Microsoft Enhances Security by Disabling ActiveX in Office 365 and Office 2024

Overview of the ActiveX Disablement in Microsoft Office

Microsoft has announced a significant security update affecting Windows versions of Microsoft 365 and Office 2024. ActiveX controls, a feature introduced in 1996, will be disabled later this month to mitigate potential threats from malware and unauthorized code execution.

Impact on Office Applications

With this update, ActiveX will no longer function in popular applications such as Word, Excel, PowerPoint, and Visio. Users will encounter notifications for blocked ActiveX content in documents, enhancing the security posture against cyber threats.

Notification Features

Documents containing ActiveX controls will display a prominent notification, guiding users to additional information through a “Learn More” button. This proactive approach alerts users about the security change and explains the implications.

Guidance for Office Users

Microsoft has issued advice warning users against opening unexpected file attachments or altering ActiveX settings prompted by unsolicited sources. Comprehensive guidance is available through their support document.

Enabling ActiveX Controls

1. Go to File, then select Options.
2. Click on Trust Center, followed by the Trust Center Settings button.
3. Choose ActiveX Settings and select “Prompt me before enabling all controls with minimal restrictions“.
4. Click OK to save and apply your settings.

Important: For optimal security, Microsoft strongly advises keeping ActiveX controls disabled unless necessary.

Security and Legacy Technology

The initiative to disable ActiveX by default is part of Microsoft’s broader strategy to phase out outdated technologies that pose security risks. This follows recent actions including enhanced protections against VBA and XLM macros, and the deprecation of VBScript.

Historical Threats and Security Enhancements

ActiveX has been exploited in various cyberattacks involving state-sponsored groups and financial criminals using malware like TrickBot and Cobalt Strike beacons. Microsoft’s persistent efforts in cybersecurity aim to safeguard enterprise networks from such vulnerabilities.

Conclusion

This development marks a significant step in Microsoft’s ongoing effort to curb the misuse of legacy features in its software products, enhancing overall user security in Microsoft Office environments.