Microsoft is disabling default ActiveX controls in Office 2024


Microsoft will disable ActiveX controls by default in the Office suite starting in October, with the release of Office 2024. The phasing out of this software framework is likely related to numerous security vulnerabilities that have been exploited in the past.

ActiveX has been used since 1996 to embed interactive objects, such as buttons or forms, in Office documents. It was also used to load multimedia content, such as videos, in Internet Explorer; Microsoft's current Edge browser does not support it.

With ActiveX disabled, Office users can no longer interact with or create ActiveX objects, but existing ActiveX objects in older documents will still be displayed as static images.

“Starting with the new Office 2024 release, the default setting for ActiveX objects will change from 'Ask me before enabling all controls with minimal restrictions' to 'Disable all controls without notification,'” reads a September 6 post in the Microsoft 365 Message Center.

“This change applies to Win32 desktop versions of Word, Excel, PowerPoint, and Visio.”


The changes will occur in stages

The update added that users of non-retail versions of Office, such as Office Home and Student, will see a notification when they try to interact with an ActiveX object that says, “The new default setting is equivalent to the existing DisableAllActiveX group policy setting.”

The change will be rolled out in stages. Office 2024 desktop apps for Win32 will have ActiveX controls disabled by default immediately upon release. Microsoft 365 apps will follow suit in April 2025.

Users who still require the use of ActiveX in Office documents will need to manually enable the feature through configuration settings in the Trust Center, registry edits, or group policy settings.

How to enable ActiveX

To enable ActiveX controls from the default disabled setting, do one of the following:

  1. In an Office application, go to File → Options → Trust Center → Trust Center Settings → ActiveX Settings. Select the “Ask me before enabling all controls with minimal restrictions” option.
  2. In the registry or Group Policy Management tool, navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security. Set “DisableAllActiveX” (shown as “Disable all ActiveX” in Group Policy) to 0.
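For administrators who want to confirm where a machine stands before or after the change, the following PowerShell script audits and, if asked, sets the DisableAllActiveX value under the registry path the article names. It is an added example, not code from the article or from Microsoft; it assumes the value is a REG_DWORD where 1 corresponds to “Disable all controls without notification” (the new default) and 0 to the old prompting behaviour, as step 2 implies.

```powershell
# Added example (not from the article or Microsoft): audit or set the
# per-user DisableAllActiveX value at the registry path the article gives.
# Assumption: REG_DWORD, 1 = all controls disabled without notification
# (the new Office 2024 default), 0 = the previous prompting behaviour.
param(
    [ValidateSet('Audit', 'Disable', 'Enable')]
    [string]$Mode = 'Audit'
)

$KeyPath   = 'HKCU:\Software\Microsoft\Office\Common\Security'
$ValueName = 'DisableAllActiveX'

function Get-ActiveXPolicyState {
    # Returns an object describing whether the value exists and what it means.
    $notSet = [pscustomobject]@{
        Present = $false; Value = $null
        State   = 'Not configured (the application default applies)'
    }
    if (-not (Test-Path -Path $KeyPath)) { return $notSet }

    # -ErrorAction SilentlyContinue yields $null when the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $notSet }

    $v = [int]$item.$ValueName
    $state = switch ($v) {
        1       { 'Disabled: all ActiveX controls blocked without notification' }
        0       { 'Enabled: controls may load, subject to the Trust Center prompt setting' }
        default { "Unexpected value $v; treat as misconfiguration and review" }
    }
    [pscustomobject]@{ Present = $true; Value = $v; State = $state }
}

function Set-ActiveXPolicyState {
    param([ValidateSet(0, 1)][int]$Value)
    # Create the key if it does not exist yet, then write the DWORD.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

switch ($Mode) {
    'Audit'   { Get-ActiveXPolicyState | Format-List }
    'Disable' { Set-ActiveXPolicyState -Value 1; Get-ActiveXPolicyState | Format-List }
    'Enable'  { Set-ActiveXPolicyState -Value 0; Get-ActiveXPolicyState | Format-List }
}
```

Run it as the user whose Office profile is in question, since the key lives under HKEY_CURRENT_USER; `-Mode Audit` is safe to run anywhere, while `-Mode Disable` enforces the new default ahead of the Office 2024 rollout and `-Mode Enable` mirrors the article's step 2 for users who genuinely need the controls. Office applications read the setting when they start, so restart them after a change before re-auditing.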

ActiveX has been plagued by vulnerabilities and cyber attacks

Over the years, ActiveX has been used in attacks ranging from data theft to malware deployment. For example, in 2018, security researchers discovered that the North Korean group Andariel was using multiple ActiveX vulnerabilities to infect South Korean websites, and had been doing so for several years.

TrickBot, a well-known malware strain, has also been linked to ActiveX-based attacks. In 2020, hackers were found to be using the Remote Desktop ActiveX control to automatically run a malware downloader embedded in a Word document, which was then delivered to the victim via a phishing email.

Similarly, in 2021, hackers were found using ActiveX in Office 365 documents to install Cobalt Strike beacons and establish persistent control.

Microsoft is reducing its attack surface by disabling Office features

In recent years, Microsoft has been on a warpath against some of the legacy Office features that offer a wealth of entry points for malicious actors. It started when the company expanded support for its Antimalware Scan Interface (AMSI) to Office 365 apps in 2018 to stop macro-based threats.


In 2021, Microsoft again expanded AMSI defenses to include Excel 4.0 (XLM) scanning, which detects malicious macros and prevents them from running. The following year, it also disabled XLM by default in Excel and blocked VBA macros in files downloaded from the web. In 2023, XLL add-ins from untrusted locations were blocked by default, as malicious actors were using them as part of phishing attacks.
