IE plays security catch-up, will block outdated Java plug-ins

Gregg Keizer

Microsoft today said that Internet Explorer (IE) will begin blocking out-of-date ActiveX controls -- the browser's proprietary plug-in format -- when the company updates the versions that run on Windows 7 and Windows 8 next week.

In a blog post, a pair of Microsoft managers said that IE8, IE9, IE10 and IE11 on Windows 7, as well as IE10 and IE11 on Windows 8's classic desktop, will be refreshed next Tuesday. The updated browser will then display a notification when a website tries to load an outmoded ActiveX control.

Initially, IE will only block outdated versions of Java.

"It's very important that you keep your ActiveX controls up-to-date because malicious or compromised Web pages can target security flaws in outdated controls to collect information, install dangerous software, or let someone else control your computer remotely," Fred Pullen, a senior product manager for IE, and Jasika Bawa, a program manager from Microsoft's security team, said in the Wednesday blog.

When IE encounters an obsolete Java ActiveX control, the warning will let users choose between ignoring the alert, thus running the control, or updating the Java plug-in. Clicking on the "Update" button will direct the browser to the control vendor's website to download the newest version.

IT administrators will have several new Group Policy settings to manage IE on workers' PCs, including one that turns off the warning altogether and another that deletes the "Run this time" button and so prevents employees from overriding the notification.

After Tuesday, IE will block all but the current versions of Java. For Java 8, that means a warning will appear if the browser's running any version except for Java SE 8 Update 11, which Oracle released in mid-July.

Although Microsoft is starting with Java -- which has long been targeted by cyber criminals because of a glut of vulnerabilities, but also because users typically run outdated versions -- it promised to expand the blocking program.

"We are initially flagging older versions of Java, but over time will add other outdated ActiveX controls to the list," said Pullen and Bawa. They did not elaborate on what other plug-ins would be blocked, however, or hint at any timetable.

Microsoft is behind its browser-making rivals on locking out, or at least warning users of, outdated plug-ins. Apple's Safari, Google's Chrome and Mozilla's Firefox have all implemented some form of blocking of old and potentially less secure plug-ins.

(Microsoft calls its plug-ins "ActiveX controls," named after the company's own ActiveX technology, but they serve the same purpose as the plug-ins that work with other browsers.)

Some browsers have also taken the next step and banned plug-ins either entirely or very aggressively. Firefox 26, for example, which launched last December, put Java behind a "click-to-play" wall, requiring users to explicitly approve any execution of the plug-in, even if it is current.
