Microsoft announced yesterday that it will block outdated Flash Player ActiveX versions on Windows 7 and Windows Server 2008 R2 starting October 11, 2016.
Flash Player does not get updated automatically on Windows 7 or Windows Server 2008 R2 unlike on newer versions of Windows where the updating is done via Windows Updates.
While some Windows customers update the ActiveX version of Flash Player manually each time a new version is released, outdated versions of Flash Player may be used on others.
Considering that Flash is one of the main attack vectors as old versions have more vulnerabilities than Swiss Cheese has holes, it is a security risk to load Flash content using Internet Explorer if the Flash version is outdated.
Blocking old Flash Player ActiveX content
Here are the details: starting October 11, 2016 Adobe Flash Player content will be blocked automatically on page load if outdated versions of Flash Player are used on the system.
Microsoft notes that the following versions are considered as outdated:
- Any version before Adobe Flash Player 21.0.0.198
- Any version before Adobe Flash Player Extended Support Release 18.0.0.241
Tip: The versions will change over time as updates get released. You find the latest versions the blocking applies to on Microsoft’s IT Center site. The same page lists information about outdated Java and Silverlight controls as well.
Note that Local Intranet Zone and Trusted Sites Zone sites are not affected by this. This is done primarily to make sure that Enterprise and business customers can continue using applications that rely on Flash ActiveX controls without disruption.
Internet Explorer warns you once per tab, regardless of how many Flash content bits are on it. The warning message reads “Flash Player was blocked because it is out of date and needs to be updated”.
The prompt lists an option to update Flash Player, or to run the control this time.
Interestingly enough, non-admin users who use Internet Explorer 11 won’t see “see any out-of-date Flash ActiveX control blocks” according to Microsoft.
System administrators may enable out-of-date Flash blocking for all users by running the following command from the command prompt:
reg add “HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExt” /v NonAdminSuppressEnabled /t REG_DWORD /d 0 /f
Group Policy
The following Group Policy policies are available to manage the blocking feature and customize it.
- Turn on ActiveX control logging in IE – Computer ConfigurationAdministrative TemplatesWindows ComponentsInternet ExplorerSecurity FeaturesAdd-on Management
- Remove the Run this time button for outdated ActiveX controls in IE – Computer ConfigurationAdministrative TemplatesWindows ComponentsInternet ExplorerSecurity FeaturesAdd-on Management
- Turn off blocking of outdated ActiveX controls for IE on specific domains – Computer ConfigurationAdministrative TemplatesWindows ComponentsInternet ExplorerSecurity FeaturesAdd-on Management
- Turn off blocking of outdated ActiveX controls for IE – Computer ConfigurationAdministrative TemplatesWindows ComponentsInternet ExplorerSecurity FeaturesAdd-on Management
Registry
The same options are also available via the Registry. Note that there is one additional option that lets you remove the update button from the prompt.
reg add “HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExt” /v AuditModeEnabled /t REG_DWORD /d 1 /f
reg add “HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExt” /v RunThisTimeEnabled /t REG_DWORD /d 0 /f
reg add “HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExtDomain” /v example.com /t REG_SZ /f
reg add “HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExt” /v VersionCheckEnabled /t REG_DWORD /d 0 /f
reg add “HKCUSoftwareMicrosoftInternet ExplorerVersionManager” /v UpdateEnabled /t REG_DWORD /d 0 /f
Resources
The following resource sites provide you with additional information:
- Blocked out-of-date ActiveX controls
- Blocking out-of-date Flash ActiveX controls on IE11
- Out-of-date ActiveX control blocking
- Update to block out-of-date ActiveX controls in Internet Explorer