Microsoft finally working to resolve known ActiveX vulnerabilities in Office Suite: Fixes appear limited to 2024 version

Duane Mitchell • September 11, 2024

Microsoft is making significant changes to its Office 2024 suite. When the suite is released in October 2024, ActiveX controls will be disabled by default. This move aims to enhance security and reduce potential vulnerabilities that have been exploited in the past. Unfortunately, these security changes will be applied by default only in the newest 2024 version of the product, potentially leaving users of older versions exposed to these well-known and frequently exploited vulnerabilities in the Microsoft Office product line.

ActiveX has been a part of Office since 1996, allowing for interactive elements within documents. However, its use has declined over time due to security concerns. The upcoming change will affect Word, Excel, PowerPoint, and Visio in their desktop versions. While users won’t be able to interact with or create new ActiveX objects, some existing ones will remain visible as static images.

Key Takeaways

  • Microsoft Office 2024 will disable ActiveX controls by default for improved security.
  • The change affects desktop versions of Word, Excel, PowerPoint, and Visio.
  • Legacy ActiveX objects will remain visible as static images in documents.

Gradual Implementation of Changes

The transition away from ActiveX controls in Microsoft Office will happen in phases. Office 2024 for Win32 desktop programs will be the first to disable these controls by default when launched. Microsoft 365 apps will follow this change in April 2025.

For users of non-commercial Office versions like Home & Student, a message will appear when trying to use an ActiveX object. This notification will explain the new default setting.

People who still need ActiveX in their Office files have options:

  1. Adjust Trust Center settings
  2. Edit the registry
  3. Change group policy settings

These steps allow manual activation of the feature. The shift affects key Office programs:

  • Word
  • Excel
  • PowerPoint
  • Visio

This update impacts both standalone Office and Microsoft 365 Apps for Enterprise. It’s a significant change in how Office handles certain interactive elements in documents.

Re-enabling ActiveX Controls

To re-enable ActiveX controls in Office applications, users have two main options. The first involves changing settings within the software itself. Open any Office program, click on “File,” then “Options,” and find the “Trust Center” tab. From there, enter “Trust Center Settings” and locate “ActiveX Settings.” Pick the choice that prompts before enabling controls.

The second method uses system-level changes. Edit the Windows registry or use Group Policy tools to find the Office security settings. Look for the option that disables all ActiveX controls and set its value to zero. This tells Office to allow these controls to function again.

ActiveX: A Magnet for Security Threats

ActiveX has become a prime target for cybercriminals over time. This technology has been used in various malicious campaigns, putting users at risk. Hackers have found ways to exploit ActiveX vulnerabilities to steal data and spread malware.

Some notable incidents include:

  • A hacking group targeted South Korean websites using ActiveX flaws
  • The TrickBot malware used ActiveX to download malicious code via Word documents
  • Attackers leveraged ActiveX in Office 365 to install Cobalt Strike tools

These examples show how ActiveX can be a weak point in system security. Cybercriminals often use phishing emails to deliver infected files. Once opened, these files can trigger ActiveX controls to run harmful code.

The ongoing security issues with ActiveX highlight the need for caution when dealing with this technology. Users and organizations should be aware of the risks and take steps to protect themselves from potential ActiveX-based attacks.
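
One step defenders can take is to inventory which documents actually carry ActiveX controls, both to triage incoming attachments and to see which files the new default will affect. The sketch below is an added example, not code from Microsoft or this article; it assumes Office Open XML packages (.docx, .xlsx, .pptx and their macro-enabled variants), which store each control definition in an `activeX/activeXN.xml` part, and it does not cover legacy binary formats. The sample package and its all-zero class ID are constructed placeholders.

```python
import io
import re
import zipfile

# OOXML packages keep each control definition in an activeX/activeXN.xml part.
AX_PART = re.compile(r"(^|/)activeX/activeX\d+\.xml$", re.IGNORECASE)
CLASSID = re.compile(rb'classid\s*=\s*"(\{[0-9A-Fa-f-]{36}\})"')
MAX_PART = 64 * 1024  # bounded read: the document is untrusted input


def find_activex(data: bytes) -> list[dict]:
    """Return one record per ActiveX control part found in an OOXML package."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []  # not a ZIP container (e.g. legacy .doc/.xls): out of scope
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not AX_PART.search(name):
                continue
            # Regex over a size-limited read instead of an XML parser, so a
            # hostile part cannot abuse entity expansion or decompression.
            with pkg.open(name) as part:
                head = part.read(MAX_PART)
            match = CLASSID.search(head)
            found.append(
                {"part": name, "classid": match.group(1).decode() if match else None}
            )
    return found


def build_sample(with_control: bool) -> bytes:
    """Constructed sample package; the class ID is a made-up placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        if with_control:
            pkg.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
                'ax:classid="{00000000-0000-0000-0000-000000000000}" '
                'ax:persistence="persistStorage"/>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    for label in (False, True):
        print(label, find_activex(build_sample(label)))
```

A reported class ID identifies which control the document asks Office to load, so it can be compared against the controls an organization actually expects to see.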

Microsoft tightens Office security by disabling legacy features

Microsoft is taking steps to improve Office security. The company is turning off old features that hackers often use to attack computers. This effort began in 2018 when Microsoft added new scanning tools to Office 365 apps.

In 2021, Microsoft made Excel safer by scanning for harmful macros. The next year, they turned off macros in Excel by default. They also stopped macros from running in files from the internet.

Here are some key security updates:

  • 2018: New scanning tools added to Office 365
  • 2021: Improved Excel macro scanning
  • 2022: Macros disabled by default in Excel
  • 2022: Web-downloaded file macros blocked
  • 2023: Untrusted XLL add-ins blocked

These changes aim to reduce the ways attackers can get into systems. Microsoft Office 2024 is expected to continue this trend with more security-focused updates. Users can look forward to a safer Office experience with these ongoing improvements.

Common Questions About Office ActiveX Security

How to Get the Latest Office Version with Better ActiveX Protection?

To get the newest Microsoft Office with improved ActiveX security:

  1. Check your current version
  2. Back up important files
  3. Visit the official Microsoft website
  4. Download Office 2024
  5. Run the installer
  6. Follow on-screen instructions
  7. Activate your new license

Remember to keep automatic updates on for future security patches.

Protecting Against Recent Office Remote Code Flaws

To guard against newly discovered Office remote code execution vulnerabilities:

  • Install all security updates promptly
  • Use caution when opening email attachments
  • Enable Protected View for Office files
  • Keep antivirus software up-to-date
  • Be wary of macros in documents from unknown sources

Risks for Users of Older Office Versions

Users of Office 2016 and earlier face higher risks from ActiveX vulnerabilities:

  • More exposure to potential attacks
  • Lack of latest security features
  • Fewer updates and patches available
  • Increased chance of compatibility issues
  • Higher likelihood of performance problems

Upgrading to a newer version is strongly recommended for better security.

Outlook Versions Affected by CVE-2024-21413

The CVE-2024-21413 vulnerability impacts several Outlook versions. Affected users should:

  • Update to the latest Outlook version if possible
  • Install security patches as soon as they’re available
  • Use caution when opening emails from unknown senders
  • Disable automatic loading of remote content
  • Consider using alternative email clients temporarily

Key Points About Recent Office C2R Security Updates

  • Fixes for critical security flaws
  • Performance improvements
  • Enhanced protection against phishing attacks
  • Updates to built-in security features
  • Patches for known ActiveX vulnerabilities

Users should ensure automatic updates are enabled to receive these improvements.

Keeping Excel Up-to-Date with Security Patches

To ensure Excel has the latest security patches:

  1. Open Excel
  2. Go to File > Account
  3. Click “Update Options”
  4. Select “Update Now”
  5. Restart Excel after updates install

Enable automatic updates for consistent protection. Check for updates regularly if using manual mode.
