Summary
A cumulative security update has been recently released for Internet Explorer 6 for Microsoft Windows XP Service Pack 2 and Microsoft Windows Server 2003 Service Pack 1. This update changes the way in which Internet Explorer handles some Web pages that use ActiveX controls and Java applets. As we have seen some questions around this, we wanted to cover them here.
The below document describes the changes that this Update introduces, how it affects Outlook Web Access and how we can mitigate the effects of this change.
What has changed and why
A Cumulative security update for Internet Explorer (MS06-013) introduced a change in the way IE handles Web pages that use ActiveX controls and Java applets.
After you install this update, you cannot interact with ActiveX controls from certain Web pages until these controls are enabled. This change was deemed necessary for security reasons to avoid the remote code execution. Outlook Web Access is affected by this change as follows:
Symptoms related to Exchange
We see red X in the body of Outlook Web Access (OWA) email, when we use OWA with IE 7 (Windows Vista). The Red X error will not allow to compose a new message, reply to an email, or create a new task, note, journal entry, or an appointment. It may also not allow change any configuration in the Outlook Web Access options folder. The body of the message is grayed out, or has a Red X as below:
On a computer on which you have installed update 912945, you must first click one time in the compose frame in Outlook Web Access before you edit text. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
912945: (http://support.microsoft.com/kb/912945/) Internet Explorer ActiveX update
On a computer on which you have installed security update 912812 that is described in security bulletin MS06-013, you must first click one time in the compose frame in Outlook Web Access to activate the edit control.
Impact of the update when installed on a desktop
Installing the Update 912945 or 912812 on a computer which uses Internet Explorer 6 causes Internet Explorer to now prompt before the control is enabled and used.
Thus Internet Explorer 6 with this update installed will now prompt that you click one time on ActiveX control to enable the edit control.
Example Picture:
Impact on OWA
Since Outlook Web Access uses ActiveX controls heavily this could mean clicking to enable a control whenever we click on Compose a new e-mail message , Reply to an e-mail message, Create a new contact, or appointment to name a Few.
Example Picture:
Windows Vista
This also affects OWA when accessed from Windows Vista as Windows Vista no longer includes support for the ActiveX control that is used for HTML editing in Outlook Web Access.
ActiveX controls are unsafe for IE users who turn on the browser's ability to download and activate ActiveX controls within a web page. The problems occur when a user surfs to a non-trusted web page and that web page contains a malicious ActiveX control. This is a very common means of distributing spyware; the easiest way to avoid it is to not install ActiveX controls from non trusted sites. This is the reason why ActiveX control is eliminated from IE 7.
Solution
Exchange 2000/2003:
On an Exchange 2000/2003 server installing update 911829 on the Exchange server enables a new editor for Internet Explorer. The new editor uses an Internet Explorer "iframe" instead of an ActiveX control. Thus after you apply update 911829, you are not required to first click to enable a control in the compose frame of Outlook Web Access before you edit text.
In Case of other websites which use ActiveX:
If you are a Web site owner, you can rewrite your Web pages so that users are never presented with a tooltip or a dialog box.
The following MSDN link gives us how.
Compatibility Patch:
A compatibility patch that will disable the behavior of the Internet Explorer ActiveX update has also been released. (Update 917425) Note that this patch is temporary, and will only apply to KB 912812. This IE compatibility patch will not be available for future security updates.
Pre - Internet Explorer 6
Since this update is currently released for Internet Explorer 6 only this would not cause any behavior change when a pre-Internet Explorer 6 browser is used.
Additional Reading
http://support.microsoft.com/kb/912945
http://support.microsoft.com/kb/911829
http://support.microsoft.com/kb/917425
While at issues surrounding Internet Explorer and OWA, you might want to also check our previous post on Exchange 2003 SP2 SMIME update released (KB 924334) - resolves compatibility with IE 7.