An update on the IE ActiveX change from Mike Nash

Hi there.  Mike Nash from the STU.  Earlier this year, during our response to the WMF zero exploit with an out-of-band band security update, I wrote a blog entry explaining the details of how we got to the decision to release that update early.  I received a lot of feedback from customers around the world that the blog entry and the internal insights into our decision-making process in that situation was very helpful and that we should make it a consistent practice for issues that have widespread impact on customers and need more clarity.


Based on the feedback I received from several customers on the upcoming change to the ActiveX capabilities in Internet Explorer in the next cumulative IE security update, I decided that this was a topic worthy of a blog entry.


So what’s going on?  Three things really:  The first relates to Microsoft’s involvement with the Eolas Technologies and the Regents of the University of California v. Microsoft patent case (Eolas v. Microsoft), which requires that Microsoft change the way that IE handles ActiveX controls.


So when we release the next cumulative IE security update, customers will only be able to interact with Microsoft ActiveX controls loaded in certain web pages after manually activating their user interfaces by clicking on it or using the TAB key and ENTER key. 


To help developers verify that their applications work well with the ActiveX change, Microsoft made it available to developers on MSDN on February 9, 2006.  Microsoft also made the change available as an optional update on Windows Update and the Microsoft Download Center on February 28th.  At the same time, the ActiveX change was made available to OEMs to include on all new systems shipping with Windows.


The second issue is that we have a number of security vulnerabilities in IE that are scheduled to be addressed in our next release of security bulletins on Tuesday April 11, 2006.   As you know, in order to reduce the complexity of updates and to improve quality, we ship all IE updates as cumulative updates.  As a result, the April security updates will include the non-security ActiveX change to respond to the Eolas case.


The third issue is that Microsoft is responding to a zero-day vulnerability in IE. The good news here is that we are on a path to include the fix for the zero day vulnerability as part of the April IE cumulative security update and possibly sooner if our ongoing monitoring and analysis of attempts to exploit vulnerability shows customers are being impacted seriously.


While the functionality that we changed as part of the response to the lawsuit is a small part of the functionality of IE, we did get feedback from some ISV partners and from some enterprise customers that they need a little more time to test and update their applications. 


So I met with the team over the last few days and we decided to make the following changes:

  1. New machines that ship with Windows will include the ActiveX change. 

  2. For our April IE cumulative security update, we will include the IE ActiveX change in the security update, but we will create a “compatibility patch” (deployed like a hotfix) that allows customers to turn off the change for a limited period of time through the June update cycle (2nd Tuesday in June) to provide time for enterprise customers to resolve compatibility issuess. 

So, the real question you are asking is “Mike, what should I do?”  Here is what I would do:


·         For Enterprise Customers: 

o       Test the ActiveX change that we shipped on February 28th.

o       Deploy the cumulative IE security update when it ships.

o       If you have concerns about application compatibility with the ActiveX change, then deploy the compatibility patch to temporarily revert back to the old behavior for Active X.  I STRONGLY advise that you NOT use this patch if you can avoid it, but if you do use the patch, as soon as you fix your application, remove the patch so that you can be sure that your applications work with the new ActiveX functionality.

o       Know that starting in June we really will not be supporting the old ActiveX behavior. 

·         For ISVs

o       Test your applications with the new IE ActiveX change.

o       If you have problem, let your Microsoft representative know.

o       Make sure that you have updated versions of your applications available and in the hands of your customers as soon as possible, since starting in June the old ActiveX control behavior won’t be supported.

·         For End-Users

o       Use Windows Update (and ideally Microsoft Update) to keep your systems up-to-date


If you have any questions, I want your feedback.  My email is



*This posting is provided “AS IS” with no warranties, and confers no rights.*