Outdated browser plugins are a huge security risk on today's Internet. While some companies have started to block outdated plugins and insecure ones, others have not done so until now.
Microsoft just announced that it will implement changes to Internet Explorer browsers on Windows 7 and newer operating systems that will block some ActiveX controls that are out of date.
To be precise, Microsoft will only block select Java versions using the new security feature. According to the company, Java exploits represented more than 84% of "exploit kit-related detections each month in 2013" making it a high profile target for Microsoft.
The new feature that Microsoft will launch August 12 prevents web pages from loading ActiveX controls that Microsoft has added to a blocklist.
The following controls are affected by this at the time of writing:
- J2SE 1.4 below update 43.
- J2SE 5.0 below update 71.
- Java SE 6 below update 81.
- Java SE 7 below update 65.
- Java SE 8 below update 11.
Internet Explorer displays a notification to the user when a request to run the control is blocked by the browser:
"Java(TM) was blocked because it is out of date and needs to be updated."
Options displayed to users include updating Java or running the control this time. The notification looks different when Internet Explorer 8 is used, but it makes the same functionality available.
A click on update loads the control's website, in this case the Java website, where the latest version of the software can be downloaded.
The new blocking feature will launch for Internet Explorer users on Windows 7 or newer. On Windows 8, it is only available for the desktop version of the browser, as Java cannot be run in the Start Screen version of it.
Requests are only blocked in some zones such as the Internet Zone. Content won't be blocked in the Local Intranet Zone or the Trusted Sites Zone.
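The version list and zone rule above can be turned into a quick audit of a software inventory. The following is an added example, not Microsoft's code: it assumes legacy Java version strings of the form 1.<family>.<minor>_<update>, compares only the update number, and treats every zone other than the two exempt ones as blocking. Hostnames and versions in the sample are constructed.

```python
import re

# Minimum update that is NOT blocked, per Java family (from the list above).
# Key: second component of the legacy "1.<family>.<minor>_<update>" string.
MIN_UPDATE = {4: 43, 5: 71, 6: 81, 7: 65, 8: 11}
# Zones the article names as exempt; all other zones are assumed to block.
EXEMPT_ZONES = {"local intranet", "trusted sites"}
# Accepts e.g. "1.7.0_55", "1.8.0" (no update = 0), "1.6.0_45-b06".
_VERSION_RE = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?(?:-[\w.]+)?$")


def parse_java_version(version):
    """Return (family, update), or None if the string is not recognised."""
    m = _VERSION_RE.match(version.strip())
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None


def is_outdated(version):
    """True/False against the thresholds; None if it cannot be judged."""
    parsed = parse_java_version(version)
    if parsed is None or parsed[0] not in MIN_UPDATE:
        return None
    family, update = parsed
    return update < MIN_UPDATE[family]


def would_block(version, zone):
    """Apply the zone exemption before the version check."""
    if zone.strip().lower() in EXEMPT_ZONES:
        return False
    return is_outdated(version) is True


def audit(inventory):
    """Sort (host, version) pairs into outdated / current / unknown."""
    report = {"outdated": [], "current": [], "unknown": []}
    for host, version in inventory:
        verdict = is_outdated(version)
        key = "unknown" if verdict is None else "outdated" if verdict else "current"
        report[key].append((host, version))
    return report


# Constructed sample inventory (not real hosts).
SAMPLE = [("ws-01", "1.7.0_55"), ("ws-02", "1.7.0_65"), ("ws-03", "1.6.0_45-b06"),
          ("ws-04", "1.8.0_11"), ("ws-05", "1.8.0"), ("ws-06", "not installed")]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(status, hosts)
```

Entries reported as unknown need manual review rather than being counted as current.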
Group Policy Controls
Microsoft has added new Group Policy options to provide better control of the feature in managed environments. Four new Group Policy settings are being made available:
- Turn on ActiveX control logging in Internet Explorer - Logging keeps track of which ActiveX controls will be allowed or flagged for warning or blocking.
- Remove Run this time button for outdated ActiveX controls in Internet Explorer - Enforces blocking so that users cannot override the block and run the control anyway. This removes the "run this time" button.
- Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains - This policy whitelists select domains.
- Turn off blocking of outdated ActiveX controls for Internet Explorer - This will turn off the feature completely.
The implementation of the feature is a step in the right direction. While it makes sense to start with the plugin or control that is exploited the most, it is likely that Microsoft will add other ActiveX controls to the blocklist in the future to protect users further.