- Microsoft 365 will start blocking ActiveX by default
- The “powerful” tool put users at risk of remote code execution
- Users won’t be able to create or interact with ActiveX objects
Microsoft has revealed ActiveX will be disabled by default in Microsoft 365 starting this month, citing security as the company’s key deciding factor.
In a blog post, Microsoft Office Security Product Manager Zaeem Patel acknowledged while ActiveX, which enables rich interactions within Microsoft 365 applications, is a “powerful technology,” however it’s also one that comes with associated security risks thanks to the amount of access it has to a user’s system.
From April 2025, Microsoft will disable all controls without notification by default across Microsoft Word, Microsoft Excel, Microsoft PowerPoint and Microsoft Visio.
Microsoft starts blocking ActiveX by default this month
Patel criticized previous default settings for putting users at risk of being exploited by attackers through social engineering or malicious files.
A successful ActiveX attack could grant malicious actors access to remote code execution, putting a victim’s system and the entire organization’s network at risk.
Enabling ActiveX now requires manual action through the Trust Center, and that’s assuming system admin permissions allow access to this. Users without access will see the option greyed out, instead.
“When ActiveX is disabled, you will no longer be able to create or interact with ActiveX objects in Microsoft 365 files,” Patel confirmed.
Described as “small building blocks that create applications that work over the Internet through Web browsers,” Microsoft explains in a separate support page how ActiveX controls can be used for command buttons, list boxes and dialog boxes.
“Some existing ActiveX objects will still be visible as a static image, but it will not be possible to interact with them,” Patel added.
Beta Channel users are already being affected with the change, with Current Channel (Preview) users running Version 2504 (Build 18730.20030) or later also experiencing the change this month.
In an apparent acknowledgement that some users may not be happy about the change and the fact that there’s no real direct replacement, Microsoft is offering to collect feedback via File > Feedback in any Microsoft 365 app.
Leave a comment