Now even Internet Explorer will throw lousy old Java into the abyss

Internet Explorer will soon join its rival browsers by automatically blocking old, insecure add-ons – and it's got its eye set squarely on Java. Microsoft said on Wednesday that starting on August 12, Internet Explorer will begin alerting users when web pages try to launch ActiveX controls that are considered out-of-date and …

  1. Denarius

    the world is weird now

    good move Microsoft. Hard to believe I wrote that I know, but one has to encourage good decisions. M$ has so few of them

    1. DNTP

      Re: the world is weird now

      "Late" is better than never, but it usually sucks compared to "sooner". They should just make the default IE homepage a bunch of links to better browsers and call it a day. Turn IE into a dedicated system update downloader.

      1. Anonymous Coward

        Re: the world is weird now

        Yeah, this update couldn't have come at a better time, unless a decade ago would be considered better. Now there's just the question of when Active heX will be getting the boot...

        1. Anonymous Coward
          Holmes

          Re: the world is weird now

          I've been administering different versions of Windows safely and productively for many, many years now, including quite a few current instances of Win 8.1. I also use different flavors of Linux, Android, and Chrome OS when I need them - also safely and productively. The right tool for the right job.

          If you can't figure out how to do the same, that reflects more poorly on you than on anything M$ has or hasn't done.

          While sometimes a bit slow and cranky, Windows has been a completely adequate OS since XP. The folks who have problems are the ones downloading pirated music, movies and warez - and it's hard to feel much sympathy.

          1. Pascal Monett Silver badge

            Re: The folks who have problems are the ones downloading pirated music, movies and warez

            Bullshit.

            The folks who have trouble are the many, many people who have computers and don't know how to avoid those problems.

            They are folks for whom a computer is a calculator with a screen, and they already have trouble with calculators.

            They are people who have had this clunky, noisy thing plopped on their home desk by relatives telling them that they can see their grandchildren with it, and it works - more or less, but it is really confusing.

            Not everyone is an IT engineer and you shouldn't have to be one to use a PC. Unfortunately, these days you do if you want to avoid trouble. And most people just don't have either the time or the inclination to do that.

            Reducing the world to a bunch of pirates or saintly YOU reflects very poorly on your level of humanity.

            1. Anonymous Coward

              Re: The folks who have problems are the ones downloading pirated music, movies and warez

              Sure, for many people it's just a tool - but they want it full of any software they can put their hands on - even if they will rarely use it, or are utterly unable to use it properly. Or fill it with music and movies "just because there are sites where you can get them for free".

              Although it is true you can be compromised visiting legitimate web sites which got compromised as well, it's also true a lot of trouble comes from people visiting "unsafe" (just to be polite) web sites, installing a lot of pirated software and looking for it, as well as looking for pirated media content.

              Also "I'm running a pirated copy of Windows, because I'm smart I'll turn off Windows Update so Microsoft can't track me!" - same for Office, Photoshop, etc. etc.

              Too many think "any software and media should come for free - it's easy to copy, why should I pay for it?" - it varies from country to country - but it's always a big percentage, crooks know, and take advantage of it. Especially now compromised machines and their data have a good "commercial value".

              Humankind is greedy enough to be its own nemesis...

          2. phuzz Silver badge
            Thumb Up

            Re: the world is weird now

            I have also been administering many different versions of Windows safely and productively, and one of the ways I have done that, is by never installing Java if I could help it.

            And if I did have to install it I'd lock it down in the firewall to local IPs only.

  2. James O'Shea

    pretty big peg

    "Microsoft's own research pegs the figure at between 84.6 and 98.5 per cent."

    that's a damn big peg, no matter how you count it.

    1. Anonymous Coward

      Re: pretty big peg

      The biggest Java exploit of all is the Ask Toolbar.

      1. graeme leggett Silver badge

        Re: pretty big peg

        I found how to turn off "third party offers" from the java install the other day.

        buried deep under the advanced settings...

        1. chris lively

          Re: pretty big peg

          Please do tell.

  3. david 12 Silver badge

    WTF ????

    IE blocks blocked Active X controls. Has done so for what, decades? The list of blocked Active X controls is updated regularly. Repeatedly. All the time.

    To restate: IE is "automatically blocking old, insecure add-ons", and has been since I was in short pants.

    So WTF is actually going on ???

    I could guess that the list of blocked ActiveX controls is now going to include old versions of Java, but that would be only guessing, since, like the rest of the echo chamber that is the internet, this article includes no checkable resources: the author has clearly repeated some other unsourced report, all of which are saying the same thing, none of which are giving references.

