, as part of the monthly Windows Update.
Important: based on customer feedback, blocking will not commence until September 9, 2014, providing time for deployment and test in your environment.The out-of-date ActiveX control blocking feature, will still be distributed on August 12, 2014, together withdocumentation and related Group Policy templates as detailed in the resources section below.
What does this mean for your organisation?
As of September 9, 2014, if your organisation has a dependency on outdated versions of Java in the Internet Zone in affected versions of Internet Explorer, you will be impacted by this change.
Users will begin to see blocking UI outlined here—note however that this UI can be clicked through, which allows a webpage to load an outdated version of Java on a one-time basis.
If this is an unacceptable breaking change for your organisation, you have the following two options:
· You can turn the feature off entirely, via the Turn off blocking of outdated ActiveX controls for Internet Explorer Group Policy setting (or corresponding registry key). Note however that this is the less secure option to adopt.
· You can turn the feature off on the specific domains on which your organisation has an out-of-date Java dependency, via the Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains Group Policy setting (or corresponding registry key).
If you’re unsure of whether your organisation has a dependency on outdated versions of Java, or, you’re unsure of what specific domains in the Internet Zone in your organisation have a dependency on outdated version of Java, then use the Turn on ActiveX control logging in Internet Explorer Group Policy setting (or corresponding registry key). This will help you inventory the ActiveX controls being loaded into Internet Explorer in your organisation, and this information should arm you to answer the questions above and configure and test this feature correctly. Note that you can turn this policy setting on or off regardless of the Turn off blocking of outdated ActiveX controls for Internet Explorer or Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains policy settings. It can be enabled starting August 12, 2014, once the cumulative update containing this feature is installed and the updated inetres Group Policy settings have been installed as well.
Recommend Action:
Please make sure that you perform the appropriate level of testing and ready your business for this update to go live and begin blocking outdated versions of Java starting September 9, 2014.
Resources:
For more information please refer to
· Overview - Blocking out-of-date ActiveX controls
· TechNet documentation - Out-of-date ActiveX Control Blocking
· Updated Group Policy Template (Windows Server 2003 & 2008 up)