
At last! Microsoft calls time on ActiveX in Office 2024
When Office 2024 is released next month, ActiveX controls will be off by default in client apps like Word, Excel, and PowerPoint.
Microsoft has taken the latest step in its careful march towards making Office more secure, with the announcement that ActiveX will be off by default in the next version of Office.
When Office 2024 is released next month, ActiveX controls will be off by default in Microsoft Office client apps like Word, Excel, and PowerPoint. According to Microsoft:
Users will no longer be able to create or interact with ActiveX objects in Office documents when this change is implemented. Some existing ActiveX objects will still be visible as a static image, but it will not be possible to interact with them. In non-commercial SKUs of Office, users will see this notification when an ActiveX object is blocked by the new default behavior:
Although customers of the stand-alone, 2024 version of Microsoft’s productivity suite will enjoy the benefits of an ActiveX-free life from October, subscription customers, who pay for the software under the Microsoft 365 moniker, will have to wait until April 2025.
Making its subscription customers wait just a little longer for better security is emblematic of Microsoft’s cautious, phased approach to flensing its flagship software of insecure features. The company is trying to chart a course that balances its long-established, and admirable, desire to maintain backwards compatibility with the knowledge that Office’s deep bench of legacy tech gives cybercriminals a lot of ways to exploit users.
ActiveX is a software framework that allows developers to create software components in multiple languages. The components can be used to embed functionality into applications, or to add features to web pages or Office documents. For example, it can be used to enrich Word, Excel or PowerPoint documents with fillable forms, interactive charts and graphs, or to embed animations or video.
Allowing Microsoft Office documents to execute code made them very powerful, but it came at a significant cost to security. As Microsoft itself points out:
ActiveX controls can have unrestricted access to your computer and therefore can access your local file system and change your operating system registry settings. If a hacker uses an ActiveX control to take over your computer, the damage can be significant.
As much as it gave legitimate businesses the ability to embed useful code, it also gave cybercriminals another way to weaponise Office documents and use them to run malicious code or install backdoors, Trojans, and other nasties.
The move to disable ActiveX follows Microsoft’s phased disabling of macros downloaded from the internet and Adobe’s glacial retirement of Flash.
Removing insecure legacy technologies leaves cybercriminals with one less option in their attacks: there has been a steady shift away from the routine exploitation of users’ software, like insecure browsers and plugins, towards tactics that rely on social engineering, like malvertising and fake browser updates.
Microsoft should be applauded for taking another old technology off the cybercriminal menu. We just wish they’d done it sooner.
As you’d expect, Microsoft is not yet ready to bury ActiveX completely, and if your organisation really needs it, the company advises that there are three ways to re-enable it:
- In the Trust Center Settings dialog, under ActiveX Settings, select the Prompt me before enabling all controls with minimal restrictions option.
- Set HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security\DisableAllActiveX to 0 in the registry.
- Set the Disable All ActiveX group policy setting to 0.
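For administrators who want to confirm the block is actually in place on a given machine, here is an added PowerShell audit script (not code from the article or from Microsoft). It reads the DisableAllActiveX value at the registry path named above and can put the block back; it assumes that a DWORD of 1 means "blocked", since the article only documents that 0 re-enables ActiveX.

```powershell
# Added example: audit, and optionally re-assert, the per-user DisableAllActiveX value.
# Assumptions: the HKCU path is the one the article names, and a DWORD of 1 blocks
# all ActiveX controls (the article only states that 0 re-enables them).

$ActiveXKey = 'HKCU:\Software\Microsoft\Office\Common\Security'
$ValueName  = 'DisableAllActiveX'

function Get-OfficeActiveXState {
    # Returns an object describing the effective per-user override for ActiveX.
    $value = $null
    if (Test-Path $ActiveXKey) {
        $props = Get-ItemProperty -Path $ActiveXKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $props) { $value = $props.$ValueName }
    }
    if ($null -eq $value) {
        # No override present: whatever Office's built-in default is applies.
        $state = 'NotSet (built-in Office default applies)'
    } elseif ($value -eq 0) {
        # This is the re-enable setting the article describes.
        $state = 'Enabled (ActiveX re-enabled by registry override)'
    } else {
        $state = 'Blocked'
    }
    [pscustomobject]@{ Key = $ActiveXKey; Name = $ValueName; Value = $value; State = $state }
}

function Set-OfficeActiveXBlocked {
    # Explicitly writes the blocking value so that an earlier re-enable override is reverted.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $ActiveXKey)) {
        New-Item -Path $ActiveXKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$ActiveXKey\$ValueName", 'Set to 1 (block all ActiveX)')) {
        Set-ItemProperty -Path $ActiveXKey -Name $ValueName -Value 1 -Type DWord
    }
    Get-OfficeActiveXState
}

# Usage: report the current state, then preview the enforcement with -WhatIf.
Get-OfficeActiveXState | Format-List
Set-OfficeActiveXBlocked -WhatIf
```

Drop the -WhatIf switch to apply the change; note that this only covers the current user's hive, so a machine-wide rollout belongs in the group policy setting the article mentions.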
Our advice? Leave it off if you can. Microsoft is the most cautious of corporate behemoths, and it would not have disabled ActiveX unless it saw it as a significant security risk.