
ActiveX blocked by default in Microsoft 365 because remote code execution is bad, OK?

(2025/04/15)


Microsoft has twisted the knife into ActiveX once again, setting Microsoft 365 to disable all controls without so much as a prompt.

The change replaces the previous default setting, "Prompt me before enabling all controls with minimal restrictions," which relied on the user understanding the implications before blithely giving permission. Since ActiveX controls reach deep into the system, allowing them to run with "minimal restrictions" can open a user's system up to malicious folk and social engineering attacks.

[1]According to Microsoft: "The new default setting is more secure because it blocks these controls entirely, reducing the risk of malware or unauthorized code execution."

Getting ActiveX to work will require opening the Trust Center and re-enabling the prompt to allow controls. This assumes administrators have given users permission to access the ActiveX settings page.
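For administrators who want to confirm what their users will actually see, here is an added PowerShell audit check (not from the article or from Microsoft). It assumes the Trust Center "disable all ActiveX" setting lives in the registry locations and value name given below, which are taken from Microsoft's Office policy templates rather than from this article; verify them against the Office build you manage before relying on the output.

```powershell
# Added example: report the effective ActiveX Trust Center setting for the
# current user and whether an administrator policy locks it.
# Registry paths and value name are ASSUMED (from Office policy templates,
# not from the article); confirm them for your Office build.
$UserKey   = 'HKCU:\Software\Microsoft\Office\Common\Security'               # assumed
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security' # assumed
$ValueName = 'DisableAllActiveX'                                            # assumed

function Get-ActiveXState {
    # Returns the DWORD at $Key\$ValueName, or $null if the key/value is absent.
    param([Parameter(Mandatory)][string]$Key)
    if (-not (Test-Path -Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    if (-not ($item.PSObject.Properties.Name -contains $ValueName)) { return $null }
    return [int]$item.$ValueName
}

$policy = Get-ActiveXState -Key $PolicyKey
$user   = Get-ActiveXState -Key $UserKey

# A value under Software\Policies is admin-managed and overrides the user's
# own Trust Center choice; the Trust Center page is then read-only for them.
$effective = if ($null -ne $policy) { $policy } else { $user }

# 1    = all ActiveX controls blocked without a prompt (the new default)
# 0    = not blocked; the prompt / per-control behaviour applies
# null = nothing written, so the application's built-in default applies
# (on a current Microsoft 365 build that built-in default is "blocked")
$effectiveText = switch ($effective) {
    1       { 'Blocked (all controls disabled, no prompt)' }
    0       { 'Not blocked (prompt / per-control behaviour applies)' }
    default { 'Not set (application built-in default applies)' }
}

[pscustomobject]@{
    PolicyValue    = $policy
    UserValue      = $user
    LockedByPolicy = ($null -ne $policy)
    Effective      = $effectiveText
}
```

Run it in the user's own session (the values are per-user under HKCU); a `LockedByPolicy` of `True` with `PolicyValue` 0 is the combination worth flagging, since it re-enables the prompt for every user the policy reaches.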


ActiveX sprung from other Microsoft attempts at component-based engineering such as Object Linking and Embedding (OLE) and the Component Object Model (COM). The technology debuted last century and Microsoft deprecated it years ago.

It proved popular as a way to glue together Microsoft's productivity applications and build corporate workflows, but it was also exploited to attack systems. [5]Drop a malicious ActiveX control into a document, convince a user to open it, and hey presto! Potential remote code execution!


Therefore, Microsoft is making it progressively more difficult for users to enable ActiveX. Today's change [10]first turned up in Office 2024 LTSC and is now rolling out to Microsoft 365 subscribers.

However, the need for backward compatibility means ActiveX is still hanging around. Its potential replacements – such as the [11]Office Add-ins platform – can't fully match its capabilities while maintaining the same security posture. And many enterprises have decades of investment in code and processes built on ActiveX, making re-engineering a daunting task.


That said, the default setting in Microsoft 365 marks what may be the final step in Microsoft's journey to remove the technology once and for all from its productivity suite. After all, the company took the once unthinkable step of [13]deprecating VBScript in 2024, flagging it for removal in a future version of Windows. ActiveX support appears to be on the same long overdue path. ®



[1] https://techcommunity.microsoft.com/blog/microsoft365insiderblog/activex-disabled-by-default-in-microsoft-365/4403157

[5] https://www.theregister.com/2021/09/07/microsoft_office_zero_day/

[10] https://www.theregister.com/2024/09/18/microsoft_office_ltsc_2024/

[11] https://learn.microsoft.com/en-us/office/dev/add-ins/overview/office-add-ins

[13] https://www.theregister.com/2024/05/23/windows_11_24h2_vbscript/

well

Anonymous Coward

Outlook has been telling me for over a year that the Teams plugin has been disabled as it's a security risk.

So I'm presuming this might have something to do with it?

ActiveX?

heyrick

That's still a thing? Next you'll be telling me some important site still relies upon Flash...

Re: ActiveX?

Mentat74

Or Microsoft Silverlight...

Laughable security

itzumee

I recall developing an ActiveX control that was basically a drop-in component encapsulating the NNTP reader component of Outlook Express way back when. If my code implemented particular interfaces relating to security then my ActiveX control would basically be signalling itself as a safe and trustworthy control! Of course, I'm talking about unsigned ActiveX controls within an enterprise environment so there's a certain level of trust assumed but no-one checked what my code did and the NNTP reader control was just rolled out to anyone browsing a particular page on the company's intranet.

Embrace, Extend, Extinguish

ecofeco

M$ forced needless Active Cra-X on us for years and now, NOW says, oops our bad?

Triple E strikes again.

Microsoft... acknowledges shitty design?

John Klos

Microsoft is SO GOOD at reinventing a thing, poorly, with long term security issues. I don't know that professional programmers with that goal could make those kinds of problems on purpose.

It's good to see that they're capable, finally, of admitting when something is shitty. For how many decades did people have to endure macro viruses in documents JUST IN CASE someone might use macros and wouldn't want others to have to answer a prompt or something.

"You say there are two types of people?"
"Yes, those who separate people into two groups and those that don't."
"Wrong. There are three groups:
Those who separate people into three groups.
Those who don't separate people into groups.
Those who can't decide."
"Wait a minute, what about people who separate people into two groups?"
"Oh. Okay, then there are four groups."
"Aren't you then separating people into four groups?"
"Yeah."
"So then there's a fifth group, right?"
"You know, the problem is these idiots who can't make up their minds."