Commencing with the release of Office 2024 in October, Microsoft will implement the deactivation of ActiveX controls as the default setting in the Office suite. This move is likely a response to the numerous security vulnerabilities that have been exploited in the past.
ActiveX, which dates back to 1996, has long been employed for embedding interactive elements like buttons or forms within Office documents. Initially utilized to load multimedia content such as videos in Internet Explorer, ActiveX is no longer supported in Microsoft’s latest Edge browser.
Following the disabling of ActiveX, Office users will lose the ability to interact with ActiveX objects or create new ones. However, certain legacy ActiveX objects will persist as static images.
According to an entry in the Microsoft 365 Message Center dated September 6, the default configuration setting for ActiveX objects in the new Office 2024 will change from ‘Prompt me before enabling all controls with minimal restrictions’ to ‘Disable all controls without notification.’ This alteration applies to the Win32 desktop versions of Word, Excel, PowerPoint, and Visio.
The Transition Will Take Place in Incremental Phases
Users of non-commercial versions of Office, like Office Home & Student, will receive a notification when attempting to interact with an ActiveX object. The notification will read: “The new default setting equates to the existing DisableAllActiveX group policy setting.”
The rollout of this change will be conducted in stages. Immediately upon launch, Office 2024 for Win32 desktop applications will have ActiveX controls deactivated by default, followed by Microsoft 365 apps in April 2025.
Users in need of utilizing ActiveX in Office documents will have to proactively enable the feature through settings adjustments in the Trust Center, registry modifications, or group policy configurations.
Enabling ActiveX: A How-To Guide
To switch ActiveX controls from the default disabled state, you can:
- Within an Office app, go to File → Options → Trust Center → Trust Center Settings → ActiveX Settings. Choose the “Prompt me before enabling all controls with minimal restrictions” option.
- In the registry or the Group Policy Management tool, navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security. Set “DisableAllActiveX” (shown as “Disable All ActiveX” in Group Policy) to “0.”
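The registry route above is easiest to audit and apply with PowerShell. The script below is an added example, not code from the article or from Microsoft: it reports the current DisableAllActiveX state and provides a function to set it. Two details are assumptions rather than statements on the page: the per-version “16.0” path segment that current Office builds use under the Common\Security key, and the parallel Software\Policies hive where a Group Policy-applied value lands.

```powershell
# Added example (not from the article): audit and set the Office "DisableAllActiveX"
# registry value that the how-to refers to.
# Assumptions not stated on the page: the "16.0" version segment and the Policies hive.
#   1 = "Disable all controls without notification" (the new Office 2024 default)
#   0 = controls fall back to the Trust Center setting ("Prompt me before enabling ...")

$OfficeVersion = '16.0'   # assumption: current Office builds keep settings under the 16.0 hive
$Paths = @(
    "HKCU:\Software\Microsoft\Office\$OfficeVersion\Common\Security",           # user setting
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Common\Security"   # value applied by Group Policy
)

function Get-OfficeActiveXState {
    # Report the DisableAllActiveX value in each location. "not set" means the
    # application default applies (disabled in Office 2024, prompt in older builds).
    foreach ($p in $Paths) {
        $value = $null
        if (Test-Path $p) {
            $value = (Get-ItemProperty -Path $p -Name 'DisableAllActiveX' -ErrorAction SilentlyContinue).DisableAllActiveX
        }
        $state = if ($null -eq $value) { 'not set (default applies)' }
                 elseif ($value -eq 1) { 'all ActiveX disabled' }
                 else { 'ActiveX allowed (Trust Center prompt)' }
        [pscustomobject]@{ Path = $p; State = $state }
    }
}

function Set-OfficeActiveXState {
    param([ValidateSet(0, 1)][int]$Disable)
    # Writes only the user hive. The Policies hive is owned by Group Policy and should be
    # changed in the GPMC, otherwise the next policy refresh silently overwrites the edit.
    $p = $Paths[0]
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    New-ItemProperty -Path $p -Name 'DisableAllActiveX' -PropertyType DWord -Value $Disable -Force | Out-Null
}

# Show the current state in both locations.
Get-OfficeActiveXState | Format-Table -AutoSize

# Re-enable ActiveX (back to the prompt behaviour) only where a document workflow needs it:
# Set-OfficeActiveXState -Disable 0
# Enforce the Office 2024 default explicitly on older builds:
# Set-OfficeActiveXState -Disable 1
```

Running the audit function across a fleet (for example through a remoting session) is a quick way to find machines where someone has re-enabled ActiveX locally, since a value of 0 in the user hive with no Policies entry is exactly the state the new default is meant to move away from.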
ActiveX: A History of Security Challenges
Over the years, ActiveX has been exploited in various cyberattacks involving data breaches and malware dispersal. For example, in 2018, security experts discovered that the North Korean Andariel Group had been utilizing several ActiveX vulnerabilities to infect South Korean websites, a trend that persisted over multiple years.
The notorious malware strain TrickBot has also been associated with ActiveX-based attacks. In 2020, hackers were observed using the remote desktop ActiveX control to automatically execute a malware downloader embedded in a Word document, which was delivered to the victim through a phishing email.
Likewise, in 2021, hackers were detected leveraging ActiveX in Office 365 documents to deploy Cobalt Strike beacons for establishing persistent control.
Microsoft’s Strategy to Reduce Attack Vectors by Disabling Office Functionalities
In recent times, Microsoft has taken proactive measures against legacy Office features that serve as potential entry points for malicious actors. The company initially enhanced support for its Antimalware Scan Interface in Office 365 apps in 2018 to combat macro-based threats.
In 2021, Microsoft extended the AMSI protections by incorporating Excel 4.0 (XLM) scanning to identify malicious macros and prevent their execution. Subsequently, they disabled XLM by default in Excel and banned VBA macros in files obtained from the internet. In 2023, default blocks were placed on XLL add-ins from untrustworthy sources, as threat actors were integrating them into phishing schemes.
