Microsoft to block outdated Java versions in Internet Explorer

Summary: Next week's Patch Tuesday updates will include a much-needed fix for Internet Explorer, blocking outdated versions of the Java ActiveX control and closing one of the most popular vectors for installing malware.

TOPICS: Security, Oracle, Windows

Next week’s Patch Tuesday updates for Windows will include a monumental security fix.

An update to Internet Explorer, for installation on PCs running Windows 7 Service Pack 1 or Windows 8.x, will introduce a new security feature called out-of-date ActiveX control blocking. Microsoft announced the planned changes in a post on the IE blog today.

ActiveX controls, which expand the capabilities of Internet Explorer in useful but also potentially dangerous ways, have been a headache for Windows users for more than a decade. Improvements in the design of ActiveX have progressively reduced its attack surface; the new framework provides a way to ensure that attackers can’t target known vulnerabilities in ActiveX controls that are installed but not updated to the most recent version.

For the initial release, this new feature takes dead aim at the single most dangerous ActiveX control of all: Java. Through the years, Java has been a favorite target of malware writers, who know that Windows PCs and Macs are likely to be running an outdated Java version. They’ve even automated the process, using exploit kits on booby-trapped web pages to install malware in drive-by attacks on systems with outdated Java versions.

In a blog post announcing the change, Microsoft cites its most recent Security Intelligence Report, which notes that in 2013 Java exploits represented well over 80 percent of exploit kit-related detections. In all cases, these automated attacks are targeting vulnerabilities for which a fix has already been released, but if the target PC is running an outdated Java version, it's a sitting duck.

The new feature uses a regularly updated XML file, hosted on Microsoft’s servers, to identify ActiveX controls that are not allowed to load. The initial release of versionlist.xml flags older versions of Java that are known to be unsafe; Microsoft says over time it will add other outdated and potentially dangerous ActiveX controls to the list.

With this update installed, all supported versions of Internet Explorer (IE 8 through 11 on Windows 7, and Internet Explorer for the desktop on Windows 8) will check the server-side block list whenever they encounter an ActiveX control on a web page. If the version is listed as out of date, the ActiveX control will not run, and the user will be prompted to update to the current, presumably safe version.

According to Microsoft, the following Java versions will be on the block list initially:

  • J2SE 1.4, everything below (but not including) update 43
  • J2SE 5.0, everything below (but not including) update 71
  • Java SE 6, everything below (but not including) update 81
  • Java SE 7, everything below (but not including) update 65
  • Java SE 8, everything below (but not including) update 11

On a modern version of Internet Explorer, the warning looks like this:


If a web page attempts to load a vulnerable app outside of the browser, a different warning message appears:


Consumers will still have the option to run an unsafe control, but the blood-red warning message will prevent drive-by attacks from succeeding.

On enterprise networks, IT pros can change the configuration so that the out-of-date Java version is blocked and will not run.

For sites that require a specific older Java version, you can add the address of the web page to the Local Intranet Zone or Trusted Sites Zone, where the ActiveX blocking feature is disabled.

Additional features aimed at Windows network administrators include new Group Policy settings that support logging, central management of whitelisted domains, and the ability to disable the policy completely. (The IE blog post contains details of those IT-focused changes.)
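To make the block-list and zone rules above concrete, here is an added example (not Microsoft's code, and not the format of the real versionlist.xml) that encodes the initial Java thresholds from the article and decides what IE would do for a given control version, page zone and enterprise setting; the version-string formats, zone names and the `enterprise_hard_block` flag are assumptions for illustration.

```python
import re

# Minimum safe update per Java family, from the article's initial block list.
# Everything below the listed update is blocked; the listed update itself is allowed.
MIN_SAFE_UPDATE = {
    "1.4": 43,   # J2SE 1.4
    "5":   71,   # J2SE 5.0
    "6":   81,   # Java SE 6
    "7":   65,   # Java SE 7
    "8":   11,   # Java SE 8
}

# Two version spellings seen in the wild (assumed inputs): "1.7.0_65" and "7u65".
_DOTTED = re.compile(r"^1\.(\d+)(?:\.\d+)?(?:_(\d+))?$")
_SHORT = re.compile(r"^(\d+)u(\d+)$")


def parse_java_version(ver):
    """Return (family, update) for a JRE version string.
    A dotted version with no '_NN' suffix is the GA release, i.e. update 0."""
    m = _DOTTED.match(ver.strip())
    if m:
        family = "1.4" if m.group(1) == "4" else m.group(1)
        return family, int(m.group(2) or 0)
    m = _SHORT.match(ver.strip())
    if m:
        return m.group(1), int(m.group(2))
    raise ValueError("unrecognised Java version: %r" % ver)


def is_blocked(ver):
    """True when this version falls on the initial out-of-date list."""
    family, update = parse_java_version(ver)
    if family not in MIN_SAFE_UPDATE:
        return False  # family not on the list (e.g. newer than anything listed)
    return update < MIN_SAFE_UPDATE[family]


def decide(ver, zone="Internet", enterprise_hard_block=False):
    """Outcome for one control load, following the article's description:
    'run'    - not listed, or the page sits in an exempt zone
    'prompt' - listed; consumer default warns but lets the user run it anyway
    'block'  - listed; enterprise policy set to block without offering to run"""
    if zone in ("Local Intranet", "Trusted Sites"):
        return "run"  # the blocking feature is disabled in these zones
    if not is_blocked(ver):
        return "run"
    return "block" if enterprise_hard_block else "prompt"
```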

With next week's changes, Internet Explorer is catching up with other browsers on the Windows platform, which have had similar functionality for a while. Firefox, for example, has a blocked plugins list that includes Java Plugin 7 updates earlier than 44 and Java Plugin 6 updates earlier than 45. Google Chrome introduced a similar blocklist in 2011.

Apple regularly declares outdated versions of Java as well, disabling them in Safari with a plugin blocker.

As always, the best way to avoid being hit by Java-related exploits is to avoid installing it in the first place. If that's not possible, these changes are a dramatic improvement over the current sorry state of Java security.

  • Oh thank heavens

    There's a lot of old Java out there, and people certainly aren't as diligent as they should be about keeping it up to date. I personally feel Java has no place in the browser anymore. Other than Flash (for compatibility purposes) the age of the plug in should be over.
    • Except that...

      MANY vendors and suppliers still have web applications that REQUIRE Java 6. This will literally break design environments, ADP, supplier sites, etc.

      Bad move. Java 7 is a crap hole of incompatibility in the corporate world. What a mess.
      • Won't be a problem

        That won't really be a problem because the headline is false (big surprise). The reality is they're making the warning dialog bigger. We use group policy to control it so the defaults are really only relevant to end users.
        Buster Friendly
      • If your business needs it, you can always set group policy.

        Relax: If your business needs it, you can always set group policy, as Buster indicates.

        This is really aimed at consumers who don't know any better. Consumer apps are updated far more often, so it's not an issue for most people.
      • Looks like you can still run Java 6

        From the article:

        Java SE 6, everything below (but not including) update 81

        In fact it looks like they're supporting older versions (1.4 and 5 too) but only the latest update of each.

        So, all in all it looks like a relatively benign "fix".
        Robert Crocker
      • These shouldn't be web applications

        there's no reason these apps can't (and shouldn't) run in the desktop.... there are tons of great real-time update and launch techniques for Java, like Java Web Start.

        Anyone forcing binary (or byte code) code to launch from something as exposed and vulnerable as a web browser is doing the users of their product a grave disservice. Microsoft is certainly not at fault for thwarting old stacks from running... they're doing what they have to.
      • Did you read?

        Java SE6 is supported, if you have the latest patch. If you don't have the latest security patch, it will warn you.
      • That'd Be a Good Thing

        in the long run. The loss of business because they use Java and / or Flash for that matter, will force someone in that organization to code up something new that meets the new standard for the browser of today.
        The more people don't put Java and Flash on their machines will, for a short while, "break the internet" until web site owners start coding the same "lost services" / "broken services" w/ HTML5.
        Crashin Chris
  • You really don't need the plugin

    You really don't need the java plugin unless you have some specific in-house stuff that uses it and then you can only enable it from that security domain. Newer Enterprise applications use Java webstart rather than the plugin.
    Buster Friendly
    • You're thinking corporate PCs and intranets, but...

      ...the real problem is Internet banking (many banks' Web sites require Java) and interactive Web sites, where Java is widespread. There are also essential local applications that either are coded in Java or have Java modules - for example, in Brazil, all software distributed by the Federal Revenue Secretariat (equivalent to the IRS) and used by individuals, corporations and accountants to file tax statements and returns requires Java to run.
      • Well that's plain stupid

        if it is in the browser. There's no excuse for that in this jQuery/Angular/HTML5 age.
    • B2B

      a lot of B2B web platforms use Java. Our biggest wholesaler has their web based order and tracking portal as a huge Java Plugin.
  • Want to use Java ?

    Keep it boxed up in a VM
    Alan Smithie
    • Why?

      Why? The issue is the browser plugin and not the JRE even though reporters are not good at explaining, or probably don't understand, those are not the same thing. Java itself is much larger than a single JRE implementation.
      Buster Friendly
  • JAVA = Just Another Virus Application

    java should have never been enabled, what utter garbage ware.
    Java the last refuge of the incompetent.
    Reality Bites
    • So that's why

So THAT's why it's the key enterprise platform in the world. We're all idiots!
      Buster Friendly
      • "We're all idiots"

Unfortunately that is correct. We all have our moments, often following laziness.
      • Java's dominance is a mystery to me

        although that dominance is largely exaggerated I think, as developer surveys all still put pure C in the lead, and always have.

        I kinda sorta understand Java in the back-end, as administrators can overlook Java's huge security problems by ensuring that no arbitrary code is ever executed, and server boxes don't go cruising the web.

But really? Java is for folks who aren't willing to commit to a server architecture. Java's only main advantages over other languages are that it's (a) a managed environment with garbage collection and no pointers, and (b) a portable platform that can run everywhere close to as is (though this is also true of the major web platforms like PHP, Ruby, and Python).

        And to do this, you have to give up C's power and speed, PHP's ease of development, C#'s vastly superior framework (LINQ ahem), and Ruby's modern paradigmed MVC pattern.

        Java's a great language for Android - but honestly, I don't know what other purpose it serves other than to provide a clunky inferior "let's look a little but not a lot like the native platform" UI for clients (I'm looking at you Swing), and to provide a slow, unwieldy, but highly portable back end for servers, with lots of cheap new CSci grads available to work on it.
  • Won't affect those using XP.

    Just saying. :)
    • That's the least of their worries

      XP users have so many threats to worry about (and that's only getting worse from now on) that Java is just one more and probably a lesser one in comparison.