rvlsoft - Fotolia
In its August 2014 update, Microsoft released an Internet Explorer update that allows for old, insecure ActiveX controls to be blocked. How does it work, and how should we configure it in our organization?
Blocking outdated browser plug-ins is one of the new security features many popular browsers have added to prevent the browser from being used in an attack on end users. Some browsers are blocking old versions of Adobe Flash or the Java Runtime Environment; now Internet Explorer is adding functionality to block outdated ActiveX controls that are insecure.
Microsoft previously released manual "Fix its" and other guidance to disable insecure ActiveX controls, but the company disabling these controls itself is the next step. While Microsoft, Apple, Mozilla and Google could delete old, insecure versions of Flash, Java, ActiveX controls or other installed software, this could have negative repercussions for enterprises that require these versions. Plus, an enterprise might have implemented other security controls to compensate for these required insecure applications.
Microsoft security bulletin MS14-051 included functionality to block outdated ActiveX controls. Microsoft stated in its blog post that the new functionality can be managed by adding approved URLs with old, insecure ActiveX controls to the intranet or Trusted Sites zone in IE, which allows enterprises to centrally manage this functionality.
Enterprises should test their ActiveX controls to see if they are using the old, insecure versions. Enterprises that must allow outdated ActiveX controls should pressure their vendors to update the control to prevent it from being used maliciously. Such organizations should also implement security controls such as application virtualization, sandboxes or whitelisting to compensate for these required insecure applications.
Ask the Expert!
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now! (All questions are anonymous.)
Dig Deeper on Microsoft Windows security
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading