Users who are unprepared for changes that Microsoft has made to the way its Internet Explorer browser handles ActiveX can get a reprieve, the company said yesterday.
The software vendor's latest round of security patches, released on Tuesday, alters the way that IE processes dynamic content such as QuickTime or Java. The changes, made in response to a 2003 patent lawsuit loss to the University of California and Eolas Technologies, have forced developers to reprogram parts of their web applications.
This has caused problems, in particular for users of commercial software that is accessed via Internet Explorer. Some versions of Oracle's web-based Siebel client, for example, were rendered inoperable by the changes. Most vendors have fixed their server software so that there is little disruption, but there may still be some applications that have problems. A list of such applications can be found here.
Microsoft has gradually been rolling these changes into various IE updates for several months now. Until yesterday, users who weren't prepared could download a "compatibility patch" that would undo the ActiveX changes, but that compatibility patch is rendered inoperable by the latest IE security update.
However, Microsoft is providing some users with a reprieve, said Stephen Toulouse, a security program manager with Microsoft's Security Response Center.
"We're urging those customers to contact their Microsoft technical account managers so we can look at what solutions they can provide," said Toulouse. Microsoft can help in deploying the newer version of the web application or it can extend the life of the compatibility patch, he said.
As with the earlier compatibility software, this patch is being delivered as a custom hotfix, which means it must be installed manually, said Jeff Centimano, an IT consultant based in Kansas City, Missouri.
It is not being made public, but will be delivered to select customers who contact Microsoft, Toulouse said.
Although Microsoft has given users and software vendors months to prepare for these ActiveX changes, it has not been enough time for everyone, Centimano said. Some users have ended up blocking the latest IE security updates in order to keep their web applications running, he added, a move that puts them at risk now that exploits have been published for the latest IE flaws.
"It would have been better if we'd had more time," Centimano said. "But with IT people, unless you light a fire under them, they're not going to take a hard look at their applications."