Article ID: 2991000 - View products that this article applies to.
Expand all | Collapse all

On This Page

About this update

This update introduces the out-of-date ActiveX control blocking security feature. This feature keeps ActiveX controls up to date and helps make them safer to use in Internet Explorer. Many ActiveX controls are not automatically updated as new versions are released. It is very important to keep ActiveX controls up to date because malicious or compromised webpages can target security flaws in out-of-date ActiveX controls. By using the out-of-date ActiveX control blocking security feature, Internet Explorer lets you do the following:
  • Know when Internet Explorer prevents a webpage from loading common but out-of-date ActiveX controls.
  • Interact with parts of a webpage that are unaffected by out-of-date ActiveX controls.
  • Update out-of-date ActiveX controls so that they are up to date and safer to use.
  • Inventory the ActiveX controls that your organization is using.
Important notes 
  • Although the August Cumulative security update for Internet Explorer (MS14-051) provides this capability, out-of-date ActiveX controls will start being blocked on September 9, 2014, to provide organizations time to identify and resolve dependencies. For more information, see the More information section.
  • In the August Cumulative security update for Internet Explorer (MS14-051), the out-of-date ActiveX control blocking feature applies only to outdated versions of Java in Internet Explorer.
  • The Internet Explorer administrative templates were updated with four new Group Policy settings to support out-of-date ActiveX control blocking. You can download the updated Internet Explorer administrative templates here.
  • It can require up to twelve hours from the time that you configure the feature for the feature to be fully functional in Internet Explorer.
The out-of-date ActiveX control blocking feature works in the following environments:
  • Internet Explorer versions 8 through 11 on Windows 7 SP1 and later versions
  • Internet Explorer versions 8 through 11 on Windows Server 2008 R2 SP1 and later versions
  • All security zones except the Local Intranet Zone and the Trusted Sites Zone
For more information about blocking out-of-date ActiveX controls, go to the following websites:

Out-of-date ActiveX control blocking

List of blocked ActiveX controls

Internet Explorer begins blocking out-of-date ActiveX controls

Updated Group Policy Settings

Update information

For information about how to install the most recent cumulative security update for Internet Explorer, read the instructions on Microsoft Update.

For technical information about the most recent cumulative security update for Internet Explorer, go to the following Microsoft website:

https://www.microsoft.com/technet/security/current.aspx

More information

Starting September 9, 2014, out-of-date ActiveX controls will be blocked on computers that have the August Cumulative security update for Internet Explorer (MS14-051) or a later update applied. If your enterprise has a dependency on outdated versions of Java in the Internet Zone in affected versions of Internet Explorer, you are affected by this change.

If you are unsure of whether your enterprise has dependencies on outdated versions of Java or of which specific domains have dependencies on outdated versions of Java, please read about how to use the Turn on ActiveX control logging Group Policy setting in the Out-of-date ActiveX control blocking article on Microsoft TechNet.

Testing the out-of-date ActiveX controls feature

Collapse this imageExpand this image
assets folding start collapsed
If your organization has a dependency on an outdated version of Java, you can run the following test to mirror the end-user experience on September 9, 2014.
  1. On a test computer, install the August cumulative update for Internet Explorer.
  2. Set a registry key to stop downloading updated versions of the VersionList.xml file. To do this, run the following command:
    reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /f
    Important After testing is complete, you must delete this registry key. Otherwise, this computer will stop receiving an updated VersionList.xml file that lists the out-of-date ActiveX controls. We do not recommend ever setting this registry key on an in-production computer.
  3. Copy the current VersionList.xml file from here to the following location:
    %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml
    Note If you are asked to overwrite the existing file, you should agree.
  4. To start blocking outdated versions of Java, open the VersionList.xml file, and then delete the first occurrence of latestgroup="1" (that is, the portion in bold type that follows):

    <groupentries>
    <groupentry groupname="Java(TM)" fwdlink="https://go.microsoft.com/fwlink/?LinkID=401352" latestgroup="1"/>
    <groupentry groupname="Java(TM) 1.4.2_43" fwdlink="http://" latestgroup="1"/>
    <groupentry groupname="Java(TM) 1.5.0_71" fwdlink="http://" latestgroup="1"/>
    <groupentry groupname="Java(TM) 1.6.0_81" fwdlink="http://" latestgroup="1"/>
    <groupentry groupname="Java(TM) 1.7.0_65" fwdlink="http://" latestgroup="1"/>
    <groupentry groupname="Java(TM) 1.8.0_11" fwdlink="http://" latestgroup="1"/>
    </groupentries>
  5. Restart Internet Explorer. You should see that websites that try to load outdated Java ActiveX controls will now display the out-of-date ActiveX control blocking notification.
If your organization has to have more time to lessen dependencies on outdated Java controls, you can take one of the following actions:
  • Turn off the feature completely. To do this, use the Turn off blocking of outdated ActiveX controls for Internet Explorer Group Policy setting (or the corresponding registry key).

    Note This is the less secure option.

  • Turn off the feature for a specific domain. To do this, use the Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains Group Policy setting (or the corresponding registry key). This setting lets you turn off the feature on the specific domains on which your enterprise has an outdated Java dependency.
Collapse this imageExpand this image
assets folding end collapsed

Properties

Article ID: 2991000 - Last Review: August 26, 2014 - Revision: 5.0
Applies to
  • Internet Explorer 11, when used with:
    • Windows 8.1 Enterprise
    • Windows 8.1
    • Windows 8.1 Pro
    • Windows RT 8.1
    • Windows Server 2012 R2 Datacenter
    • Windows Server 2012 R2 Essentials
    • Windows Server 2012 R2 Foundation
    • Windows Server 2012 R2 Standard
    • Windows 7 Service Pack 1
    • Windows Server 2008 R2 Service Pack 1
  • Internet Explorer 10, when used with:
    • Windows 8 Enterprise
    • Windows 8
    • Windows 8 Pro
    • Windows RT
    • Windows Server 2012 Datacenter
    • Windows Server 2012 Essentials
    • Windows Server 2012 Foundation
    • Windows Server 2012 Standard
    • Windows 7 Service Pack 1
    • Windows Server 2008 R2 Service Pack 1
  • Windows Internet Explorer 9, when used with:
    • Windows 7 Service Pack 1
    • Windows Server 2008 R2 Service Pack 1
  • Windows Internet Explorer 8, when used with:
    • Windows 7 Service Pack 1
    • Windows Server 2008 R2 Service Pack 1
Keywords: 
atdownload kbexpertiseadvanced kbsurveynew kbregistry KB2991000

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com