October 2014 updates and a preview of changes to out-of-date ActiveX control blocking

This post describes the October updates for Internet Explorer that we are releasing today and provides a preview of updates to out-of-date ActiveX control blocking coming in November 2014.

October Updates

Microsoft Security Bulletin MS14-056 - This critical security update resolves one publicly disclosed vulnerability and fourteen privately reported vulnerabilities in Internet Explorer. For more information, see the full bulletin.

Security Update for Flash Player (3001237) - This security update for Adobe Flash Player in Internet Explorer 10 and 11 on supported editions of Windows 8, Windows 8.1 and Windows Server 2012 and Windows Server 2012 R2 is also available. The details of the vulnerabilities are documented in Adobe security bulletin APSB11-22. This update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash binaries contained within Internet Explorer 10 and Internet Explorer 11. For more information, see the advisory.

Updates to out-of-date ActiveX control blocking coming in November

As we shared back in September, and as part of our ongoing commitment to delivering a more secure browser, we want to help you stay up-to-date with the latest versions of popularly installed ActiveX controls. Today, we’d like to share two exciting updates to the out-of-date ActiveX control blocking feature: updates to our supported operating system and browser combinations and out-of-date Silverlight blocking.

Out-of-date ActiveX control blocking on Windows Vista SP2 and Windows Server 2008 SP2

Beginning January 12, 2016, we’re going to support the following operating system and browser combinations (for more info, see this announcement):

Windows operating system      Internet Explorer version
----------------------------  -------------------------
Windows Vista SP2             Internet Explorer 9
Windows Server 2008 SP2       Internet Explorer 9
Windows 7 SP1                 Internet Explorer 11
Windows Server 2008 R2 SP1    Internet Explorer 11
Windows 8.1                   Internet Explorer 11
Windows Server 2012           Internet Explorer 10
Windows Server 2012 R2        Internet Explorer 11

Right now, the out-of-date ActiveX control blocking feature works on all of these combinations except Windows Vista SP2 and Windows Server 2008 SP2 with Internet Explorer 9. Support for these combinations is expected to start on November 11, 2014.

Out-of-date Silverlight blocking

Starting on November 11, 2014, we’re expanding the out-of-date ActiveX control blocking feature to block outdated versions of Silverlight. This update notifies you when a Web page tries to load a Silverlight ActiveX control older than (but not including) Silverlight 5.1.30514.0.

You can continue to view the complete list of out-of-date ActiveX controls being blocked by this feature here.

Enterprise testing for out-of-date Silverlight ActiveX control blocking

Remember, out-of-date ActiveX controls aren’t blocked in the Local Intranet Zone or the Trusted Sites Zone, so your intranet sites and trusted line-of-business apps should continue to use ActiveX controls without any disruption.

If you want to see what happens when an employee goes to a Web page with an out-of-date Silverlight ActiveX control after November 11, 2014, you can run this test.

  • On a test computer, install the most recent cumulative update for Internet Explorer.

  • Open a command prompt and run this command to stop downloading updated versions of the versionlist.xml file:

     reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /f

    Important: After you’re done testing, delete this registry key. If you don’t, this computer will stop receiving the updated VersionList.xml file with all of the out-of-date ActiveX controls. Because of this, we don’t recommend setting this registry key in your production environment.

  • Copy the test versionlist-TEST.xml file from here to

     %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\

  • Rename this file to versionlist.xml. Make sure you agree to overwrite any existing file.

    Important: After you’re done testing, replace this file with its production version from here. We don’t recommend manually changing the versionlist.xml file in your production environment.

  • Restart Internet Explorer.

You’ll now get an out-of-date ActiveX control blocking notice when a Web site tries to load an outdated Silverlight ActiveX control.

Out-of-date Silverlight blocking prompt

If you need more time to minimize your reliance on outdated Silverlight controls, see the Out-of-date ActiveX control blocking on managed devices section of the Out-of-date ActiveX control blocking topic.
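To confirm that a test computer was returned to its production state after the test procedure above, the following PowerShell function reports whether the DownloadVersionList value is still set to 0 and when the local versionlist.xml was last written. It is an added example, not code from the original post or from Microsoft; the function name, the -Revert switch and the output property names are hypothetical, and it assumes PowerShell 3.0 or later run as the user who performed the test.

```powershell
# Added example: audit (and optionally revert) the test-only registry setting
# from the procedure above. Function and parameter names are hypothetical.
# Requires PowerShell 3.0+ ([pscustomobject]); run as the user who did the test,
# because the setting lives under HKCU and the file under %LOCALAPPDATA%.
function Get-VersionListTestState {
    [CmdletBinding()]
    param(
        # Remove the DownloadVersionList value so versionlist.xml updates resume.
        [switch]$Revert
    )

    $keyPath   = 'HKCU:\Software\Microsoft\Internet Explorer\VersionManager'
    $valueName = 'DownloadVersionList'
    $listPath  = Join-Path $env:LOCALAPPDATA 'Microsoft\Internet Explorer\VersionManager\versionlist.xml'

    # The test procedure sets this value to 0; $prop is $null if it is absent.
    $prop = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    $downloadsDisabled = ($null -ne $prop) -and ($prop.$valueName -eq 0)

    $reverted = $false
    if ($Revert -and ($null -ne $prop)) {
        Remove-ItemProperty -Path $keyPath -Name $valueName
        $reverted = $true
        $downloadsDisabled = $false
    }

    # A write time matching the test date suggests the hand-copied test list
    # was never replaced with the production file.
    $file = Get-Item -LiteralPath $listPath -ErrorAction SilentlyContinue

    [pscustomobject]@{
        User               = $env:USERNAME
        DownloadsDisabled  = $downloadsDisabled
        RegistryReverted   = $reverted
        VersionListPath    = $listPath
        VersionListExists  = [bool]$file
        VersionListWritten = if ($file) { $file.LastWriteTime } else { $null }
    }
}

# Report only; add -Revert on a test computer once testing is finished.
Get-VersionListTestState
```

The function does not restore versionlist.xml itself; the production file still has to be put back as described in the steps above.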

— Cassie Condon, Senior Program Manager, Internet Explorer

— Jasika Bawa, Program Manager, Internet Explorer

Comments

  • Anonymous
    October 14, 2014
    IE Crashing and not responding is very extreme !?! Why ?

  • Anonymous
    October 14, 2014
    My IE is doing the same thing. The exe does not seem to be working or coming on when I start my PC so I have to use Bing for Internet access. I have IE 11 installed but it just does not give me net access.

  • Anonymous
    October 14, 2014
    Nothing about the new features in Internet Explorer 11.0.13?

  • Anonymous
    October 14, 2014
    Summary: -- All except for the most recent Silverlight ActiveX release 5.1.30514.0 July 2014 are blocked.

  • Anonymous
    October 14, 2014
    Hm, I still don't get any warning if Java6#45 is installed

  • Anonymous
    October 14, 2014
    E.g., Java 7#40 will cause a warning/block but 6#45 will not. So I assume the XML version info is wrong for this version.

  • Anonymous
    October 15, 2014
    It'd be in your best interest to take a peek here http://goo.gl/wxnsTl and consider the information if you want some knowledge of what you're dealing with.

  • Anonymous
    October 15, 2014
    Oracle released new security updates for Java 8#25 and 7#71, but the MS XML is not updated to block older unsafe ones (8#20 / 7#67) yet.

  • Anonymous
    October 15, 2014
    There is a wish. IE12 should release the preview version only for Windows 10 at least early. The present technical preview version was still IE12. And please also examine Windows 7 and offer which are turned Windows 8/8.1 and through which it passes in the future.

  • Anonymous
    October 16, 2014
    Still no fix for the broken drop-down lists in the F12 tools, despite the comment at the end of July that this had been fixed. connect.microsoft.com/.../ie11-emulation-screen-document-mode-and-user-agent-dropdowns-blank-for-all-sites

  • Anonymous
    October 16, 2014
    And when will MS add TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks (tools.ietf.org/.../draft-ietf-tls-downgrade-scsv-00) to Schannel? As well as disable SSL3 by default?
