In its August 2014 update, Microsoft released an Internet Explorer update that allows for old, insecure ActiveX...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
controls to be blocked. How does it work, and how should we configure it in our organization?
Blocking outdated browser plug-ins is one of the new security features many popular browsers have added to prevent the browser from being used in an attack on end users. Some browsers are blocking old versions of Adobe Flash or the Java Runtime Environment; now Internet Explorer is adding functionality to block outdated ActiveX controls that are insecure.
Microsoft previously released manual "Fix its" and other guidance to disable insecure ActiveX controls, but the company disabling these controls itself is the next step. While Microsoft, Apple, Mozilla and Google could delete old, insecure versions of Flash, Java, ActiveX controls or other installed software, this could have negative repercussions for enterprises that require these versions. Plus, an enterprise might have implemented other security controls to compensate for these required insecure applications.
Microsoft security bulletin MS14-051 included functionality to block outdated ActiveX controls. Microsoft stated in its blog post that the new functionality can be managed by adding approved URLs with old, insecure ActiveX controls to the intranet or Trusted Sites zone in IE, which allows enterprises to centrally manage this functionality.
Enterprises should test their ActiveX controls to see if they are using the old, insecure versions. Enterprises that must allow outdated ActiveX controls should pressure their vendors to update the control to prevent it from being used maliciously. Such organizations should also implement security controls such as application virtualization, sandboxes or whitelisting to compensate for these required insecure applications.
Ask the Expert!
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now! (All questions are anonymous.)
Dig Deeper on Microsoft Windows security
Related Q&A from Nick Lewis
As the Magento Community Edition suffers a new zero-day vulnerability, expert Nick Lewis explains how it's being exploited and how to mitigate the ...continue reading
Cross-platform malware enables attackers to leverage their attacks using infected Microsoft Word docs. Expert Nick Lewis explains how the attacks ...continue reading
How was the ATMitch malware able to loot cash machines, then delete itself? Expert Nick Lewis explains how the fileless malware works and how it ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.