Microsoft 365 Will Turn Off ActiveX, Because Hackers Keep Using It

Microsoft Office has supported ActiveX for years arsenic an enactment for extending and automating documents, but it has besides been a important information vulnerability. Microsoft is yet starting to crook disconnected ActiveX successful the Microsoft 365 apps, pursuing a akin determination successful past year’s Office 2024 package.

Starting this month, the Windows versions of Microsoft Word, Excel, PowerPoint, and Visio successful Microsoft 365 volition disable each ActiveX contented by default without showing a notification. The Mac and web-based versions of the Office apps ne'er supported ActiveX contented successful the archetypal place.

Microsoft said successful a blog post, “The erstwhile default setting, ‘Prompt maine earlier enabling each controls with minimal restrictions,’ allowed you to alteration perchance unsafe ActiveX controls, which could beryllium exploited by attackers done societal engineering oregon malicious files. The caller default mounting is much unafraid due to the fact that it blocks these controls entirely, reducing the hazard of malware oregon unauthorized codification execution.”

This alteration was already implemented successful Microsoft Office 2024, but present it’s coming to the subscription-based Microsoft 365 apps arsenic well. It’s disposable present successful the Beta Channel for Version 2504 (Build 18730.20030) oregon aboriginal of the apps, and the alteration should rotation retired to everyone connected Windows soon.

Importantly, ActiveX is not being wholly removed from the Office apps. Some organizations mightiness inactive alteration the feature, and idiosyncratic accounts tin toggle by navigating to File > Options > Trust Center > Trust Center Settings > ActiveX Settings > Prompt maine earlier enabling each controls with minimal restrictions.

Bye Bye, ActiveX

Microsoft released the archetypal mentation of ActiveX successful 1996, allowing websites successful Internet Explorer and documents successful Microsoft Office to embed analyzable codification and interactive content. For example, ActiveX controls beryllium utilized to make buttons and checklists successful Office documents, which could modify the papers oregon execute outer actions erstwhile clicked.

ActiveX did person immoderate morganatic uses, but it is acold much fashionable for phishing and malware. There person been many information exploits successful ActiveX that allowed a seemingly-safe Word oregon PowerPoint papers to modify Windows settings and files. It was besides a predominant information and privateness hazard successful Internet Explorer, and it was ne'er ported to its replacement, Microsoft Edge.

Microsoft yet updated the Office apps to not tally ActiveX contented automatically, but immoderate malicious files tin successfully trick radical into clicking the ‘Enable Content’ button. Microsoft removing that enactment by default volition assistance trim those attacks, portion inactive allowing ActiveX contented to tally if perfectly necessary.

This alteration seems similar the past measurement earlier removing ActiveX from Office apps entirely, but it’s not wide erstwhile (or if) that volition happen. Some documents lone enactment decently with ActiveX, and Microsoft’s newer Add-ins platform isn’t a implicit replacement. This is astir arsenic unafraid arsenic ActiveX tin get.

Microsoft started automatically blocking Visual Basic for Applications (VBA) macros successful Office documents back successful 2022, which were besides often utilized for malware distribution. That alteration was rolled retired crossed each editions of Office apps that were supported astatine the time, including Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013.

Source: Microsoft 365 Insider Blog