    1. diodesign (Written by Reg staff) Silver badge

      Re: WTF ????

      Calm down, love. You're causing a scene.

      From Microsoft's IE Blog (it's linked in the article):

      "As part of our ongoing commitment to delivering a more secure browser, starting August 12th Internet Explorer will block out-of-date ActiveX controls."

      The keyword here is "out-of-date". Yes, IE blocks dodgy ActiveX controls but what's significant here is that MS has decided to rule out all but the very latest Java plugins. So if you'd OK'd an earlier version, tough: it's now out of date.

      C.

      1. david 12 Silver badge

        Re: WTF ????

        Missed the link. My Error. Sorry. Would have written that differently if I had found the link. Would not have said "WTF" if I had found the link and read the link. Would have been calmer. My reaction was totally only based on reading the article.

        Instead, would have pointed out that the new feature was the button helping you to update a supported third-party Active-X control.

        Slowly, the article, total nonsense before, starts to come into focus. FF already has, and has had for a long time "a feature that prompts you to update supported third-party addins".

        Prior to this release, IE could only throw lousy old Java into the abyss. Now, like competing products, it can notify you about upgrades.

        But old versions of IE will still only be able to alert users when web pages try to launch ActiveX controls that are considered out-of-date and potentially insecure.

        Enhanced third party support from MS is a newsworthy step. It will be interesting to see what the business analysts make of this announcement

  4. david 12 Silver badge

    >There will be some exceptions to IE's ActiveX blocking feature, though.... the feature is only coming to recent versions of Microsoft's operating system and browser

    ActiveX blocking is a feature of every version of IE that supports ActiveX

  5. Velv

    Great move, however the cynical side of me predicts a substantial number of internal applications failing in the business world.

    Maybe it will encourage more businesses to consider refreshing their estate more often...

    1. tony2heads

      internal applications

      Out of curiosity - does anybody know of mission critical business apps running in ActiveX??

      1. Titus Aduxass
        Facepalm

        Re: internal applications

        Yes, we have one here.

        And I'm relieved this ActiveX blocking malarky only affects IE8+ otherwise it would interfere with all our lovely IE6s and IE7s running on XP. Which is our standard platform. Still.

  6. Vince

    Um, certainly my IE has been doing this for a few weeks or so at least now - at least on my Windows 8.1 computers...

  7. Anonymous Bullard

    smug

    The browser of my choice has been blocking ActiveX since v1.

    But seriously, though.. if you cared that much about security then you shouldn't really be using IE.

    1. Grikath

      Re: smug

      and the track record of the other browsers is ....what again? There is no such thing as a secure, bug-free browser, and as soon as browser [x] becomes popular it becomes a target for exploitation.

      Many, many of the security-minded crowd tend to forget that security through obscurity has worked wonders for them over the years. Small user fractions are simply not interesting targets.

      Linux and the alternative browsers used to have such a tiny market percentage that the black hats simply did not bother at all with them, thus raising a false sense of security, and quite a bit of hobnobbery about it. With the rise of popularity of the linux platform and the "alternative" browsers those systems suddenly did become attractive for exploitation, and bugs and vulnerabilities did prove to exist in said software. Just like in Windows/IE.

      Which is when much sniggering ensued about the gnashing of teeth of those who had to eat their own rantings over the past decades.

    2. MyffyW Silver badge
      Happy

      Re: smaug

      The real security fail regarding IE is clinging to obsolete versions of the browser, rather than any specific holes in the latest patched version.

      (dips head below parapet, waits for flames)

    3. Anonymous Coward

      Re: smug

      "But seriously, though.. if you cared that much about security then you shouldn't really be using IE."

      You know IE has consistently had far fewer security holes than say Chrome for years now?

  8. Stretch

    "will throw lousy old Java into the abyss"

    Can you not phrase your headline in a slightly more accurate way? This is related to buggy ActiveX controls. It's not about Java. Java is the USEFUL thing that this ActiveX control provides, and as it is so USEFUL and EXCELLENT that it is ubiquitous enough for the ActiveX control to be worth attacking. If you make such silly statements then uneducated people like david12 above will start parroting what you are saying.

    1. Anonymous Coward

      Re: "will throw lousy old Java into the abyss"

      It's not the ActiveX control that's being exploited, it's the version of the JVM that it gives access to!

