Next week’s Microsoft Patch Tuesday security bulletins will not only bring nine new security bulletins but also an update to Internet Explorer that blocks outdated ActiveX controls, starting with Java.
Notifications will flag the older ActiveX controls and users will have the option to update the control immediately or run it for a particular instance. IT administrators will also have the option to configure the update to block older controls outright, and not just warn the user.
“Because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released,” Microsoft said this week in its announcement. “It’s very important that you keep your ActiveX controls up-to-date because malicious or compromised Web pages can target security flaws in outdated controls to collect information, install dangerous software, or by let someone else control your computer remotely.”
The update, called out-of-date ActiveX control blocking, fires off a flag when the browser stops a website from loading an older control, while still allowing a user to interact with the rest of the page that is unaffected by the control. In addition to being able to update the control, IT shops can get an inventory of resident ActiveX controls via a new logging setting in Group Policy, Microsoft said.
The setting lists ActiveX controls that are permissible or will be blocked.
“Creating an inventory of ActiveX controls can also show which ActiveX controls are compatible with Enhanced Protected Mode, an Internet Explorer 11 security feature which provides additional protection against browser exploits—but not all ActiveX controls are compatible with EPM, so this feature can help assess your organization’s readiness for blocking out-of-date ActiveX controls and enabling EPM,” Microsoft said.
In all, there are four new Group Policy settings related to the new update, including an enforced blocking setting that denies users the ability to use the “Run This Time” option in the notification. Admins can also create a list top level domains, host names or files where IE will not block outdated controls. Admins can also disable the feature altogether. The feature will also be off by default in the Local Intranet Zone and Trusted Sites Zone allowing intranet sites and homegrown apps to run unimpeded inside the firewall.
Microsoft said next Tuesday’s update will start with blocking older versions of Java, including Java SE 8 prior to update 11, Java SE 7 prior to update 65 and Java 6 prior to update 81. The update will be supported only on IE 8-11 on Windows 7 SP1, IE versions supported on Windows 8 and higher, and all Security Zones in the browser.
“We know that many organizations still rely on the capabilities of ActiveX controls, but out-of-date ActiveX controls are a risk today,” Microsoft said. “By helping consumers stay up-to-date—and enabling IT to better manage ActiveX controls, including those that are compatible with Enhanced Protected Mode—Microsoft is helping customers stay safer online.”
As for the regularly scheduled Patch Tuesday security bulletins, two of the nine are rated critical, but three bulletins address remote code execution vulnerabilities. The two critical RCE bugs are in IE and Windows Media Center TV Pack for Vista respectively, while the third, rated important likely because it requires user interaction, is in Office, specifically OneNote 2007, SP 3.
Four other important bulletins address elevation of privilege bugs in Microsoft SQL Server, Windows Server, and Microsoft SharePoint Server 2013.
Finally, two security bypass features are also being patched in the .NET framework and Windows Server.