That Java should make the blocklist initially and immediately is hardly a surprise; older versions of the plugin have presented a common attack vector for some time. Even Microsoft’s own research estimates that between 84.6% and 98.5% of all web-based exploits during 2013 took advantage of Java vulnerabilities. So it makes sense that even blocking out-of-date Java plugins has the potential to dramatically improve security for end-users.
The block will not present an immutable barrier, though: Internet Explorer will provide the user with the ability to override it on a one-off basis. Additionally, it will not apply to the Local Intranet Zone and Trusted Sites Zone, which will allow business customers to maintain compatibility by continuing to use obsolete plugins where no viable alternative exists.
According to a recent blog post from Fred Pullen, IE’s product manager, and Jasika Bawa, security program manager, the out-of-date ActiveX blocking feature will allow users to:
- Know when Internet Explorer prevents a Web page from loading common, but outdated, ActiveX controls.
- Interact with other parts of the Web page that aren’t affected by the outdated control.
- Update the outdated control, so that it’s up-to-date and safer to use.
- Inventory the ActiveX controls your organization is using.
However, those running older systems will not be able to take advantage of the new feature, with support restricted to the following configurations:
- On Windows 7 SP1, Internet Explorer 8 through Internet Explorer 11
- On Windows 8 and up, Internet Explorer for the desktop
This feature does not warn about or block ActiveX controls in the Local Intranet Zone or Trusted Sites Zone.
- Read the IEBlog announcement in full here: Internet Explorer begins blocking out-of-date ActiveX controls
Is Internet Explorer the most Insecure Browser?
A recent “Pwn2Own” competition, run back in March this year, appears to confirm this notion, showing that, while Internet Explorer was certainly susceptible to attack, Firefox fared worse and Chrome and Safari were also far from immune.
So, while Internet Explorer is certainly not perfect, neither are its main competitors, and IE’s security is nowhere near as comparatively inferior as some might have you believe.
End-of-Support for Older Internet Explorer Versions
In line with Microsoft’s efforts to bring all users up-to-date with the latest Internet Explorer versions, a recent IEBlog post announced end-of-support dates for older configurations. As of January 12th 2016, only the following operating systems and browser version combinations will continue to be supported:
After January 12, 2016, only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates. For example, customers using Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 on Windows 7 SP1 should migrate to Internet Explorer 11 to continue receiving security updates and technical support.
- Read the IEBlog announcement in full here: Stay up-to-date with Internet Explorer
How Much Would You Pay to Extend Your XP Support?
Oh well, it’s only taxpayers’ money, plenty more where that came from.
Hi Jim. It takes a little user input to keep PCs updated. I am amazed at the lack of updates on the PCs that come my way, especially Java. I run Java but is it really needed? Daniel.
Hi Daniel – Whether Java is needed or not depends entirely on the individual and whatever software and sites he/she tends to use. All I know is: I’ve been Javaless for a long time now, must be 4 or 5 years, and never needed or missed it.
One less colander in the system is a good thing, right?
Hi Jim
Can you explain what Java does for a web page and why it becomes so vulnerable. I always thought I needed Java.
Daniel – I believe you may be making the common mistake of confusing “Java” with “JavaScript”; they are unrelated and two quite different animals.
It’s JavaScript which runs inside the browser to manipulate and enhance the contents of web pages… not Java.
JavaScript is generally built into the browser – Java is a programming language completely separate from the browser.
Java also provides a plugin system which allows slimmed down Java programs known as “applets” to run inside the browser, but they are not integrated with the browser like JavaScript and run as a standalone program embedded within the web page. Java applets have nothing to do with the look, feel and function of web pages… that’s down to JavaScript.
These days, Java applets are used rarely, if at all, on most popular websites.
HTH,
Cheers… Jim
Hi Jim
OK, then do the Java applets run through the JavaScripts or through the Java program installed on a PC? Or do Java applets come through as an ActiveX installer? Can Java applets run without user permission and can the uninstall of Java eliminate this security hole? I always thought Java and JavaScripts were related. Pardon my ignorance. Daniel.
They run through the Java program installed on the PC.
No, the applets have nothing to do with the browser and are not on the PC anywhere; they are embedded in the web page.
The user would generally need to click on something, such as a Play button, in order for an applet to run. The applet is then executed within Java in a process separate from the browser itself.
What makes Java a security risk is its abnormally high number of vulnerabilities. Of course, exploiting those vulnerabilities isn’t necessarily that easy, but if one does not need Java, why take the risk?
Thanks Jim for the info; from what I read, the weak link is the Java browser plugin. I have disabled mine in Internet Explorer 11, will probably uninstall Java and see if I can live without it. Don’t know if some of my software needs Java; about the only websites I regularly use are Facebook and YouTube. Daniel.