Old Flash ActiveX will be blocked on Windows 7
Microsoft announced yesterday that it will block outdated Flash Player ActiveX versions on Windows 7 and Windows Server 2008 R2 starting October 11, 2016.
Unlike newer versions of Windows, where Flash Player is updated via Windows Update, Windows 7 and Windows Server 2008 R2 do not update Flash Player automatically.
While some Windows customers update the ActiveX version of Flash Player manually each time a new version is released, others may be running outdated versions.
Flash is one of the main attack vectors, and old versions have more vulnerabilities than Swiss cheese has holes, so loading Flash content in Internet Explorer with an outdated Flash version is a security risk.
Blocking old Flash Player ActiveX content
Here are the details: starting October 11, 2016 Adobe Flash Player content will be blocked automatically on page load if outdated versions of Flash Player are used on the system.
Microsoft notes that the following versions are considered outdated:
- Any version before Adobe Flash Player 21.0.0.198
- Any version before Adobe Flash Player Extended Support Release 18.0.0.241
Tip: The versions will change over time as updates get released. You can find the latest versions the blocking applies to on Microsoft's IT Center site. The same page lists information about outdated Java and Silverlight controls as well.
Note that Local Intranet Zone and Trusted Sites Zone sites are not affected by this. This is done primarily to make sure that Enterprise and business customers can continue using applications that rely on Flash ActiveX controls without disruption.
Internet Explorer warns you once per tab, regardless of how many Flash content bits are on it. The warning message reads "Flash Player was blocked because it is out of date and needs to be updated".
The prompt lists an option to update Flash Player, or to run the control this time.
Interestingly enough, non-admin users who use Internet Explorer 11 won't "see any out-of-date Flash ActiveX control blocks" according to Microsoft.
System administrators may enable out-of-date Flash blocking for all users by running the following command from the command prompt:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v NonAdminSuppressEnabled /t REG_DWORD /d 0 /f
Group Policy
The following Group Policy settings are available to manage and customize the blocking feature.
- Turn on ActiveX control logging in IE - Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management
- Remove the Run this time button for outdated ActiveX controls in IE - Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management
- Turn off blocking of outdated ActiveX controls for IE on specific domains - Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management
- Turn off blocking of outdated ActiveX controls for IE - Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management
Registry
The same options are also available via the Registry. Note that there is one additional option that lets you remove the update button from the prompt.
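rem Turn on ActiveX control logging in IE
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v AuditModeEnabled /t REG_DWORD /d 1 /f
rem Remove the "Run this time" button for outdated ActiveX controls
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v RunThisTimeEnabled /t REG_DWORD /d 0 /f
rem Turn off blocking of outdated ActiveX controls on a specific domain (here example.com)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\Domain" /v example.com /t REG_SZ /f
rem Turn off blocking of outdated ActiveX controls entirely
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v VersionCheckEnabled /t REG_DWORD /d 0 /f
rem Additional option: remove the update button from the prompt
reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v UpdateEnabled /t REG_DWORD /d 0 /f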
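To review how a machine is currently configured before or after applying these commands, the following PowerShell script (an added example, not from Microsoft or the original article) reads back the values named above and lists any exempted domains. It only inspects the HKCU locations used in the article's commands; the function name Get-PolicyValue and the report layout are illustrative.

```powershell
# Added example: report the out-of-date ActiveX blocking settings for the
# current user, using only the registry values named in the article.
$ext = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext'
$vm  = 'HKCU:\Software\Microsoft\Internet Explorer\VersionManager'

# Value name, the data the article's reg add command writes, and its effect.
$checks = @(
    @{ Path = $ext; Name = 'VersionCheckEnabled';     Data = 0; Effect = 'blocking turned off' }
    @{ Path = $ext; Name = 'RunThisTimeEnabled';      Data = 0; Effect = '"Run this time" button removed' }
    @{ Path = $ext; Name = 'AuditModeEnabled';        Data = 1; Effect = 'ActiveX control logging on' }
    @{ Path = $ext; Name = 'NonAdminSuppressEnabled'; Data = 0; Effect = 'blocking enabled for non-admin users' }
    @{ Path = $vm;  Name = 'UpdateEnabled';           Data = 0; Effect = 'update button removed from prompt' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Setting = $c.Name
        Value   = if ($null -eq $value) { '(not set)' } else { $value }
        Meaning = if ($value -eq $c.Data) { $c.Effect } else { 'not set as in the article' }
    }
}

# Exempted domains are stored as value names under the Ext\Domain subkey.
$domainKey = "$ext\Domain"
$exempt = @()
if (Test-Path $domainKey) {
    # Skip the unnamed default value, which GetValueNames() returns as ''.
    $exempt = @((Get-Item $domainKey).GetValueNames() | Where-Object { $_ })
}

$report | Format-Table -AutoSize
if ($exempt.Count -gt 0) {
    "Domains exempt from blocking: $($exempt -join ', ')"
} else {
    'No per-domain exemptions found.'
}
```

A VersionCheckEnabled value of 0 or any entry in the exempt domain list means outdated controls will load without the block, so those are the rows to review first.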
Resources
The following resource sites provide you with additional information:
- Blocked out-of-date ActiveX controls
- Blocking out-of-date Flash ActiveX controls on IE11
- Out-of-date ActiveX control blocking
- Update to block out-of-date ActiveX controls in Internet Explorer
Meh. ActiveX is an outdated framework, anyway. Microsoft dropped it when transitioning from IE to Edge. It’s time to move on.
Clearly msoft and quite a few commenters here have not thought this through. At a guess, I’d say there are upwards of 10-million commercial and home installations of security cameras depending on IE/Active-X. Anything older than a few years will still be using Active-X and IE. Not an option. Well, unless you just want the cameras guarding your premises as a visual deterrent.
It pisses me off that msoft has to actively block choices. By all means stop supporting something but how can they know just what is being used with IE and Active-X. At my Brother in law’s business, he only has one last system running IE/Active-X, but it is going to be a significant cost outlay. The cameras use a proprietary streaming format and the company no longer exists. But, it is still working perfectly, so why be forced to spend tens of thousands on replacing it if we allow msoft to block “old” Active-X.
Fortunately I can block that one system on the main network receiving updates from the msoft servers via the main dd-wrt router. Even though I have “never check for updates,” set in win7 machines, msoft still does update stuff anyway. I noticed yesterday that all machines running Windows Defender got a program update via Defender List update. Damned annoying and damned sneaky, but msoft is a Law unto themselves these days and the user be damned.
If we put the technical specifics aside and concentrate on the core in other words on the behaviors, those of the powerful and those of the simple beings i’d see things this way :
The powerful have rights and obligations. When a country decides laws, when a company decides policies for its users, are included obligations. Obligations of security among others. Among Microsoft’s policies some concern the users’ security. Among NSA’s behaviors some concern a nation’s security.
After that, the rights of the powerful. The temptation is to put on the account of their rights what is presented as their obligations, to put on the account of a nation’s security or on the account of the Web’s security (and that of its users) what may be relevant of intrusion and far from proclaimed security.
Now for the citizens, the users. When anyone who has no understanding of responsibility and/or of ethics starts messing up with the lives of others that very person feeds the legitimacy of the powerful, including their proclamation of forbidding on the basis of crappy reasons.
This is why it may appear as a never ending circle, a vicious circle, that of the hen and the egg : less authority is wished, is called, is yelled by the good guys and by the bad guys and when less authority is either obtained or forced then the authority says “You see what happens when we provide more freedom?” … and the beat goes on, and authoritative decisions climb one step and reactions yell louder … vicious circle.
This is why I’ve always believed that the only exit to this vicious circle is to stop wondering about “my rights” and start figuring out “my obligations”. This is why anything harmful we do has two effects : 1- immediate, when hurting someone and 2- postponed as another brick brought to the argumentation of the powerful when they, as well as us, lie by accounting more authority on the basis of more bad actions.
This is why, whatever my inclinations to socialist values I will remain faithful to my right-winged culture, should it be for the sole reason that the world around me starts with the person I have in front of me and that I just cannot believe in a social approach of ethics.
@A or B, not C.’s comment, the first one made today, is most apt: What gives Microsoft the right to force people to do what they think is “best” for them? And, disabling another company’s software without the end-user’s permission???
I find the most interesting thing about this article and most of the discussion around it to be the lack of outrage at Microsoft’s ever increasing hubris and disrespect of its customers. A or B, not C., et al, not included.
Reminds me of a recent law passed in New Jersey USA that forbade restaurants from filling customers’ orders for scrambled eggs unless the order was for “hard” scrambled eggs. Fortunately, enough people complained loudly and the law was repealed.
Paraphrasing Benjamin Franklin, ‘Those who surrender their freedom for security deserve neither’.
Microsoft’s right to force users is one thing, my right to live dangerously is another : I don’t wish to be obliged to live (surf) peacefully but once I’m free of that obligation I may ask myself : “OK, I’m free, I got rid of Microsoft’s obligations. And now, what do i do? Do I throw myself from the top of the tower because I’m free? Do I drive dangerously on the highway and take the risk for others as for myself?”
Those are the questions, IMHO.
I entirely agree, jmjsquared.
MC-riders as “organ donors” is a tough wording but unfortunately (or fortunately) true.
Liberty, freedom is not anarchy, they require obligations and being aware and respectful of those obligations is the price of our liberty. When we see what is done with liberty in the Western world we may be tempted to call for tighter laws. I believe that’s a mistake. It’s not liberty the problem, it’s what is done of it by a few, or many, most? My conviction at this time is that humanity is not yet sufficiently evolved to manage liberty in a civilized way but that this is not a reason to defeat liberty but only one to do the best we can and consider that with time ethics will gain on lack of ethics, that consequently societies will become more permissive and that liberty, because we will not have closed it in the hard times, will arise greater than ever. But when? A century, ten centuries? Not in my lifetime i’m afraid, but it will go on that vector, I’m sure, it’s in the very nature of life.
The short — and complete– answer to those questions is: With rights come responsibilities.
In the real world, as I teach my Son, Your rights end where the other guy’s nose begins. So, driving recklessly is not a supportable expression of freedom. Throwing yourself off a tower, riding a motorcycle without a helmet, etc., also are not within your rights, IMO, because society will have to pay to clean up your splattered brains. [ASIDE: My old college friend and chief of trauma surgery at a major Washington, D.C. hospital, refers to MC-riders as “organ donors”.] There has to be a price we’re willing to pay in order to live harmoniously with other people. For example, even if I hate to bathe and am allergic to soap & water, my right to be funky does not also permit me to ride a crowded bus. That’s where duly formed governments and laws come into play.
Nobody elected Microsoft President of the Internet.
“…….Shouldn’t people hv the freedom to live dangerously or surf insecurely, eg rock-climbing, base-jumping, torrenting, sexting, etc.?”
The living dangerously group should also have “Install Updates Automatically” included within it.
Very good, but Adobe should kill the Flash Player as soon as possible.
Ugly HTML5 Player. Since 15 years using the Flash Plugin as portable version i never had any problem.
And comparing to the HTML5 Player, for many other reasons I love Flash. Na.
I’m resigned to living with Flash for now, if only because thousands of lazy Idiot Web Designers still insist on using it to run DRM’ed media players or just to do trivial things like launch PDF viewers!!
Seriously, just visit almost any USA based newspaper, radio or TV station site and try to view content without Flash – very maddening!
Not only they’re not killing it but they’re doing all they can to keep it up on crutches and unfortunately you still have many users acclaiming the dying..
Microsoft was so busy working on its new malware that it forgot since years to remove its own outdated and dangerous ActiveX technology.
They HAVE abandoned it. As of Windows 10, Microsoft Edge doesn’t even use ActiveX.
Seems, M$ r acting like the tech-world’s Big Brother of the novel “1984” by George Orwell.
…….Shouldn’t people hv the freedom to live dangerously or surf insecurely, eg rock-climbing, base-jumping, torrenting, sexting, etc.?
Seems odd that M$ r only taking action now after all these years(= from 2009) of out-dated Flashplayer being used by Win 7 Dummies, ie only after millions of Win 7 users hv rejected their free Win 10 upgrade offer. Aren’t most of the Win 7 Dummies who might hv been using out-dated Flashplayer already auto-upgraded to Win 10 by M$.?
……. Seems like a futile move by M$ to degrade Win 7 bc most of those who hv chosen to remain on Win 7 r quite tech-savvy n they would hv already kept their Flashplayer manually up-to-date, eg via the Software Updater in Avast AV or the Adobe website.
“Shouldn’t people hv the freedom to live dangerously or surf insecurely, eg rock-climbing, base-jumping, torrenting, sexting, etc.?”
I’d avoid including driving in the etc. and I’d wonder if surfing dangerously hasn’t potentially an incidence on us all.
This said, the problem with MS patches is that they may not apply only to security. In fact, they don’t. Hence I’d rather consider living in freedom of one’s privacy choices rather than living dangerously.
Concerning this September 2016 Patch Tuesday, given the fact I’m a Win7 user and that IE11 is disabled here I’ll skip MS’ patches for the time being. Nothing worth.
nah, just don’t use IE
People still use IE? ;)