Microsoft announced yesterday that it will block outdated Flash Player ActiveX versions on Windows 7 and Windows Server 2008 R2 starting October 11, 2016.
Flash Player does not get updated automatically on Windows 7 or Windows Server 2008 R2, unlike on newer versions of Windows, where updates are delivered via Windows Update.
While some Windows customers update the ActiveX version of Flash Player manually each time a new version is released, outdated versions of Flash Player may still be in use on other systems.
Considering that Flash is one of the main attack vectors as old versions have more vulnerabilities than Swiss Cheese has holes, it is a security risk to load Flash content using Internet Explorer if the Flash version is outdated.
Here are the details: starting October 11, 2016 Adobe Flash Player content will be blocked automatically on page load if outdated versions of Flash Player are used on the system.
Microsoft notes that the following versions are considered as outdated:
Tip: The versions will change over time as updates get released. You can find the latest versions the blocking applies to on Microsoft's IT Center site. The same page lists information about outdated Java and Silverlight controls as well.
Note that Local Intranet Zone and Trusted Sites Zone sites are not affected by this. This is done primarily to make sure that Enterprise and business customers can continue using applications that rely on Flash ActiveX controls without disruption.
Internet Explorer warns you once per tab, regardless of how many Flash content bits are on it. The warning message reads "Flash Player was blocked because it is out of date and needs to be updated".
The prompt lists an option to update Flash Player, or to run the control this time.
Interestingly enough, non-admin users who use Internet Explorer 11 won't "see any out-of-date Flash ActiveX control blocks" according to Microsoft.
System administrators may enable out-of-date Flash blocking for all users by running the following command from the command prompt:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v NonAdminSuppressEnabled /t REG_DWORD /d 0 /f
The following Group Policy policies are available to manage the blocking feature and customize it.
The same options are also available via the Registry. Note that there is one additional option that lets you remove the update button from the prompt.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v AuditModeEnabled /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v RunThisTimeEnabled /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\Domain" /v example.com /t REG_SZ /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v VersionCheckEnabled /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v UpdateEnabled /t REG_DWORD /d 0 /f
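To check which of these settings are in effect for the current user, the following PowerShell script reads the same values back. It is an added example, not code from the article or from Microsoft; the function name Get-ExtPolicyReport and the Effect descriptions are this example's assumptions, inferred from the value names and the text above.

```powershell
# Added example: reads back the per-user values written by the reg add commands above.
$ext = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext'
$vm  = 'HKCU:\Software\Microsoft\Internet Explorer\VersionManager'

# Names and data come from the commands on this page. The Effect text is this
# example's reading of the value names (an assumption), not the article's wording.
$checks = @(
    @{ Path = $ext; Name = 'NonAdminSuppressEnabled'; Data = 0; Effect = 'blocking also shown to non-admin users' }
    @{ Path = $ext; Name = 'AuditModeEnabled';        Data = 1; Effect = 'audit mode on' }
    @{ Path = $ext; Name = 'RunThisTimeEnabled';      Data = 0; Effect = 'run-this-time option removed from prompt' }
    @{ Path = $ext; Name = 'VersionCheckEnabled';     Data = 0; Effect = 'version check off, outdated controls load' }
    @{ Path = $vm;  Name = 'UpdateEnabled';           Data = 0; Effect = 'update button removed from prompt' }
)

function Get-ExtPolicyReport {
    foreach ($c in $checks) {
        # A missing key or value yields $null instead of an error.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { $item.($c.Name) } else { '(not set)' }
        [pscustomobject]@{
            Setting = $c.Name
            Current = $current
            Matches = ($null -ne $item -and $current -eq $c.Data)  # same data as the command above
            Effect  = $c.Effect
        }
    }

    # Each value name under Ext\Domain is a domain entry (example.com in the command above).
    $domainKey = Join-Path $ext 'Domain'
    if (Test-Path $domainKey) {
        foreach ($name in (Get-Item -Path $domainKey).GetValueNames()) {
            if ($name) {
                [pscustomobject]@{
                    Setting = 'Domain entry'
                    Current = $name
                    Matches = $true
                    Effect  = 'assumed: domain exempted from blocking'
                }
            }
        }
    }
}

Get-ExtPolicyReport | Format-Table -AutoSize
```

Because the values live under HKCU, run the script in the session of the user whose settings you want to review.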
The following resource sites provide you with additional information: