Microsoft Upgrades Internet Explorer Security

An upcoming update for Internet Explorer will add a new security feature that blocks out-of-date ActiveX controls. In a move described by Microsoft as being specifically about ActiveX, the new feature will be managed by means of an active blocklist. At this early stage the list contains just one offender – Oracle’s Java ActiveX control – but Microsoft says more will be added as other vulnerabilities are released or discovered.

That Java should make the blocklist initially and immediately is hardly a surprise; older versions of the plugin have presented a common attack vector for some time. Even Microsoft’s own research estimates that between 84.6% and 98.5% of all web-based exploits during 2013 took advantage of Java vulnerabilities. So, it makes sense that even blocking out-of-date Java plugins has the potential to dramatically improve security for end-users.

The block will not present an immutable barrier, though; Internet Explorer will provide the user with the ability to override it on a one-off basis. Additionally, it will not apply to the Local Intranet Zone and Trusted Sites Zone, which will allow business customers to maintain compatibility by continuing to use obsolete plugins where no viable alternative exists.

According to a recent blog post from Fred Pullen, IE’s product manager, and Jasika Bawa, security program manager, the out-of-date ActiveX blocking feature will allow users to:

  • Know when Internet Explorer prevents a Web page from loading common, but outdated, ActiveX controls.
  • Interact with other parts of the Web page that aren’t affected by the outdated control.
  • Update the outdated control, so that it’s up-to-date and safer to use.
  • Inventory the ActiveX controls your organization is using.

However, those running older systems will not be able to take advantage of the new feature, with support restricted to the following configurations:

  • On Windows 7 SP1, Internet Explorer 8 through Internet Explorer 11
  • On Windows 8 and up, Internet Explorer for the desktop

This feature does not warn about or block ActiveX controls in the Local Intranet Zone or Trusted Sites Zone.

Is Internet Explorer the most Insecure Browser?

That Internet Explorer is the most insecure browser is a common perception, but is it perhaps a popular misconception? In my opinion, it’s largely a hangover from the old IE6 days and, as far as security is concerned, current IE versions compare favorably with competitor browsers.

A recent “PWN2OWN” competition, run back in March this year, appears to confirm this notion, showing that, while Internet Explorer was certainly susceptible to attack, Firefox fared worse and Chrome and Safari were also far from immune.

So, while Internet Explorer is certainly not perfect, neither are its main competitors, and IE’s security is nowhere near as comparatively inferior as some might have you believe.

End-of-Support for Older Internet Explorer Versions

In line with Microsoft’s efforts to bring all users up-to-date with the latest Internet Explorer versions, a recent IEBlog post announced end-of-support dates for older configurations. As of January 12th 2016, only the following operating systems and browser version combinations will continue to be supported:

Credit: Microsoft

After January 12, 2016, only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates. For example, customers using Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 on Windows 7 SP1 should migrate to Internet Explorer 11 to continue receiving security updates and technical support.

How Much Would You Pay to Extend Your XP Support?

Last but not least, this amazing piece of information courtesy of The Guardian – apparently, the UK and Dutch governments have paid Microsoft multiple millions to extend support for Windows XP past the April 8th cutoff date. The UK extension cost a cool £5.5m (that’s pounds folks, not dollars) for just one year, after which public-sector users will have to be moved to newer software.

Oh well, it’s only taxpayers’ money, plenty more where that came from.


 

7 thoughts on “Microsoft Upgrades Internet Explorer Security”

  1. Hi Jim. It takes a little user input to keep PCs updated. I am amazed at the lack of updates on the PCs that come my way, especially Java. I run Java but is it really needed? Daniel.

    1. Hi Daniel – Whether Java is needed or not depends entirely on the individual and whatever software and sites he/she tends to use. All I know is; I’ve been Javaless for a long time now, must be 4 or 5 years, and never needed or missed it.

      One less colander in the system is a good thing, right?

  2. Hi Jim
    Can you explain what Java does for a web page and why it becomes so vulnerable. I always thought I needed Java.

    1. Daniel – I believe you may be making the common mistake of confusing “Java” with “JavaScript”, they are unrelated and two quite different animals.

      It’s JavaScript which runs inside the browser to manipulate and enhance the contents of web pages… not Java.

      JavaScript is generally built in to the browser – Java is a programming language completely separate from the browser.

      Java also provides a plugin system which allows slimmed down Java programs known as “applets” to run inside the browser, but they are not integrated with the browser like JavaScript and run as a standalone program embedded within the web page. Java applets have nothing to do with the look, feel and function of web pages… that’s down to JavaScript.

      These days, Java applets are used rarely, if at all, on most popular websites.

      HTH,
      Cheers… Jim

  3. Hi Jim
    OK, then do the Java applets run through the JavaScripts or through the Java program installed on a PC? Or do Java applets come through as an active X installer? Can Java applets run without user permission and can the uninstall of Java eliminate this security hole? I always thought Java and JavaScripts were related. Pardon my ignorance. Daniel.

    1. do the Java applets run through the JavaScripts or through the Java program installed on a PC?

      They run through the Java program installed on the PC.

      do Java applets come through as an active X installer?

      No, the applets have nothing to do with the browser and are not on the PC anywhere, they are embedded in the web page.

      Can Java applets run without user permission and can the uninstall of Java eliminate this security hole?

      The user would generally need to click on something, such as a Play button, in order for an applet to run. The applet is then executed within Java in a process separate from the browser itself.

      What makes Java a security risk is its abnormally high number of vulnerabilities. Of course, exploiting those vulnerabilities isn’t necessarily that easy but if one does not need Java why take the risk.

      1. Thanks Jim for the info, from what I read the weak link is the Java browser plugin. I have disabled mine in Internet Explorer 11, will probably uninstall Java and see if I can live without it. Don’t know if some of my software needs Java; about the only websites I regularly use are Facebook and YouTube. Daniel.
