Next week’s Patch Tuesday updates for Windows will include a monumental security fix.
An update to Internet Explorer, for installation on PCs running Windows 7 Service Pack 1 or Windows 8.x, will introduce a new security feature called out-of-date ActiveX control blocking. Microsoft announced the planned changes in a post on the IE blog today.
ActiveX controls, which expand the capabilities of Internet Explorer in useful but also potentially dangerous ways, have been a headache for Windows users for more than a decade. Improvements in the design of ActiveX have progressively reduced its attack surface; the new framework provides a way to ensure that attackers can’t target known vulnerabilities in ActiveX controls that are installed but not updated to the most recent version.
For the initial release, this new feature takes dead aim at the single most dangerous ActiveX control of all: Java. Through the years, Java has been a favorite target of malware writers, who know that Windows PCs and Macs are likely to be running an outdated Java version. They’ve even automated the process, using exploit kits on booby-trapped web pages to install malware in drive-by attacks on systems with outdated Java versions.
In a blog post announcing the change, Microsoft cites its most recent Security Intelligence Report, which notes that in 2013 Java exploits represented well over 80 percent of exploit kit-related detections. In all cases, these automated attacks are targeting vulnerabilities for which a fix has already been released, but if the target PC is running an outdated Java version, it's a sitting duck.
The new feature uses a regularly updated XML file, hosted on Microsoft’s servers, to identify ActiveX controls that are not allowed to load. The initial release of versionlist.xml flags older versions of Java that are known to be unsafe; Microsoft says over time it will add other outdated and potentially dangerous ActiveX controls to the list.
With this update installed, all supported versions of Internet Explorer (IE 8 through 11 on Windows 7, and Internet Explorer for the desktop on Windows 8) will check the server-side block list whenever they encounter an ActiveX control on a web page. If the version is listed as out of date, the ActiveX control will not run, and the user will be prompted to update to the current, presumably safe version.
According to Microsoft, the following Java versions will be on the block list initially:
- J2SE 1.4, everything below (but not including) update 43
- J2SE 5.0, everything below (but not including) update 71
- Java SE 6, everything below (but not including) update 81
- Java SE 7, everything below (but not including) update 65
- Java SE 8, everything below (but not including) update 11
On a modern version of Internet Explorer, the warning looks like this:
If a web page attempts to load a vulnerable app outside of the browser, a different warning message appears:
Consumers will still have the option to run an unsafe control, but the blood-red warning message will prevent drive-by attacks from succeeding.
On enterprise networks, IT pros can change the configuration so that the out-of-date Java version is blocked and will not run.
For sites that require a specific older Java version, you can add the address of the web page to the Local Intranet Zone or Trusted Sites Zone, where the ActiveX blocking feature is disabled.
Additional features aimed at Windows network administrators include new Group Policy settings that support logging, central management of whitelisted domains, and the ability to disable the policy completely. (The IE blog post contains details of those IT-focused changes.)
With next week's changes, Internet Explorer is catching up with other browsers on the Windows platform, which have had similar functionality for a while. Firefox, for example, has a blocked plugins list that includes Java plugin 7 update earlier than 44 and Java Plugin 6 updates earlier than 45. Google Chrome introduced a similar blocklist in 2011.
Apple regularly declares outdated versions of Java as well, disabling them in Safari with a plugin blocker.
As always, the best way to avoid being hit by Java-related exploits is to avoid installing it in the first place. If that's not possible, these changes are a dramatic improvement over the current sorry state of Java security.