Microsoft is trying to kill ActiveX controls in Office for good


In context: Microsoft introduced ActiveX in 1996, during the Windows 95 days. So, in technological terms, it’s ancient. Redmond designed it as a developer framework, allowing users to embed interactive objects into Windows applications and Internet Explorer. However, ActiveX eventually became a security threat that the tech giant’s engineers are understandably trying to remove.

Despite being nearly 30 years old, Microsoft still supports ActiveX in Windows. Microsoft deprecated the technology long ago, but some of the most popular Win32 applications use it. Cybercriminals also love ActiveX, so Microsoft is taking measures to reduce the attack surface provided by the controversial framework.

The Microsoft 365 Admin Center recently published a warning that developers would soon disable ActiveX controls in Office applications by default. The change will affect Word, Excel, PowerPoint, and Visio. The target date for Office 2024 is October 2024, while Microsoft 365 apps have until April 2025.

Microsoft plans to release the next stand-alone upgrade for Office 2024 this year. The suite’s default configuration setting for ActiveX objects will now change from “Prompt me before enabling all controls with minimal restrictions” to “Disable all controls without notification.”

Once the changes occur, users can no longer create or interact with ActiveX objects in Office documents. Some existing ActiveX controls will be visible as static images, but no further action will be possible.

There will be no visible indication of the sudden death of ActiveX controls, except in non-commercial Office suite SKUs. The new default setting is equivalent to the DisableAllActiveX setting in the Group Policy snap-in tool. However, resourceful users can re-enable ActiveX support in Office using the Group Policy editor, the Registry, or the Microsoft Office Trust Center in individual Office applications.

Widely used in Internet Explorer, ActiveX has long been a risky relic of a bygone technology era. Programmers and companies would be better off replacing and abandoning the framework altogether. Bad actors have abused Windows users by exploiting the many significant security threats ActiveX has presented over the years, including by running compiled code within Office documents to install a malware payload targeting corporate networks with relative ease.
