September 13, 2016 9:00 am

Blocking out-of-date Flash ActiveX controls on IE11

Update (October 11, 2016): As of today, out-of-date Flash ActiveX control blocking for IE11 is live. The blocking period will continue till November 10, 2016. As you update, remember to leave the “Install updates automatically when available” recommended setting enabled! This will allow Adobe Flash Player to update automatically when new security updates are available, so you never have to worry about being out-of-date again. For more details, please see the rest of the post below.

Note: Customers running Windows Server 2012 R2, Windows 8.1, and Windows 10 are not impacted by this change. By default, Windows Update will automatically install important Flash updates as they become available for Internet Explorer and Microsoft Edge on those systems.

Starting on October 11, 2016, we’re expanding the out-of-date ActiveX control blocking feature to include outdated versions of Adobe Flash Player. This update notifies you when a Web page tries to load a Flash ActiveX control older than (but not including):

  • Adobe Flash Player version 21.0.0.198
  • Adobe Flash Player Extended Support Release version 18.0.0.241

You can continue to view the complete list of out-of-date ActiveX controls being blocked by this feature here.

Supported configurations and scope of out-of-date Flash ActiveX control blocking

Unlike out-of-date Java and Silverlight blocking, the following caveats are additionally applicable to out-of-date Flash ActiveX control blocking.

Supported configurations

Out-of-date Flash ActiveX control blocking only applies to Internet Explorer 11 on Windows 7 SP1 or Windows Server 2008 R2 SP1.

Scope

First, with out-of-date Flash ActiveX control blocking, Internet Explorer will only warn you once per tab process. All subsequent out-of-date Flash ActiveX controls will be allowed.

Second, users who are not members of the Local Administrators group on the PC will not see any out-of-date Flash ActiveX control blocks.

Security note:

If you would like out-of-date Flash blocking to apply to all users, including non-members of the Administrators group, run the following command from a command prompt:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v NonAdminSuppressEnabled /t REG_DWORD /d 0 /f

Finally, the term of out-of-date Flash ActiveX control blocking will end on November 10, 2016.

Enterprise testing for out-of-date Flash ActiveX control blocking

Remember, out-of-date ActiveX controls aren’t blocked in the Local Intranet Zone or the Trusted Sites Zone, so your intranet sites and trusted line-of-business apps should continue to use ActiveX controls without any disruption.

If you want to see what happens when a user goes to a Web page with an out-of-date Flash ActiveX control after October 11, 2016, you can run this test:

  • On a test computer, install the most recent cumulative update for Internet Explorer.
  • Open a command prompt and run this command to stop downloading updated versions of the versionlist.xml file:
    reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /fImportant: After you’re done testing, delete this registry key. If you don’t, this computer will stop receiving the updated VersionList.xml file with all of the out-of-date ActiveX controls. Because of this, we don’t recommend setting this registry key in your production environment.
  • Copy the test versionlist-TEST.xml file from here to %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\
  • Rename this file to versionlist.xml. Make sure you agree to overwrite any existing file.Important: After you’re done testing, replace this file with its production version from here. We don’t recommend manually changing the versionlist.xml file in your production environment.
  • Restart Internet Explorer.

You’ll now get an out-of-date ActiveX control blocking notice when a Web site tries to load an outdated Flash ActiveX control.

Screen capture displaying an error: "Flash Player was blocked because it is out of date and needs to be updated" with "Update" and "Run this time" buttons.

If you need more time to minimize your reliance on outdated Flash ActiveX controls, see the Out-of-date ActiveX control blocking on managed devices section of the Out-of-date ActiveX control blocking topic.

― Jasika Bawa, Program Manager, Enterprise & Security

Updated October 11, 2016 11:39 am

Join the conversation

  1. Good to see the efforts, you really should extend this to ALL Flash controls. 😛 Based on how many security “updates” I’ve seen in my Windows 10 log, that thing is better disabled than not.

    • Hi Malte – The October release (yesterday’s Windows Update package) should have this fixed. Let me know if you continue to see issues.