An ongoing patent infringement case will force Microsoft to weaken ActiveX controls within Internet Explorer (IE) within the next month.
The company will roll in this non-security change with other IE security fixes during the April patch cycle, Mike Nash said this week. The Microsoft security honcho explained the effects of the changes in a post on Microsoft's Security Response Center blog.
"When we release the next cumulative IE security update, customers will only be able to interact with Microsoft ActiveX controls loaded in certain web pages after manually activating their user interfaces by clicking on it or using the TAB key and ENTER key," Nash wrote.
A recent loss in court to Eolas Technologies precipitated the ActiveX change. Eolas claimed Microsoft is infringing on one of its patents by embedding ActiveX within IE. Though Microsoft continues to fight against the ruling in favor of Eolas, it must modify the way IE handles ActiveX.
Microsoft previously had warned developers in early February of the upcoming IE alterations, and made the change available for optional download later that month. Nash said that due to feedback from enterprise customers and vendors who are scrambling to test the changes on their systems, Microsoft will support an additional patch to temporarily turn off the changes for further testing on the "new" IE. This patch will be deployed like a hotfix and will only be supported until June. At that point all users must revert back to the new ActiveX controls.
"If you have concerns about application compatibility with the ActiveX change, then deploy the compatibility patch to temporarily revert back to the old behavior for Active X," he advised enterprises. "I strongly advise that you not use this patch if you can avoid it, but if you do use the patch, as soon as you fix your application, remove the patch so that you can be sure that your applications work with the new ActiveX functionality."