    2. Not That Andrew

      Re: "will throw lousy old Java into the abyss"

      Useful and ubiquitous does not equal excellent

  9. IGnatius T Foobar
    FAIL

    Microsoft FAIL

    This just in: the world's least secure browser blocks a third party plugin. Nice try, Microsoft. IE is still swiss cheese.

    1. Grikath

      Re: Microsoft FAIL

      Eadon , is that you? :P

    2. Anonymous Coward

      Re: Microsoft FAIL

      "This just in: the world's least secure browser blocks a third party plugin. Nice try, Microsoft. IE is still swiss cheese."

      But still better at blocking malware and phishing than most other browsers. And has been for at least 5 years:

      http://www.eweek.com/c/a/Windows/Microsofts-IE-8-Effective-at-Blocking-Phishing-Malware-Report-Says-225292/

  10. g00se
    FAIL

    Why?

    It makes sense when you consider that Cisco's most recent security audit report found that 91 per cent of all web-based exploits in 2013 took advantage of Java vulnerabilities.

    Errr ... as long as the OS on which it's running is ... (fill in appropriately)

    I for one would welcome comments from authors of plugins for said OS as to why they could be difficult to secure

    1. Anonymous Coward

      Re: Why?

      Do you know that OSX and Linux can be compromised via Java as well?

    2. Anonymous Coward

      Re: Why?

      "Errr ... as long as the OS on which it's running is ... (fill in appropriately)"

      Android?

  11. Destroy All Monsters Silver badge
    Holmes

    Well, Java was the first to sandbox stuff.

    Yes .... Even if it turned out later that the sandbox was leaking all over the place. Imagine what would have happened if Microsoft had managed to push its own "optimized" version.

    Anyway, these days interactive stuff is running as JavaScript in the browser (and what amazing stuff it is) and the whole application stack complete with MVC core is moving back from the server to the browser so I expect the attack surface to increase markedly there - unless people now know what they are doing. Hah.

    Next sandbox: run the whole browser in its own VM.

  12. DerekCurrie
    Windows

    Seeing As Microsoft Started Hating Java After Sun Legally Flushed J++ in 2001…

    … I'm extremely surprised Microsoft didn't take a dump on Java in IE years ago!

    For newbies, some background: See the section "Sun's litigation against Microsoft" in the following article:

    http://en.wikipedia.org/wiki/Visual_J++

    BTW: Some surprising Java news this week: Oracle has now begun babysitting Java on the Internet by deactivating its JRE at the time of any new security update, or after a pre-configured time period. Profoundly embarrassing to stupid Oracle, but a necessary step seeing as Oracle destroyed Java sandboxing, the fools.

    1. Not That Andrew

      Re: Seeing As Microsoft Started Hating Java After Sun Legally Flushed J++ in 2001…

      I'm pretty sure sandboxing was borked before Oracle got their hands on Java.

  13. Bucky 2

    but not Vista?

    I'm puzzled. Isn't Vista a supported operating system?

    I mean, I know that it's not well-loved. But why go out of the way to specifically exclude it from the update?

    1. Ken Hagan Gold badge

      Re: but not Vista?

      I'm puzzled too, but for a different reason.

      "Only IE8 and later will get it, and then only when they're running on Windows 7 SP1 or Windows 8.x."

      What sequence of dodgy upgrades do you have to dance to end up with IE8 on Win7sp1?

      1. Dan Paul

        Re: but not Vista?

        Isn't IE 8 the earliest version that was compatible with Windows 7?

        Then they say that only Win 7 SP1 and Win 8.1 will be given this capability because they are the only compatible (and most secure) os's.

  14. Henry Wertz 1 Gold badge

    A bit disingenuous?

    "While that may sound harsh, it's actually generous."

    It actually sounds a bit disingenuous to have Java as the ONLY thing on the list; what about insecure Flash versions, old/insecure Silverlight versions, those ActiveX Office plugins of various types, and a slew of other ActiveX with serious security problems? But *shrug*, anyway, it's true they at least are not blocking current version.

  15. chris lively

    "Internet Explorer will begin alerting users when web pages try to launch ActiveX controls that are considered out-of-date and potentially insecure."

    All ActiveX controls will be blocked by default? Woot!

    "Microsoft will maintain the list of verboten ActiveX controls itself and will update it as new versions are released or new vulnerabilities are uncovered."

    Oh... So typical Microsoft crap. They have a good idea and, as usual, barely implement the important bits.

    1. Anonymous Coward

      "All ActiveX controls will be blocked by default? Woot!"

      You can choose to do that.

      Default setting is that they require to be signed / not blacklisted / and you must approve them individually on execution
