Pulling the plugins
Microsoft and Java: Internet Explorer’s next patch to block old Java ActiveX plugins
Microsoft has announced, via the Internet Explorer (IE) blog, a new crackdown on out-of-date Java plugins. IE’s monthly Patch Tuesday updates will soon begin blocking browser enemy no. 1: vulnerable, out-of-date ActiveX controls.
The security ‘feature’ will show users a warning on sites that attempt to load out-of-date Java ActiveX controls:
“Java(TM) was blocked because it is out of date and needs to be updated.”
Websites attempting to load the following versions of the Java ActiveX control will be met with that warning:
- J2SE 1.4, everything below (but not including) update 43
- J2SE 5.0, everything below (but not including) update 71
- Java SE 6, everything below (but not including) update 81
- Java SE 7, everything below (but not including) update 65
- Java SE 8, everything below (but not including) update 11
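To make the thresholds above concrete, here is an added example (not code from Microsoft or from the article) that parses a Java runtime version string and reports whether it falls below the listed cut-off for its family. It accepts the long form printed by `java -version` (`1.7.0_51`, `1.4.2_43`) and the `7u51` shorthand; both formats, the helper names and the sample inputs are assumptions for illustration, and a missing `_update` suffix is treated as update 0 (the GA build).

```javascript
// Added example, not from the article or Microsoft: classify a Java
// runtime version string against the out-of-date thresholds listed above.

// Lowest update level per family that is NOT blocked (from the list above).
const MIN_ALLOWED_UPDATE = {
  4: 43,   // J2SE 1.4
  5: 71,   // J2SE 5.0
  6: 81,   // Java SE 6
  7: 65,   // Java SE 7
  8: 11,   // Java SE 8
};

// Parse "1.<family>.<minor>_<update>" (e.g. "1.7.0_51", "1.4.2_43") or the
// shorthand "<family>u<update>" (e.g. "7u51"). Returns null if unparseable.
function parseJavaVersion(version) {
  const s = String(version).trim();
  let m = /^1\.(\d+)\.(\d+)(?:_(\d+))?$/.exec(s);
  if (m) {
    // No "_NN" suffix means the GA build, i.e. update 0.
    return { family: Number(m[1]), update: m[3] === undefined ? 0 : Number(m[3]) };
  }
  m = /^(\d+)u(\d+)$/.exec(s);
  if (m) {
    return { family: Number(m[1]), update: Number(m[2]) };
  }
  return null;
}

// true  -> below the threshold, would be blocked
// false -> at or above the threshold, allowed
// null  -> unparseable, or a family the block list does not mention
function isOutOfDate(version) {
  const v = parseJavaVersion(version);
  if (v === null) return null;
  const min = MIN_ALLOWED_UPDATE[v.family];
  if (min === undefined) return null;
  return v.update < min;
}

// Constructed sample inputs, as a site inventory script might collect them.
const SAMPLE_VERSIONS = ["1.7.0_51", "7u67", "1.8.0", "1.4.2_42", "1.3.1_20"];

function classifyAll(versions) {
  return versions.map((v) => ({ version: v, blocked: isOutOfDate(v) }));
}

for (const r of classifyAll(SAMPLE_VERSIONS)) {
  console.log(`${r.version}: ${r.blocked === null ? "not on list" : r.blocked ? "BLOCKED" : "allowed"}`);
}
```

Note that a `null` result is deliberately distinct from `false`: a family Microsoft's list does not mention (for example 1.3) is not known to be allowed, it is simply outside what the feature checks.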
The decision to cut the umbilical cord to the older ActiveX generations is likely an attempt to repair the browser’s reputation for poor security, a reputation owed in large part to ActiveX itself. The new feature, which Microsoft calls ‘out-of-date ActiveX control blocking’, also shifts some of that blame onto Java: “Java exploits represented 84.6% to 98.5% of exploit kit-related detections each month in 2013”, the IE blog notes, quoting the Microsoft Security Intelligence Report.
Although the company claims superior security to Chrome and Firefox, IE was recently reported to be the most exploited (and most patched) browser in the first half of 2014.
The security measures against older versions of ActiveX, a veritable minefield of web exploitation, follow similar measures by Chrome and Firefox to block out-of-date versions of the equivalent plugins. The feature only applies to IE8 through IE11 on Windows 7 SP1 and Windows 8, meaning that any poor souls still using Windows Vista will remain sitting ducks for ActiveX exploits.
“How about some notice before doing it!!!”
The IE team says it understands the difficulties this may cause some enterprises, but that security comes first:
We know that many organizations still rely on the capabilities of ActiveX controls, but out-of-date ActiveX controls are a risk today. By helping consumers stay up-to-date—and enabling IT to better manage ActiveX controls, including those that are compatible with Enhanced Protected Mode—Microsoft is helping customers stay safer online.
Many enterprises will struggle to meet the demands of this latest Internet Explorer patch. Microsoft released the documentation only five days in advance of the security update, leaving developer teams little time to update their ActiveX controls. “Most large enterprises are still trying to get apps remediated for Java signing introduced in Update 51 – and Update 65 was only released the other day with Update 67 a bug fix update the week after,” one user commented on the IE blog.
IE’s quirky individuality has already made it a nuisance to many a front-end developer, forced to plant if browser == IE doThis(); else doThat(); expressions throughout their code.
Any company left with no choice but to stick with old ActiveX for now can take consolation in the fact that this isn’t a hard barrier: users can still override the block at their own risk, if they choose to. Administrators can also disable the block outright through Group Policy, although Microsoft does not recommend it.
Meanwhile, other commentators believe IE’s ActiveX block isn’t going far enough: “Why not just block all ActiveX controls? They are an abomination that should have been left in the 90s.”