Microsoft Office has supported ActiveX for years as an option for extending and automating documents, but it has also been a significant security vulnerability. Microsoft is finally starting to turn off ActiveX in the Microsoft 365 apps, following a similar move in last year’s Office 2024 package.
Starting this month, the Windows versions of Microsoft Word, Excel, PowerPoint, and Visio in Microsoft 365 will disable all ActiveX content by default without showing a notification. The Mac and web-based versions of the Office apps never supported ActiveX content in the first place.
Microsoft said in a blog post, “The previous default setting, ‘Prompt me before enabling all controls with minimal restrictions,’ allowed you to enable potentially dangerous ActiveX controls, which could be exploited by attackers through social engineering or malicious files. The new default setting is more secure because it blocks these controls entirely, reducing the risk of malware or unauthorized code execution.”

This change was already implemented in Microsoft Office 2024, but now it’s coming to the subscription-based Microsoft 365 apps as well. It’s available now in the Beta Channel for Version 2504 (Build 18730.20030) or later of the apps, and the change should roll out to everyone on Windows soon.
Importantly, ActiveX is not being completely removed from the Office apps. Some organizations might still enable the feature, and people with personal accounts can turn it back on by navigating to File > Options > Trust Center > Trust Center Settings > ActiveX Settings and selecting "Prompt me before enabling all controls with minimal restrictions."
Bye Bye, ActiveX
Microsoft released the first version of ActiveX in 1996, allowing websites in Internet Explorer and documents in Microsoft Office to embed complex code and interactive content. For example, ActiveX controls could be used to create buttons and checklists in Office documents, which could modify the document or perform external actions when clicked.
ActiveX did have some legitimate uses, but it is far more popular for phishing and malware. There have been many security exploits in ActiveX that allowed a seemingly-safe Word or PowerPoint document to modify Windows settings and files. It was also a frequent security and privacy risk in Internet Explorer, and it was never ported to its replacement, Microsoft Edge.

Microsoft eventually updated the Office apps to not run ActiveX content automatically, but some malicious files can successfully trick people into clicking the ‘Enable Content’ button. Microsoft removing that option by default will help reduce those attacks, while still allowing ActiveX content to run if absolutely necessary.
This change seems like the last step before removing ActiveX from Office apps entirely, but it’s not clear when (or if) that will happen. Some documents only work properly with ActiveX, and Microsoft’s newer Add-ins platform isn’t a complete replacement. This is about as secure as ActiveX can get.
Back in 2022, Microsoft started automatically blocking Visual Basic for Applications (VBA) macros in Office documents, which were also frequently used for malware distribution. That change was rolled out across all editions of Office apps that were supported at the time, including Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013.
Source: Microsoft 365 Insider Blog