Pulling the plugins

Microsoft and Java: Internet Explorer’s next patch to block old Java ActiveX plugins

Coman Hamilton

Microsoft’s browser says it has had it with ActiveXploitation and will begin blocking old controls from Internet Explorer 8

Internet Explorer (IE) has announced a new crackdown on old Java
plugins, the Microsoft browser
announced via its blog. IE’s monthly Patch Tuesday updates will
soon begin blocking browser enemy no. 1: vulnerable old

The security ‘feature’ will begin sending security warnings to
users on sites that attempt to load out-of-date Java ActiveX

“Java(TM) was blocked because it is out of date and
needs to be updated.”

Websites attempting to run the following versions of
Java ActiveX will be met with a browser warning message:

  • J2SE 1.4, everything below (but not including) update 43
  • J2SE 5.0, everything below (but not including) update 71
  • Java SE 6, everything below (but not including) update 81
  • Java SE 7, everything below (but not including) update 65
  • Java SE 8, everything below (but not including) update 11
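
As an added example (not from the article or from Microsoft), the thresholds above can be applied to a software inventory to see which installed Java versions would trigger the warning. It assumes legacy 1.N.x_UU version strings; the host names and versions in the sample inventory are constructed.

```python
import re

# Minimum update level per Java family that is NOT blocked, taken from the
# list above. Keys are the "1.N" family numbers used in legacy version strings
# (assumption: J2SE 1.4 -> 1.4, J2SE 5.0 -> 1.5, Java SE 6/7/8 -> 1.6/1.7/1.8).
MIN_ALLOWED_UPDATE = {4: 43, 5: 71, 6: 81, 7: 65, 8: 11}

# Legacy version string, e.g. "1.7.0_55" or "1.8.0" (no suffix means update 0).
# An optional build suffix such as "-b13" is tolerated and ignored.
VERSION_RE = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?(?:-[A-Za-z0-9]+)?$")


def classify(version):
    """Return 'blocked', 'allowed' or 'unknown' for one Java version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"          # unparseable: review by hand, do not guess
    family, update = int(m.group(1)), int(m.group(2) or 0)
    threshold = MIN_ALLOWED_UPDATE.get(family)
    if threshold is None:
        return "unknown"          # family not covered by the list above
    return "blocked" if update < threshold else "allowed"


def audit(inventory):
    """Map each host to the classification of its installed Java versions."""
    return {host: {v: classify(v) for v in versions}
            for host, versions in inventory.items()}


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "ws-001": ["1.7.0_55", "1.6.0_45"],
    "ws-002": ["1.8.0_11"],
    "ws-003": ["1.7.0_65", "1.8.0_05"],
    "ws-004": ["1.5.0_22", "9.0.1"],
}

if __name__ == "__main__":
    for host, results in audit(SAMPLE_INVENTORY).items():
        for version, status in results.items():
            print(f"{host}\t{version}\t{status}")
```

Versions reported as unknown are left for manual review rather than being guessed at.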

The browser’s decision to cut the umbilical cord to
the more mature ActiveX generations is likely an attempt to make up
for its reputation for poor security due to its ActiveX
protocol. The new security feature, which IE calls ‘out-of-date
ActiveX control blocking’, also shifts some of the blame for
that reputation. “Java
exploits represented 84.6% to 98.5% of exploit kit-related
detections each month in 2013”, the browser’s website claims,
quoting the Microsoft
Security Intelligence Report.

Although the company claims to have superior security
to Chrome and Firefox, IE recently won the award for the
most exploited (and most patched) browser
in the first half of

The security measures against older versions of
ActiveX, a veritable minefield of web exploitation, follow similar
measures by Chrome and Firefox to block vulnerabilities in
equivalent plugins. The security feature only applies to IE8 users
running Windows 7 SP1 or Windows 8, meaning that any poor souls
still using Windows Vista will remain sitting ducks to ActiveX

“How about some notice before doing it!!!”

Microsoft’s IE spokespersons said that they understand the difficulties this
may cause some enterprises, but that security comes first:

We know that many organizations still rely on the
capabilities of ActiveX controls, but out-of-date ActiveX controls
are a risk today. By helping consumers stay up-to-date—and enabling
IT to better manage ActiveX controls, including those that are
compatible with Enhanced Protected Mode—Microsoft is helping
customers stay safer online.

Many enterprises will struggle to meet the demands of
this latest Internet Explorer patch. Internet Explorer has released
the documentation only five days in advance of the security update,
leaving developer teams little time to update their ActiveX
controls. “Most large enterprises are still trying to get apps
remediated for Java signing introduced in Update 51 – and Update 65
was only released the other day with Update 67 a bug fix update the
week after,” one user commented on the browser’s blog.

IE’s quirky individuality has already made itself an

 to many front-end developers who are forced to
plant if browser == IE doThis(); else
 expressions throughout their code.

Any company left with no choice but to stick with old
ActiveX for now can find consolation in the fact that this isn’t a
hard barrier, meaning that users can still override the block at
their own risk, if they choose to. Furthermore, developers can also
disable the block, although IE does not recommend it.

Meanwhile, other
believe IE’s ActiveX block isn’t going far enough:
“Why not just block all ActiveX controls? They are an abomination
that should have been left in the 90s.”

Coman Hamilton
Before becoming Editor of JAXenter.com (S&S Media Group), Coman completed an M.A. in Cultural Studies and wrote for numerous websites and magazines, as well as several ad agencies. // Want to submit a story? Get me at coman[AT]jaxenter.com or linkedin.com/in/comanhamilton