Debra Littlejohn Shinder on August 11, 2014
Last month, International Business Times reported that a study from Bromium Labs found that Microsoft’s Internet Explorer was the web browser most often targeted by attackers during the first half of this year – which really comes as no surprise.
After all, versions 8-11 of Internet Explorer, taken together, make up 53.66 percent of the web browser market, according to the July statistics from NetMarketShare.com. That doesn’t even count the 3.52% of people who are still using IE 6.0 despite the fact that even Microsoft itself has told users to stop using it.
More troubling is the finding that more than twice as many vulnerabilities were discovered in IE over the period as in Chrome or Firefox. That makes sense when you think about it: the browser with the largest market share draws the most attacker attention, and the more people hunt for vulnerabilities in it, the more get found. Either way, it's not good news for Microsoft.
The company is well aware of this and has incorporated many new security mechanisms into each subsequent release of the browser. It also regularly releases security updates to patch the vulnerabilities that come to light. This month’s Patch Tuesday is expected to bring us more than just patches; Microsoft is actually adding a new security feature to Internet Explorer. It’s called Out-of-date ActiveX Control Blocking.
ActiveX was developed by Microsoft back in the 1990s to display animations and other enhanced content by installing small programs (controls) into the browser. Some web sites require certain controls to display their content properly, and many of those controls are written by third parties. The problem is that a control is native code that runs with the browser's own privileges, so attackers can create malicious controls or exploit vulnerabilities in legitimate controls that are already installed.
Even legitimate ActiveX controls have security flaws like any other software, so they need to be updated regularly; in practice, many installed controls are outdated. That's where the new feature, Out-of-date ActiveX Control Blocking, comes in. When a page tries to load an ActiveX control in IE 8 through 11 on Windows 7 SP1 and later, IE checks the control's version against a list of known out-of-date versions that Microsoft maintains. If the control is on that list, IE blocks it, notifies you that it is outdated and offers to update it. Meanwhile you can still use the parts of the web page that don't depend on the blocked control.
For consumers, the new feature doesn’t take away your ability to override and run the control as is if you want to. When you get the notice that the control was blocked, you’ll have two options: you can update the control at this time, or you can run it this one time. If you select update (which you should generally do unless you have some good reason not to), you’ll be taken to the control’s web site where you can download the latest version. In a business environment, IT pros will be able to configure the feature to always block outdated controls and not allow users to run them.
The feature is controlled through four new Group Policy settings:
- Turn on ActiveX control logging in Internet Explorer
- Remove “Run this time” button for outdated ActiveX controls in Internet Explorer
- Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains
- Turn off blocking of outdated ActiveX controls for Internet Explorer (turns the feature off completely).
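The settings above suggest a rollout order: turn on logging first, find out which outdated controls your users actually depend on and where, grant per-domain exceptions only for internal line-of-business sites while those controls are updated, and then remove the "Run this time" button so the block is enforced everywhere else. The script below is an added example of that triage step; it is not code from the original post or from Microsoft. The log column layout (timestamp, user, control, version, url, action), the sample rows and the domain names are all constructed for the example and are not the format Internet Explorer's audit logging actually writes.

```python
"""Triage constructed out-of-date ActiveX audit records before enforcing blocking."""
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log. The column layout is an ASSUMPTION made for this
# example; it is not the format Internet Explorer's audit logging writes.
SAMPLE_LOG = """\
timestamp,user,control,version,url,action
2014-08-12T09:14:02,alice,Java SE Runtime Environment,1.7.0_45,https://timesheets.corp.example/login,run_this_time
2014-08-12T09:20:11,bob,Java SE Runtime Environment,1.6.0_33,http://www.example.net/games/applet,blocked
2014-08-12T10:02:45,alice,Java SE Runtime Environment,1.7.0_45,https://timesheets.corp.example/report,run_this_time
2014-08-12T11:30:09,carol,Java SE Runtime Environment,1.7.0_65,https://timesheets.corp.example/login,run_this_time
2014-08-13T08:05:30,dave,Java SE Runtime Environment,1.6.0_33,http://www.example.net/games/applet,blocked
"""


def parse_log(text):
    """Parse the CSV text into a list of row dicts, skipping incomplete rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if not row.get("url") or not row.get("action") or not row.get("user"):
            continue
        rows.append(row)
    return rows


def domain_of(url):
    """Host part of a URL, lower-cased; the domain exception policy keys on this."""
    return (urlsplit(url).hostname or "").lower()


def summarize(rows):
    """Per domain: how often a control was blocked or overridden, which
    (control, version) pairs were seen there, and which users hit it."""
    summary = defaultdict(lambda: {"blocked": 0, "run_this_time": 0,
                                   "versions": set(), "users": set()})
    for row in rows:
        entry = summary[domain_of(row["url"])]
        action = row["action"]
        if action in ("blocked", "run_this_time"):
            entry[action] += 1
        entry["versions"].add((row["control"], row["version"]))
        entry["users"].add(row["user"])
    return dict(summary)


def outdated_inventory(rows):
    """(control, version) -> set of users still loading it; this is the
    update work list, independent of which site triggered the block."""
    inventory = defaultdict(set)
    for row in rows:
        inventory[(row["control"], row["version"])].add(row["user"])
    return dict(inventory)


def recommend_allow_list(rows, internal_suffixes, min_users=2):
    """Domains worth a temporary per-domain exception: internal sites (by
    suffix) where at least min_users distinct users clicked "Run this time".
    External domains are never recommended; blocking there is the point."""
    overriders = defaultdict(set)
    for row in rows:
        if row["action"] == "run_this_time":
            overriders[domain_of(row["url"])].add(row["user"])
    recommended = []
    for domain in sorted(overriders):
        internal = any(domain.endswith(suffix) for suffix in internal_suffixes)
        if internal and len(overriders[domain]) >= min_users:
            recommended.append(domain)
    return recommended


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for domain, entry in sorted(summarize(records).items()):
        print(domain, "blocked=%d overridden=%d users=%s" % (
            entry["blocked"], entry["run_this_time"], sorted(entry["users"])))
    print("exception candidates:", recommend_allow_list(records, (".corp.example",)))
    for (control, version), users in sorted(outdated_inventory(records).items()):
        print("update needed:", control, version, "->", sorted(users))
```

A domain exception keeps an outdated, exploitable control loadable on that site, so treat the recommended list as a stopgap with an expiry tied to the update work list, not as a permanent allow list; once the exceptions are in place, apply the "Remove Run this time" setting so users cannot override the block on any other site.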
Because exploits of outdated controls represent a large share of the exploits that are detected in the wild, this feature should be an important step toward a more secure Internet Explorer. Keep in mind what it does not do: it only catches versions on Microsoft's out-of-date list, it does not remove or update the control for you, and it offers no protection against a vulnerability in the current version of a control. You can read more about the feature on the IE blog on the MSDN web site.
Update: “The feature and related Group Policies will still be available on August 12, but no out-of-date ActiveX controls will be blocked until Tuesday, September 9.”