Microsoft announced last week that this month’s Update Tuesday cycle would bring a patch for Internet Explorer that would block old ActiveX controls in the browser, including outdated builds of Java.The company has however changed its mind and today has announced that Internet Explorer will actually be updated to start blocking old ActiveX control next month, as the company wants to give users 30 more days before implementing this series of changes.
While no reason has been provided for this delay, it’s safe to say that Microsoft is still working on the file that includes the ActiveX controls supposed to be blocked after the update.
As we’ve already told you, Internet Explorer will determine whether an ActiveX control should be blocked or not with the help of a versionlist.xml file hosted on Microsoft servers and which will be updated regularly in order to stop from loading as many outdated items as possible.
“Based on customer feedback, we have decided to wait thirty days before blocking any out-of-date ActiveX controls. Customers can use the new logging feature to assess ActiveX controls in their environment and deploy Group Policies to enforce blocking, turn off blocking ActiveX controls for specific domains, or turn off the feature entirely depending on their needs,” Microsoft explains in today’s announcement.
“The feature and related Group Policies will still be available on August 12, but no out-of-date ActiveX controls will be blocked until Tuesday, September 9th. Microsoft will continue to create a more secure browser, and we encourage all customers to upgrade and stay up-to-date with the latest Internet Explorer and updates.”
Microsoft has also confirmed that in organizations where old Java applications are being used, IT admins can disable the feature even if the Internet Explorer update is applied.
“There are several ways to disable this feature. Microsoft provides updated IE group policy administrative templates which include 4 new group policies to control this feature. Two of these group policies can be used to disable this feature on a per domain basis or entirely,” the company notes.
The patch supposed to help Internet Explorer block outdated ActiveX controls will be rolled out for Windows users next Update Tuesday, which takes place on September 9. As usual, it’s going to be shipped to everyone via Windows Update, so no user interaction would be required, unless IT admins want to manually deploy the patch.
Here are the java versions to be blocked starting next month:
• J2SE 1.4, everything below (but not including) update 43
• J2SE 5.0, everything below (but not including) update 71
• Java SE 6, everything below (but not including) update 81
• Java SE 7, everything below (but not including) update 65
• Java SE 8, everything below (but not including) update 11