Blocking Flash, Shockwave, Silverlight controls from activating in Office Applications for Security

May 14, 2018
The original article is published on the Microsoft Tech Community Security, Privacy and Compliance Blog.

Today we are announcing an upcoming change to Office that blocks activation of Flash, Shockwave and Silverlight controls within Office.

We are taking this step based on the following factors:

  1. Use of some these controls in exploit campaigns to target end users of Office.
  2. Low observed use of these controls within Office.
  3. Upcoming end of support for some these components
    1. On July 2017, Adobe announced that Flash will no longer be supported after 2020. Major browsers including Edge, Chrome, Safari and Firefox have announced their respective roadmaps for ending support for Flash.
    2. Silverlight is expected to reach end of support in 2021 with support for several browsers and OS platforms already ended in 2016.

Note: This change only applies to Office 365 subscription clients. It will not apply to Office 2016, Office 2013 or Office 2010.

Customers who wish to enforce this behavior now in Office 365 subscription clients or in Office 2016 perpetual and down level versions can use the guidance published here to block controls targeted by this change.

Furthermore, customers can also take advantage of the recently published Security Baseline for Office 2016 that includes a custom Group Policy that blocks Flash.

What does this update block?

This change blocks the activation of the following controls within the Office process.

Control

CLSID

Flash

D27CDB6E-AE6D-11CF-96B8-444553540000

D27CDB70-AE6D-11CF-96B8-444553540000

Shockwave

233C1507-6A77-46A4-9443-F871F945D258

Silverlight

DFEAF541-F3E1-4c24-ACAC-99C30715084A

Some examples of scenarios that would be impacted by this change are:

  1. Controls directly embedded in an Office document, for example, Flash video directly embedded within a PowerPoint document using the Insert Object functionality
  2. Controls invoked by extensibility components within the Office process, for example, Power View add-in that uses Silverlight

Note: this change does not cover scenarios where these controls are activated outside the Office process, for example, a Flash video inserted into a document via the Insert Online Video functionality.

When would this block take effect?

This change only applies to Office 365 subscription clients and is targeted to take effect in the following order

  1. Controls are blocked in Office 365 Monthly Channel starting in June 2018.
  2. Controls are blocked in Office 365 Semi Annual Targeted (SAT) Channel starting in September 2018.
  3. Controls are blocked in Office 365 Semi Annual (SA) Channel starting in January 2019.

Can I unblock these controls if I need to?

Yes. While we are confident that this will not impact most Office users, we do understand there is potential to impact some of our users and we apologize for the inconvenience caused as a result.

Please refer to support guidance published here if you need to unblock controls critical to your workflow.  

In closing, we believe this is another step forward in elevating the security of Office. One that protects our users from malicious attacks without disrupting day to day productivity for most of them.

Discuss this article in the Microsoft Technical Community.