
Microsoft Postpones ActiveX Fix for Internet Explorer

Microsoft indicated it will postpone a planned fix for Internet Explorer to block out-of-date ActiveX controls because of customer feedback, apparently to give users more time for testing.

It will now be Sept. 9 before the new security protection feature for Internet Explorer that blocks older installations of ActiveX takes effect, instead of today as announced earlier. Also, the fix will only block Oracle Java ActiveX for now.

The "out-of-date ActiveX control blocking" security feature is still scheduled to be part of today's update to IE browsers, but the blocking itself won't take effect for another month, according to an addendum to Microsoft's original announcement. Posted on Sunday, the addendum reads as follows:

Based on customer feedback, we have decided to wait thirty days before blocking any out-of-date ActiveX controls. Customers can use the new logging feature to assess ActiveX controls in their environment and deploy Group Policies to enforce blocking, turn off blocking ActiveX controls for specific domains, or turn off the feature entirely depending on their needs. The feature and related Group Policies will still be available on August 12, but no out-of-date ActiveX controls will be blocked until Tuesday, September 9th. Microsoft will continue to create a more secure browser, and we encourage all customers to upgrade and stay up-to-date with the latest Internet Explorer and updates.

It's not exactly clear what customer feedback caused Microsoft to delay the out-of-date ActiveX blocking, although an updated FAQ accompanying Microsoft's original announcement stated that it was done "in order to give customers time to test and manage their environments."

One new addition to the FAQ explains that the out-of-date ActiveX control blocking feature will become available for IE browsers through the "August Internet Explorer Cumulative Security Update" scheduled for today. That likely means it will arrive as part of Microsoft's general Patch Tuesday security bulletin release, rather than as a separate download. Microsoft keeps a list of outdated ActiveX controls in a file called "versionlist.xml." That versionlist.xml file will be downloaded by IE browsers "within 12 hours of installing the August Cumulative Update and starting Internet Explorer."

Another new piece of information that was added to Microsoft's FAQ is that "only out-of-date Oracle Java ActiveX controls will be blocked by this feature" in September. However, Microsoft plans to consider blocking other out-of-date ActiveX controls in its future IE update releases.

Microsoft's technical documentation about the new blocking capability still seems to be somewhat thin at this date. However, Microsoft indicated it's planning to release new TechNet documentation and Group Policy administrative templates today.

In addition to using four new Group Policy additions or administrative templates to manage the ActiveX blocking feature, it's possible to disable it for specific domains or disable it entirely by making some Registry changes. Microsoft's amended FAQ lists the Registry settings to make in such cases.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
