Microsoft postpones IE’s Java blocking after IT complains

Microsoft has postponed the implementation of Java blocking within Internet Explorer (IE), saying it will now give customers a little less than another month to deal with the unexpected change.

In an Aug. 10 addendum to a blog published four days earlier, Microsoft notified customers running Windows 7 and Windows 8 that it was pushing back the switch-on date for blocking outdated ActiveX controls.

“Based on customer feedback, we have decided to wait … before blocking any out-of-date ActiveX controls,” the company said. “The feature and related Group Policies will still be available on August 12, but no out-of-date ActiveX controls will be blocked until Tuesday, September 9.”

The latter date is next month’s “Patch Tuesday,” the regularly-scheduled release of security updates the firm has used since 2003.

Initially, Microsoft had said that the feature — which debuted in yesterday’s update to IE8, IE9, IE10 and IE11 for Windows 7, and to IE10 and IE11 for Windows 8 and 8.1 — would immediately begin blocking old versions of Oracle’s Java ActiveX control.

Microsoft characterized the blocking as a security improvement — in truth, rival browsers have had a similar or even more aggressive tool for years — and said it would add other ActiveX controls to the banned list over time.

When the tool is turned on, IE will show a warning if it tries to call an obsolete Java ActiveX control: for Java 8, any version except for mid-July’s Java SE 8 Update 11. Users will be able to choose between ignoring the alert or updating the Java control. IT administrators can manage the notifications on workers’ PCs using Group Policy settings, including one that turns off the warning altogether and another that prevents employee overrides.

The rationale for deferring the blocking — “customer feedback” — is software vendor-speak for “customer complaints.”

The one-month delay did seem to be in response to IT complaints of a too-fast pace: Microsoft only made the Group Policy template available last weekend, and first published a how-to for administrators and IT staff today.

And among the scores of comments left on last week’s blog, some questioned Microsoft’s original timetable.

“How about some notice before doing it!!! The idea is good, but documentation released [Aug.] 7 and implementation of security update on Aug. 12? What person made that stupid decision?” asked a reader identified as “UK ENTERPRISE” last week.

Other organizations’ administrators bemoaned the feature in more general terms. “If general Web surfing generates calls to the Help Desk from angry users saying they want to upgrade Java, then that is a big problem,” added “Bruce S” on Aug. 7.

And some had unanswered questions. “Will this be enabled by another update released on 9/9 (Patch Tuesday) or will the patch released on 8/12 include date-triggered functionality?” asked “Still Unclear.”

Microsoft rolled out an outdated-ActiveX blocking tool in IE8 through IE11 on Tuesday, but now won’t flip the activation switch until Sept. 9. (Image: Microsoft.)

Microsoft included the ActiveX blocking feature in yesterday’s browser security update — identified as MS14-051 — so unless customers want to forego the 26 IE patches in that bulletin, they must live with the change.

The company has published more information about the blocking on its TechNet website.

Read more about security in Computerworld’s Security Topic Center.