Microsoft recently posted to its Internet Explorer blog that it would begin blocking out-of-date ActiveX controls as part of its “ongoing commitment to delivering a more secure browser”. It then updated the post to announce that the blocking had been postponed until September 9th.
According to a recent Microsoft Security Intelligence report, Java exploits represented 84.6% to 98.5% of exploit kit-related detections every month of last year. The company says that while such vulnerabilities may have been fixed in recent versions, not all users will know to upgrade, so an update to IE will include a new security feature called out-of-date ActiveX control blocking.
The feature lets users know when IE prevents a web page from loading common but outdated ActiveX controls, and lets them keep interacting with the other parts of the page that aren’t affected by those controls. It also lets you update the outdated control and inventory the ActiveX controls your organization is using.
“Based on customer feedback, we have decided to wait thirty days before blocking any out-of-date ActiveX controls,” Microsoft said in an update to the blog post. “Customers can use the new logging feature to assess ActiveX controls in their environment and deploy Group Policies to enforce blocking, turn off blocking ActiveX controls for specific domains, or turn off the feature entirely depending on their needs. The feature and related Group Policies will still be available on August 12, but no out-of-date ActiveX controls will be blocked until Tuesday, September 9th. Microsoft will continue to create a more secure browser, and we encourage all customers to upgrade and stay up-to-date with the latest Internet Explorer and updates.”
Next month, only out-of-date Oracle Java ActiveX controls will be affected, and all others will continue their existing behavior. The feature will only prompt the user when an out-of-date version of Java is loaded as an ActiveX control.
“Installing the most current version of the Java runtime significantly improves user security,” Microsoft says.
Read the post (linked above) for more details on all of this. You may also want to check out this post on keeping Oracle Java updated.