Article Details

Scrape Timestamp (UTC): 2025-04-15 12:28:28.240

Source: https://www.theregister.com/2025/04/15/activex_microsoft_365/

Original Article Text


ActiveX blocked by default in Microsoft 365 because remote code execution is bad, OK?

Stopping users shooting themselves in the foot with last century's tech.

Microsoft has twisted the knife into ActiveX once again, setting Microsoft 365 to disable all controls without so much as a prompt. The change replaces the previous default setting, "Prompt me before enabling all controls with minimal restrictions," which relied on the user understanding the implications before blithely giving permission.

Since ActiveX controls reach deep into the system, allowing them to run with "minimal restrictions" can open a user's system up to malicious folk and social engineering attacks. According to Microsoft: "The new default setting is more secure because it blocks these controls entirely, reducing the risk of malware or unauthorized code execution."

Getting ActiveX to work will require opening the Trust Center and re-enabling the prompt to allow controls. This assumes administrators have given users permission to access the ActiveX settings page.

ActiveX sprang from other Microsoft attempts at component-based engineering such as Object Linking and Embedding (OLE) and the Component Object Model (COM). The technology debuted last century and Microsoft deprecated it years ago. It proved popular as a way to glue together Microsoft's productivity applications and create corporate workflows, but it was also exploited to attack systems. Drop a malicious ActiveX control into a document, convince a user to open it, and hey presto! Potential remote code execution!

Therefore, Microsoft is making it progressively more difficult for users to enable ActiveX. Today's change first turned up in Office 2024 LTSC and is now rolling out to Microsoft 365 subscribers.

However, the need for backward compatibility means ActiveX is still hanging around. Its potential replacements – such as the Office Add-ins platform – can't fully match its capabilities while maintaining the same security posture. And many enterprises have decades of investment in code and processes built on ActiveX, making re-engineering a daunting task.

That said, the default setting in Microsoft 365 marks what may be the final step in Microsoft's journey to remove the technology once and for all from its productivity suite. After all, the company took the once unthinkable step of deprecating VBScript in 2024, flagging it for removal in a future version of Windows. ActiveX support appears to be on the same long overdue path.

Daily Brief Summary

CYBERCRIME // Microsoft 365 Introduces Stricter Controls on ActiveX Usage

Microsoft has updated the default settings for ActiveX in Microsoft 365, disabling all controls by default to reduce the risk of unauthorized remote code execution.

Previously, Microsoft 365 presented a prompt asking users before enabling ActiveX controls, which relied heavily on user comprehension of potential security risks.

ActiveX technology, a relic from last century's software development practices, has been known for vulnerabilities that could lead to system exploitation through social engineering and malware.

Microsoft's decision comes as part of a larger strategy to phase out outdated technologies, such as VBScript and ActiveX, which remain in use largely because of the vast number of legacy corporate workflows that depend on them.

Users who require ActiveX can re-enable it through the Trust Center, assuming administrators have granted them access to the ActiveX settings page.

Despite its reduction in usage, ActiveX remains part of Microsoft's ecosystem due to its historical importance in integrating productivity applications and business processes.

This move marks a significant, perhaps final step in Microsoft's long-term plan to eliminate less secure technologies from its software suite to protect users from potential cyber threats.