An upcoming update for Internet Explorer will add a new security feature that blocks out-of-date ActiveX controls. Microsoft describes the move as being specifically about ActiveX, and the feature will be driven by an actively maintained blocklist. At this early stage the list contains just one offender, Oracle’s Java ActiveX control, but Microsoft says more will be added as further out-of-date controls with known vulnerabilities are identified.
That Java should make the blocklist first and immediately is hardly a surprise: older versions of the plugin have been a common attack vector for some time. Microsoft’s own research estimates that between 84.6% and 98.5% of the web-based exploits it detected during 2013 took advantage of Java vulnerabilities. So blocking out-of-date Java plugins alone has the potential to dramatically improve security for end users, even before anything else is added to the list.
The block will not be an immutable barrier, though: Internet Explorer will let the user override it on a one-off basis. It also will not apply in the Local Intranet Zone or the Trusted Sites Zone, which lets business customers preserve compatibility by continuing to run obsolete controls where no viable alternative exists. The flip side is that every site in those two zones is exempt from the protection, so the Trusted Sites list deserves an audit before anyone relies on the feature.
According to a recent blog post from Fred Pullen, IE’s product manager, and Jasika Bawa, security program manager, the out-of-date ActiveX blocking feature will allow users to:
- Know when Internet Explorer prevents a Web page from loading common, but outdated, ActiveX controls.
- Interact with other parts of the Web page that aren’t affected by the outdated control.
- Update the outdated control, so that it’s up-to-date and safer to use.
- Inventory the ActiveX controls your organization is using.
However, those running older systems will not be able to take advantage of the new feature, with support restricted to the following configurations:
- On Windows 7 SP1, Internet Explorer 8 through Internet Explorer 11
- On Windows 8 and up, Internet Explorer for the desktop
This feature does not warn about or block ActiveX controls in the Local Intranet Zone or Trusted Sites Zone.
- Read the IEBlog announcement in full here: Internet Explorer begins blocking out-of-date ActiveX controls
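Because the block is skipped for the Local Intranet and Trusted Sites zones, the practical first step is to find out which hosts actually sit in those zones. The following PowerShell script is an added example, not code from the IEBlog post or from Microsoft: it walks the standard ZoneMap\Domains registry locations (per-user HKCU and machine-wide HKLM) and reports every host or domain assigned to zone 1 (Local Intranet) or zone 2 (Trusted Sites). The function name and output columns are my own choices; the registry layout and zone ids are Internet Explorer’s documented ones.

```powershell
# Added example, not part of the IEBlog announcement or this article's original text.
# Lists the hosts the current user (HKCU) or the machine (HKLM) has mapped to the
# Local Intranet (zone 1) or Trusted Sites (zone 2) zones, where the out-of-date
# ActiveX block is NOT applied. Requires PowerShell 3.0 or later.

$zoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

# Standard ZoneMap locations. HKLM is the one that counts when the
# "Security Zones: Use only machine settings" policy is enabled.
$zoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-IEZoneMapping {
    param([string[]]$Roots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }

        # Layout: Domains\<domain>[\<hostlabel>] with one value per scheme
        # ("http", "https" or "*"); the DWORD data is the zone id.
        Get-ChildItem -Path $root -Recurse | ForEach-Object {
            $key      = $_
            $relative = $key.Name.Substring($key.Name.IndexOf('Domains\') + 'Domains\'.Length)
            $parts    = $relative -split '\\'
            # A value on a host-label subkey applies to that host (label.domain);
            # a value directly on the domain key applies to the domain as a whole.
            $target = if ($parts.Count -ge 2) { '{0}.{1}' -f $parts[1], $parts[0] } else { $parts[0] }

            foreach ($scheme in $key.GetValueNames()) {
                $zoneId = [int]$key.GetValue($scheme)
                [pscustomobject]@{
                    Hive   = $root.Substring(0, 4)   # "HKCU" or "HKLM"
                    Target = $target
                    Scheme = $scheme
                    ZoneId = $zoneId
                    Zone   = $zoneNames[$zoneId]
                }
            }
        }
    }
}

# Report only the two zones the ActiveX block skips. IP address ranges
# (stored under ZoneMap\Ranges rather than ZoneMap\Domains) are not covered here.
Get-IEZoneMapping -Roots $zoneMapRoots |
    Where-Object { @(1, 2) -contains $_.ZoneId } |
    Sort-Object Zone, Target |
    Format-Table -AutoSize
```

Anything this prints is a site on which an outdated control, Java included, will still load without a prompt. On domain-joined machines, sites pushed through the "Site to Zone Assignment List" Group Policy are stored under the Policies branch of the registry rather than the two paths above, so add that location to $zoneMapRoots if your estate manages zones centrally.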
Is Internet Explorer the Most Insecure Browser?
That Internet Explorer is the most insecure browser is a common perception, but is it perhaps a popular misconception? In my opinion, it’s largely a hangover from the old IE6 days and, as far as security is concerned, current IE versions compare favorably with competitor browsers.
The Pwn2Own competition held back in March this year appears to bear this out: while Internet Explorer was certainly compromised, Firefox fared worse, and Chrome and Safari were also far from immune.
So, while Internet Explorer is certainly not perfect, neither are its main competitors, and IE’s security is nowhere near as inferior to theirs as some would have you believe.
End-of-Support for Older Internet Explorer Versions
In line with Microsoft’s efforts to bring all users up to date with the latest Internet Explorer versions, a recent IEBlog post announced end-of-support dates for older configurations. From January 12th 2016, support is restricted as follows:
After January 12, 2016, only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates. For example, customers using Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 on Windows 7 SP1 should migrate to Internet Explorer 11 to continue receiving security updates and technical support.
- Read the IEBlog announcement in full here: Stay up-to-date with Internet Explorer
How Much Would You Pay to Extend Your XP Support?
Last but not least, this remarkable piece of information comes courtesy of The Guardian: apparently the UK and Dutch governments have paid Microsoft millions to extend support for Windows XP past the April 8th cutoff date. The UK extension cost a cool £5.5m (that’s pounds, folks, not dollars) for just one year, after which public-sector users will have to be moved to newer software.
Oh well, it’s only taxpayers’ money, plenty more where that came from.