Welcome to Exchange Team Blog Sign in | Join | Help
Search
BlogsVideosPhotosFiles

Syndication

This Blog

Post Categories

Archives

Recent change of Internet Explorer 6 behavior in handling ActiveX controls and its effects on OWA

Summary

A cumulative security update has been recently released for Internet Explorer 6 for Microsoft Windows XP Service Pack 2 and Microsoft Windows Server 2003 Service Pack 1. This update changes the way in which Internet Explorer handles some Web pages that use ActiveX controls and Java applets. As we have seen some questions around this, we wanted to cover them here.

The below document describes the changes that this Update introduces, how it affects Outlook Web Access and how we can mitigate the effects of this change.

What has changed and why

A Cumulative security update for Internet Explorer (MS06-013) introduced a change in the way IE handles Web pages that use ActiveX controls and Java applets.

After you install this update, you cannot interact with ActiveX controls from certain Web pages until these controls are enabled. This change was deemed necessary for security reasons to avoid the remote code execution. Outlook Web Access is affected by this change as follows:

Symptoms related to Exchange

We see red X in the body of Outlook Web Access (OWA) email, when we use OWA with IE 7 (Windows Vista). The Red X error will not allow to compose a new message, reply to an email, or create a new task, note, journal entry, or an appointment. It may also not allow change any configuration in the Outlook Web Access options folder. The body of the message is grayed out, or has a Red X as below:

On a computer on which you have installed update 912945, you must first click one time in the compose frame in Outlook Web Access before you edit text. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

912945: (http://support.microsoft.com/kb/912945/) Internet Explorer ActiveX update

On a computer on which you have installed security update 912812 that is described in security bulletin MS06-013, you must first click one time in the compose frame in Outlook Web Access to activate the edit control.

Impact of the update when installed on a desktop

Installing the Update 912945 or 912812 on a computer which uses Internet Explorer 6 causes Internet Explorer to now prompt before the control is enabled and used.

Thus Internet Explorer 6 with this update installed will now prompt that you click one time on ActiveX control to enable the edit control.

Example Picture:

Impact on OWA

Since Outlook Web Access uses ActiveX controls heavily this could mean clicking to enable a control whenever we click on Compose a new e-mail message , Reply to an e-mail message, Create a new contact, or appointment to name a Few.

Example Picture:

Windows Vista

This also affects OWA when accessed from Windows Vista as Windows Vista no longer includes support for the ActiveX control that is used for HTML editing in Outlook Web Access.

ActiveX controls are unsafe for IE users who turn on the browser's ability to download and activate ActiveX controls within a web page. The problems occur when a user surfs to a non-trusted web page and that web page contains a malicious ActiveX control. This is a very common means of distributing spyware; the easiest way to avoid it is to not install ActiveX controls from non trusted sites. This is the reason why ActiveX control is eliminated from IE 7.

Solution

Exchange 2000/2003:

On an Exchange 2000/2003 server installing update 911829 on the Exchange server enables a new editor for Internet Explorer. The new editor uses an Internet Explorer "iframe" instead of an ActiveX control. Thus after you apply update 911829, you are not required to first click to enable a control in the compose frame of Outlook Web Access before you edit text.

In Case of other websites which use ActiveX:

If you are a Web site owner, you can rewrite your Web pages so that users are never presented with a tooltip or a dialog box.

The following MSDN link gives us how.

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/overview/activating_activex.asp

Compatibility Patch:

A compatibility patch that will disable the behavior of the Internet Explorer ActiveX update has also been released. (Update 917425) Note that this patch is temporary, and will only apply to KB 912812. This IE compatibility patch will not be available for future security updates. 

Pre - Internet Explorer 6

Since this update is currently released for Internet Explorer 6 only this would not cause any behavior change when a pre-Internet Explorer 6 browser is used.

Additional Reading

http://support.microsoft.com/kb/912945

http://support.microsoft.com/kb/911829

http://support.microsoft.com/kb/917425

While at issues surrounding Internet Explorer and OWA, you might want to also check our previous post on Exchange 2003 SP2 SMIME update released (KB 924334) - resolves compatibility with IE 7.

- Manoj Dhadwal

Published Thursday, November 16, 2006 11:11 AM by Exchange
Filed Under: , , ,

Comments

 

Ricky Simons said:

Thank you, I have been looking for a way to resolve this.
November 16, 2006 3:39 PM
 

Pablo said:

What happens if I apply this hotfix first in all the front-end servers but not in the cluster backend servers? We need to guarantee roll back to our customers and we would like to apply this hotfix progressively.
November 19, 2006 9:49 AM
 

Manoj Dhadwal said:

Hi Pablo,

For this resolution to work, you must apply the hotfix to both the front-end server and to the back-end server.

Thanks,
November 21, 2006 1:07 AM
 

Topaz said:

Microsoft does not control the way I use Internet Explorer. I reversed engineered all the cumulative security update for Internet Explorer to remove the ActiveX changes but leave in any bonafide security updates.

I do what I want, not what Microsoft wants.
December 14, 2006 9:24 PM
 

Andrew said:

I've installed this on our front and backend servers (Exchange 2003, Windows 2003) and have noticed that now some Windows Mobile and Blackberry phones have trouble connecting via to mail via IMAP. Has anyone run into issues like this after installing this hotfix?
December 19, 2006 10:19 AM
 

AntiTopaz said:

Topaz, you're strange.
February 10, 2007 10:16 AM
 

IEBlog said:

Hi, I’m B. Ashok, the Product Unit Manager for Web Development Tools . As mentioned in my earlier post
March 14, 2007 4:43 PM
 

This Old Code said:

March 14, 2007 7:31 PM
 

Windows Vista Blog - Alles rund um Windows Vista » Outlook Web Access (OWA) mit IE7 und Windows Vista said:

PingBack from http://www.vista-blog.de/outlook-web-access-owa-mit-ie7-und-windows-vista/
March 15, 2007 5:34 AM
 

Windows Vista Blog | ZDNet.de Test & Tech » Blog Archiv » L?sung f?r Probleme mit Outlook Web Access unter Vista said:

PingBack from http://cgi.zdnet.de/vista/?p=28
March 18, 2007 1:31 PM
New Comments to this post are disabled

News

This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Use of any included script samples are subject to the terms specified in the Terms of Use.
New! Would you like to suggest a topic for the Exchange team to blog about? Send suggestions to us.

Exchange Server 2010 - Get the Beta

Poll:

Other Exchange Blogs from MSFT

Other Cool Places

International

[MS] Exchange Blogs

[MVP/Community] Blogs/Sites