Microsoft Office: ActiveX is turned off
It's been quiet for a while, but ActiveX is still around. Upcoming Microsoft Office versions will finally switch off support. At least almost.
(Image: IB Photography/Shutterstock.com)
Microsoft has announced that ActiveX support will be switched off by default with the next Microsoft Office versions. This means that the end of ActiveX components, which are considered to be extremely insecure, is approaching inexorably.
Microsoft has explained the changes in the Admin Message Center. "The setting for ActiveX objects will change from 'Ask before enabling all controls with minimal restrictions' to 'Disable all controls without notification'. This change affects the Win32 desktop versions of Word, Excel, PowerPoint and Visio," Microsoft writes there. The setting corresponds to the already existing group policy "DisableAllActiveX".
Practical implications
For the upcoming Microsoft Office 2024, the changes will come into force on the release date in October of this year. Anyone using Microsoft 365 apps will have the changes applied to their systems as part of a phased roll-out from April 2025. "Users will no longer be able to create or interact with ActiveX objects in Office documents if this change has been implemented," explains Microsoft. "Some existing ActiveX objects will remain visible as a static image, but it will not be possible to interact with them."
Videos by heise
According to Microsoft, a message about blocked content will appear in "non-commercial SKUs" of Office in such a case: "BLOCKED CONTENT: Default Setting for ActiveX Controls have changed. Please go to Trust Center to review your ActiveX settings", can be read on a screenshot.
ActiveX: Not completely thrown out again
However, Microsoft is still not pulling the plug on ActiveX for good. IT managers can restore the current behavior by setting the group policy "Disable All ActiveX" to "0", for example. Affected users, on the other hand, can either reset the Trust Center in the ActiveX settings to 'Ask before activating all controls with minimal restrictions'. Or setting the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security\DisableAllActiveX to "0" has the same effect, Microsoft explains.
ActiveX has been considered inherently insecure since at least 2003. Heise head of security JĂĽrgen Schmidt wrote in a commentary at the time: "The security advisories from Symantec and Trend Micro show that there is no such thing as a "secure ActiveX control"." Since then, Microsoft has often tinkered with the ActiveX system, for example by enabling the deactivation of individual ActiveX modules in Internet Explorer. But in the end, ActiveX always proved to be a potential gateway for malware and cybercriminals.
(dmk)
