
Out-of-date ActiveX control blocking

ActiveX controls are small apps that let websites provide content, like videos and games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a new security feature, called out-of-date ActiveX control blocking.

Out-of-date ActiveX control blocking lets you:

  • Know when Internet Explorer prevents a webpage from loading common, but outdated ActiveX controls.

  • Interact with other parts of the webpage that aren’t affected by the outdated control.

  • Update the outdated control, so that it’s up-to-date and safer to use.

The out-of-date ActiveX control blocking feature works with:

  • Internet Explorer 8 through Internet Explorer 11 on Windows 7 SP1 and up

  • Internet Explorer 8 through Internet Explorer 11 on Windows Server 2008 R2 SP1 and up

  • All Security Zones except the Local Intranet Zone and the Trusted Sites Zone

For more information about this new feature, see the Internet Explorer begins blocking out-of-date ActiveX controls blog.

What does the out-of-date ActiveX control blocking notification look like?

When Internet Explorer blocks an outdated ActiveX control, you’ll see a notification bar similar to this, depending on your version of Internet Explorer:

Internet Explorer 9 through Internet Explorer 11: [Image: Warning about outdated ActiveX controls (IE9+)]

Internet Explorer 8: [Image: Warning about outdated ActiveX controls (IE8)]

Out-of-date ActiveX control blocking also gives you a security warning that tells you if a webpage tries to launch specific outdated apps, outside of Internet Explorer:

[Image: Warning about outdated ActiveX controls outside IE]

How do I fix an outdated ActiveX control or app?

From the notification about the outdated ActiveX control, you can go to the control’s website to download its latest version.

To get the updated ActiveX control

  1. From the notification bar, tap or click Update.

    Internet Explorer opens the ActiveX control’s website.

  2. Download the latest version of the control.

Security Note
If you don’t fully trust a site, you shouldn’t allow it to load an outdated ActiveX control. However, although we don’t recommend it, you can view the missing webpage content by tapping or clicking Run this time. This option runs the ActiveX control without updating or fixing the problem. The next time you visit a webpage running the same outdated ActiveX control, you’ll get the notification again.

To get the updated app

  1. From the security warning, tap or click Update link.

    Internet Explorer opens the app’s website.

  2. Download the latest version of the app.

Security Note
If you don’t fully trust a site, you shouldn’t allow it to launch an outdated app. However, although we don’t recommend it, you can let the webpage launch the app by tapping or clicking Allow. This option opens the app without updating or fixing the problem. The next time you visit a webpage running the same outdated app, you’ll get the notification again.

How does Internet Explorer decide which ActiveX controls to block?

Internet Explorer uses Microsoft’s versionlist.xml file to determine whether an ActiveX control should be stopped from loading. This file is updated with newly-discovered out-of-date ActiveX controls, which Internet Explorer automatically downloads to your local copy of the file.

You can see your copy of the versionlist.xml file at %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml, or you can view Microsoft’s version at Internet Explorer version list.

Security Note
Although we strongly recommend against it, if you don’t want your computer to automatically download the updated version list from Microsoft, run the following command from a command prompt:

reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /f

Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. Use this configuration option at your own risk.

Out-of-date ActiveX control blocking on managed devices

Out-of-date ActiveX control blocking includes 4 new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the Administrative Templates for Internet Explorer page.

Group Policy settings

Here’s a list of the new Group Policy info, including the settings, location, requirements, and Help text strings. All of these settings can be set in either the Computer Configuration or User Configuration scope, but Computer Configuration takes precedence over User Configuration.

Important
Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone; therefore, intranet websites and line-of-business apps will continue to use out-of-date ActiveX controls without disruption.

 

Setting Category path Supported on Help text

Turn on ActiveX control logging in Internet Explorer

Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management

Internet Explorer 8 through Internet Explorer 11

This setting determines whether Internet Explorer saves log information for ActiveX controls.

If you enable this setting, Internet Explorer logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file.

If you disable or don't configure this setting, Internet Explorer won't log ActiveX control information.

Note that you can turn this setting on or off regardless of the Turn off blocking of outdated ActiveX controls for Internet Explorer or Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains settings.

Remove the Run this time button for outdated ActiveX controls in Internet Explorer

Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management

Internet Explorer 8 through Internet Explorer 11

This setting allows you to stop users from seeing the Run this time button and from running specific outdated ActiveX controls in Internet Explorer.

If you enable this setting, users won't see the Run this time button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.

If you disable or don't configure this setting, users will see the Run this time button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once.

Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains

Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management

Internet Explorer 8 through Internet Explorer 11

This setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:

  • "domainname.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com".

  • "hostname". For example, if you want to include http://example, use "example".

  • "file:///path/filename.htm". For example, use file:///C:/Users/contoso/Desktop/index.htm.

If you disable or don't configure this setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.

Turn off blocking of outdated ActiveX controls for Internet Explorer

Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management

Internet Explorer 8 through Internet Explorer 11

This setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this setting, Internet Explorer stops blocking outdated ActiveX controls.

If you disable or don't configure this setting, Internet Explorer continues to block specific outdated ActiveX controls.

Remove the Update button in the out-of-date ActiveX control blocking notification for Internet Explorer

This functionality is only available through the registry

Internet Explorer 8 through Internet Explorer 11

This setting determines whether the out-of-date ActiveX control blocking notification shows the Update button. This button points users to update specific out-of-date ActiveX controls in Internet Explorer.

If you don't want to use Group Policy, you can also turn these settings on or off using the registry. You can update the registry manually or you can use an elevated command prompt and these commands to automatically turn on the settings.

 

Setting Registry setting

Turn on ActiveX control logging in Internet Explorer

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v AuditModeEnabled /t REG_DWORD /d 1 /f

Where:

  • 0 or not configured = Doesn't log ActiveX control information.

  • 1 = Logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file.

Remove Run this time button for outdated ActiveX controls in Internet Explorer

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v RunThisTimeEnabled /t REG_DWORD /d 0 /f

Where:

  • 0 = Removes the Run this time button.

  • 1 or not configured = Leaves the Run this time button.

Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\Domain" /v contoso.com /t REG_SZ /f

Where:

  • contoso.com = A single domain on which outdated ActiveX controls won't be blocked in Internet Explorer. Use a new reg add command for each domain you wish to add to the Allow list.

Turn off blocking of outdated ActiveX controls for Internet Explorer

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v VersionCheckEnabled /t REG_DWORD /d 0 /f

Where:

  • 0 = Stops blocking outdated ActiveX controls.

  • 1 or not configured = Continues to block specific outdated ActiveX controls.

Remove the Update button in the out-of-date ActiveX control blocking notification for Internet Explorer

reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v UpdateEnabled /t REG_DWORD /d 0 /f

  • 0 = Removes the Update button.

  • 1 or not configured = Leaves the Update button.
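To confirm that none of these values has weakened the feature on a machine, the following read-only check reports each value and what it means. It is an added example, not code from the original page; it assumes PowerShell 3.0 or later, reads only the HKCU locations shown in the commands above, and the function names are this example's own.

```powershell
# Added example: read-only check of the HKCU values documented on this page.
$ext = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext'
$vm  = 'HKCU:\Software\Microsoft\Internet Explorer\VersionManager'

# Each test receives the value's data, or $null when the value is not configured.
$checks = @(
    @{ Key = $vm;  Name = 'DownloadVersionList'; Test = { param($v) $v -eq 0 }
       Finding = 'Version list download is off; newly outdated controls are not added' }
    @{ Key = $ext; Name = 'VersionCheckEnabled'; Test = { param($v) $v -eq 0 }
       Finding = 'Blocking of outdated ActiveX controls is turned off' }
    @{ Key = $ext; Name = 'RunThisTimeEnabled';  Test = { param($v) $v -ne 0 }
       Finding = 'Run this time button is shown; users can run a blocked control once' }
    @{ Key = $vm;  Name = 'UpdateEnabled';       Test = { param($v) $v -eq 0 }
       Finding = 'Update button is removed from the notification' }
    @{ Key = $ext; Name = 'AuditModeEnabled';    Test = { param($v) $v -ne 1 }
       Finding = 'ActiveX control logging is off; no VersionAuditLog.csv is written' }
)

function Get-RegValueOrNull {
    param([string]$Key, [string]$Name)
    # A missing key or value yields no output instead of an error.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-ActiveXBlockingFindings {
    foreach ($c in $checks) {
        $data = Get-RegValueOrNull -Key $c.Key -Name $c.Name
        [pscustomobject]@{
            Value   = $c.Name
            Data    = $(if ($null -eq $data) { 'not configured' } else { $data })
            Finding = $(if (& $c.Test $data) { $c.Finding } else { 'OK' })
        }
    }
    # Every value name under Ext\Domain is a domain exempt from blocking.
    $domainKey = Join-Path $ext 'Domain'
    if (Test-Path $domainKey) {
        foreach ($d in (Get-Item $domainKey).GetValueNames()) {
            [pscustomobject]@{ Value = "Domain\$d"; Data = 'listed'
                               Finding = 'Outdated controls are not blocked on this domain' }
        }
    }
}

Get-ActiveXBlockingFindings | Format-Table -AutoSize
```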

Inventory your ActiveX controls

If you decide to inventory the ActiveX controls being used in your company by turning on the Turn on ActiveX control logging in Internet Explorer setting, Internet Explorer logs the ActiveX control information to the %LOCALAPPDATA%\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv file.

Here’s a detailed example and description of what’s included in the VersionAuditLog.csv file.

| Source URI | File path | Product version | File version | Allowed/Blocked | Reason | EPM-compatible |
| --- | --- | --- | --- | --- | --- | --- |
| http://contoso.com/test1.html | C:\Windows\System32\Macromed\Flash\Flash.ocx | 14.0.0.125 | 14.0.0.125 | Allowed | Not in blocklist | EPM compatible |
| http://contoso.com/test2.html | C:\Program Files\Java\jre6\bin\jp2iexp.dll | 6.0.410.2 | 6.0.410.2 | Blocked | Out of date | Not EPM compatible |

  • Source URI. The URL of the page that loaded the ActiveX control.

  • File path. The location of the binary that implements the ActiveX control.

  • Product version. The product version of the binary that implements the ActiveX control.

  • File version. The file version of the binary that implements the ActiveX control.

  • Allowed/Blocked. Whether Internet Explorer blocked the ActiveX control.

  • Reason. The ActiveX control can be blocked or allowed for any of these reasons:

    | Reason | Corresponds to | Description |
    | --- | --- | --- |
    | Version not in blocklist | Allowed | The version of the loaded ActiveX control is explicitly allowed by the Internet Explorer version list. |
    | Trusted domain | Allowed | The ActiveX control was loaded on a domain listed in the Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains setting. |
    | File doesn’t exist | Allowed | The loaded ActiveX control is missing required binaries to run correctly. |
    | Out-of-date | Blocked | The loaded ActiveX control is explicitly blocked by the Internet Explorer version list because it is out-of-date. |
    | Not in blocklist | Allowed | The loaded ActiveX control isn’t in the Internet Explorer version list. |
    | Managed by policy | Allowed | The loaded ActiveX control is managed by a Group Policy setting that isn’t listed here, and will be managed in accordance with that Group Policy setting. |
    | Trusted Site Zone or intranet | Allowed | The ActiveX control was loaded in the Trusted Sites Zone or the Local Intranet Zone. |
    | Hardblocked | Blocked | The loaded ActiveX control is blocked in Internet Explorer because it contains known security vulnerabilities. |
    | Unknown | Allowed or blocked | None of the above apply. |

  • Enhanced Protected Mode (EPM)-compatible. Whether the loaded ActiveX control is compatible with Enhanced Protected Mode.

    Note
    Enhanced Protected Mode isn’t supported on Internet Explorer 9 or earlier versions of Internet Explorer. Therefore, if you’re using Internet Explorer 8 or Internet Explorer 9, all ActiveX controls will always be marked as not EPM-compatible.
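To turn the log into an inventory, the following script groups the rows by control binary and version, counts loads and blocks, and marks a control that is blocked as out-of-date on some pages yet still allowed through a trusted domain or zone on others. It is an added example, not code from the original page. It assumes PowerShell 3.0 or later and a log with no header row; the column names and the function name are this example's own, and the sample rows are constructed from the page's example.

```powershell
# Added example. Column order follows the table above; the names are this
# example's own, and a log without a header row is an assumption.
$columns = 'SourceUri','FilePath','ProductVersion','FileVersion',
           'Status','Reason','EpmCompatible'

# Constructed sample rows (the first two mirror the page's example).
$sample = @'
http://contoso.com/test1.html,C:\Windows\System32\Macromed\Flash\Flash.ocx,14.0.0.125,14.0.0.125,Allowed,Not in blocklist,EPM compatible
http://contoso.com/test2.html,C:\Program Files\Java\jre6\bin\jp2iexp.dll,6.0.410.2,6.0.410.2,Blocked,Out of date,Not EPM compatible
http://contoso.com/test3.html,C:\Program Files\Java\jre6\bin\jp2iexp.dll,6.0.410.2,6.0.410.2,Blocked,Out of date,Not EPM compatible
http://example/app.htm,C:\Program Files\Java\jre6\bin\jp2iexp.dll,6.0.410.2,6.0.410.2,Allowed,Trusted Site Zone or intranet,Not EPM compatible
'@

function Get-ActiveXInventory {
    param([Parameter(Mandatory = $true)][object[]]$Rows)

    $Rows | Group-Object FilePath, FileVersion | ForEach-Object {
        $g = $_.Group
        $reasons = @($g | ForEach-Object { $_.Reason } | Sort-Object -Unique)
        # The sample log says "Out of date"; the reason table says "Out-of-date".
        $outdated = @($reasons -match '^(Out.of.date|Hardblocked)$').Count -gt 0
        $exempt   = @($reasons -match '^Trusted (domain|Site Zone or intranet)$').Count -gt 0
        [pscustomobject]@{
            Control     = Split-Path $g[0].FilePath -Leaf
            FileVersion = $g[0].FileVersion
            Loads       = $g.Count
            Blocked     = @($g | Where-Object { $_.Status -eq 'Blocked' }).Count
            # True when the same binary is blocked on some pages but still
            # allowed on others through a trusted domain or zone.
            StillRunsViaExemption = ($outdated -and $exempt)
            Epm         = $g[0].EpmCompatible
            Pages       = @($g | ForEach-Object { $_.SourceUri } | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Blocked -Descending
}

$rows = $sample | ConvertFrom-Csv -Header $columns
# For a real log, replace the line above with:
# $rows = Import-Csv -Header $columns -Path "$env:LOCALAPPDATA\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv"
Get-ActiveXInventory -Rows $rows | Format-Table -AutoSize
```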

© 2014 Microsoft