In its August 2014 update, Microsoft released an Internet Explorer update that allows for old, insecure ActiveX...
controls to be blocked. How does it work, and how should we configure it in our organization?
Blocking outdated browser plug-ins is one of the new security features many popular browsers have added to prevent the browser from being used in an attack on end users. Some browsers are blocking old versions of Adobe Flash or the Java Runtime Environment; now Internet Explorer is adding functionality to block outdated ActiveX controls that are insecure.
Microsoft previously released manual "Fix its" and other guidance to disable insecure ActiveX controls, but the company disabling these controls itself is the next step. While Microsoft, Apple, Mozilla and Google could delete old, insecure versions of Flash, Java, ActiveX controls or other installed software, this could have negative repercussions for enterprises that require these versions. Plus, an enterprise might have implemented other security controls to compensate for these required insecure applications.
Microsoft security bulletin MS14-051 included functionality to block outdated ActiveX controls. Microsoft stated in its blog post that the new functionality can be managed by adding approved URLs with old, insecure ActiveX controls to the intranet or Trusted Sites zone in IE, which allows enterprises to centrally manage this functionality.
Enterprises should test their ActiveX controls to see if they are using the old, insecure versions. Enterprises that must allow outdated ActiveX controls should pressure their vendors to update the control to prevent it from being used maliciously. Such organizations should also implement security controls such as application virtualization, sandboxes or whitelisting to compensate for these required insecure applications.
Ask the Expert!
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now! (All questions are anonymous.)
Dig Deeper on Microsoft Windows security
Related Q&A from Nick Lewis
Zscaler recently discovered a malvertising campaign that spreads the Terror exploit kit through malicious ads. Discover more about the threat with ... Continue Reading
Cybersecurity vendor Wordfence reported a rise in scans for SSH private keys that are often accidentally exposed to the public. Learn how to stay ... Continue Reading
The SANS Internet Storm Center discovered a DDE attack spreading Locky ransomware through Microsoft Word. Learn what a DDE attack is and how to ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.