Many ActiveX controls do not update automatically, leaving known security flaws exploitable and users open to compromise.

On Tuesday, supported versions of Internet Explorer began blocking out-of-date ActiveX controls, primarily to keep known security flaws in those controls from being exploited against users.

The feature, which Microsoft previewed in August, works with Internet Explorer 8 through Internet Explorer 11 on Windows 7 SP1 and later, and on Windows Server 2008 R2 SP1 and later, according to a Microsoft post. The post adds that blocking is active in all Security Zones except the Local Intranet Zone and the Trusted Sites Zone, so a site that has been added to Trusted Sites can still load an out-of-date control; administrators who rely on the feature should review which sites sit in those two zones.

A notification bar in Internet Explorer will tell users when the browser is blocking an outdated ActiveX control and will offer the option to update it, the post indicates, adding that users can still interact with the parts of the webpage that the blocked control does not affect.

Internet Explorer decides which ActiveX controls to block based on a Microsoft-hosted file named 'versionlist.xml', which Microsoft updates automatically as newly discovered out-of-date ActiveX controls are added, according to the post.
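To show how a version-based blocklist of this kind is evaluated, here is an added example (written for this page, not Microsoft's or Internet Explorer's own code). It parses a constructed blocklist in a made-up schema, which is not the real versionlist.xml format, and audits a constructed inventory of "installed" controls, treating a control as out of date when its version is numerically below the minimum the list allows. The CLSIDs, control names, version numbers, and the `min_version="*"` convention for "block every version" are all invented for the example.

```python
"""Audit installed ActiveX controls against an out-of-date blocklist.

Added example, not Microsoft's code. The XML below uses a hypothetical
schema and is NOT the real versionlist.xml format.
"""
import xml.etree.ElementTree as ET

# Constructed sample blocklist (hypothetical schema, invented CLSIDs).
# Each <Control> names a CLSID and the minimum version still allowed;
# anything older is blocked. min_version="*" blocks every version.
SAMPLE_BLOCKLIST = """<?xml version="1.0"?>
<BlockList>
  <Control clsid="{11111111-1111-1111-1111-111111111111}" name="SamplePlayer" min_version="10.0.0.5"/>
  <Control clsid="{22222222-2222-2222-2222-222222222222}" name="LegacyViewer" min_version="*"/>
  <Control clsid="{33333333-3333-3333-3333-333333333333}" name="DocHelper" min_version="2.1"/>
</BlockList>
"""

# Constructed inventory of "installed" controls: clsid -> (name, version).
SAMPLE_INVENTORY = {
    "{11111111-1111-1111-1111-111111111111}": ("SamplePlayer", "10.0.0.2"),
    "{22222222-2222-2222-2222-222222222222}": ("LegacyViewer", "7.5.0.0"),
    "{33333333-3333-3333-3333-333333333333}": ("DocHelper", "2.1.0.0"),
    "{44444444-4444-4444-4444-444444444444}": ("Unlisted", "1.0.0.0"),
}


def parse_version(text):
    """Turn '10.0.0.5' into (10, 0, 0, 5); a non-numeric part raises ValueError."""
    return tuple(int(p) for p in text.strip().split("."))


def is_older(installed, minimum):
    """True if installed < minimum, padding with zeros so 2.1 equals 2.1.0.0.

    Numeric tuples are compared, not strings: '9.0.0.0' < '10.0.0.0' as
    versions even though the strings sort the other way.
    """
    n = max(len(installed), len(minimum))
    a = installed + (0,) * (n - len(installed))
    b = minimum + (0,) * (n - len(minimum))
    return a < b


def load_blocklist(xml_text):
    """Return {CLSID: (name, minimum-version tuple or None)}; None = block all versions."""
    rules = {}
    for ctrl in ET.fromstring(xml_text).findall("Control"):
        mv = ctrl.get("min_version")
        rules[ctrl.get("clsid").upper()] = (
            ctrl.get("name"),
            None if mv == "*" else parse_version(mv),
        )
    return rules


def audit(inventory, rules):
    """Return [(clsid, name, installed_version, verdict)] for every installed control."""
    results = []
    for clsid, (name, ver) in inventory.items():
        rule = rules.get(clsid.upper())
        if rule is None:
            verdict = "allow (not listed)"
        elif rule[1] is None:
            verdict = "block (all versions)"
        elif is_older(parse_version(ver), rule[1]):
            verdict = "block (below minimum %s)" % ".".join(map(str, rule[1]))
        else:
            verdict = "allow"
        results.append((clsid, name, ver, verdict))
    return results


def blocked_clsids(inventory, rules):
    """Sorted CLSIDs of controls the blocklist would block."""
    return sorted(c for c, _, _, v in audit(inventory, rules) if v.startswith("block"))


if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY, load_blocklist(SAMPLE_BLOCKLIST)):
        print("%-40s %-14s %-10s %s" % row)
```

The zero-padding in `is_older` matters because vendors report versions with two, three, or four components; comparing the raw strings would also mis-order `9.x` above `10.x`, which is exactly the mistake that lets an old control slip past a check.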

“[Microsoft] also importantly [has] released new GPO settings for Internet Explorer to allow business to control this functionality corporate wide,” Marc Maiffret, CTO of BeyondTrust, told SCMagazine.com in a Wednesday email correspondence. “This represents another great configuration option for helping reduce a company's overall attack surface.”

ActiveX controls are small applications that let websites deliver content such as games and videos and let users interact with toolbars; however, many ActiveX controls do not update automatically, the post notes.

Maiffret said that because ActiveX was not initially developed with security in mind, numerous vulnerabilities, many of them leading to remote code execution on the user's system, have surfaced over the years.

“Simply, if a user has a vulnerable ActiveX control and browses to a malicious website, there is the potential for the attacker to run code as the same privilege level of the logged on user,” Maiffret said. “This means an attacker can copy, delete, [and] modify files, [as well as] add backdoors, [and more].”

Maiffret said, “One of the great layers of defense in both this style of ActiveX attack and other client-application vulnerabilities is to implement a Least Privilege environment,” and added that Microsoft's effort is a great step towards reducing security risks and making users more aware of outdated controls.