Today we are announcing an upcoming change to Office that blocks activation of Flash, Shockwave and Silverlight controls within Office.
We are taking this step based on the following factors:
Note: This change only applies to Office 365 subscription clients. It will not apply to Office 2016, Office 2013 or Office 2010.
Customers who wish to enforce this behavior now in Office 365 subscription clients or in Office 2016 perpetual and down level versions can use the guidance published here to block controls targeted by this change.
Furthermore, customers can also take advantage of the recently published Security Baseline for Office 2016 that includes a custom Group Policy that blocks Flash.
This change blocks the activation of the following controls within the Office process.
Control |
CLSID |
Flash |
D27CDB6E-AE6D-11CF-96B8-444553540000 D27CDB70-AE6D-11CF-96B8-444553540000 |
Shockwave |
233C1507-6A77-46A4-9443-F871F945D258 |
Silverlight |
DFEAF541-F3E1-4c24-ACAC-99C30715084A |
Some examples of scenarios that would be impacted by this change are:
Note: this change does not cover scenarios where these controls are activated outside the Office process, for example, a Flash video inserted into a document via the Insert Online Video functionality.
This change only applies to Office 365 subscription clients and is targeted to take effect in the following order
Yes. While we are confident that this will not impact most Office users, we do understand there is potential to impact some of our users and we apologize for the inconvenience caused as a result.
Please refer to support guidance published here if you need to unblock controls critical to your workflow.
In closing, we believe this is another step forward in elevating the security of Office. One that protects our users from malicious attacks without disrupting day to day productivity for most of them.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.