ActiveX blocked by default in Microsoft 365 because remote code execution is bad, OK?

Microsoft has twisted the knife into ActiveX once again, setting Microsoft 365 to disable all controls without so much as a prompt.

The change replaces the previous default setting, "Prompt me before enabling all controls with minimal restrictions," which relied on the user understanding the implications before blithely giving permission. Since ActiveX controls reach deep into the system, allowing them to run with "minimal restrictions" can open a user's system up to malicious folk and social engineering attacks.

According to Microsoft: "The new default setting is more secure because it blocks these controls entirely, reducing the risk of malware or unauthorized code execution."

Getting ActiveX to work will require opening the Trust Center and re-enabling the prompt to allow controls. This assumes administrators have given users permission to access the ActiveX settings page.

ActiveX sprung from other Microsoft attempts at component-based engineering such as Object Linking and Embedding (OLE ...