MS06-013 – Click to activate and use this control

May 2, 2006 at 8:47 pm 28 comments

In April, Microsoft released a cumulative security update, MS06-013, which effected Internet Explorer's handling of objects such as ActiveX controls and Flash. Basically, before a user can interact with these items, they would have to click on it first to "Activate" the control. Until then, when you hover over the control it reminds you, "Click to activate and use this control"

Example of MS06-013 prompt

Items that don't require user interaction (such as a Flash introductory movie that runs on your homepage) aren't affected and run as normal. But items that do require the user to type in, click on, hover over or otherwise interface with the item would be affected. So for example, if you have a navigation bar at the top of your page done in Flash the user would now have to click twice– once to activate the control and once to click on the desired destination.

On the client-side Microsoft has released a "Compatiability Patch" to undo this particular behavior to Internet Explorer, but this reprieve is not permanent (They intend of making the activation behavior official in June). There are also options one can do to the actual code. It turns out, if you load the options externally (via JavaScript), they are automatically activated and the extra clicks are avoided.

So far, I have been involved in the update of two web applications to handle this change (one for an ActiveX control and one for Flash) and have found the workaround extremely easy and quick to implement. This evening I timed myself– it took just four minutes to move the appropriate Flash references to an external JavaScript file and subsequently bypass the activation need.

The MSDN article on Activating ActiveX Controls will describe additional options, but I'm going to walk you through the solution we've been using.

Open up the source code of your web page in the editor of your choice.
Highlight and cut the source code of your ActiveX/Flash control
Open up a brand new text file (in Notepad or your editor of choice) and paste in the cut text.
Surround each line of text with document.write(' and ');
Save your new text file as a .js file in a directory that is appropriate. (Perhaps an includes directory or maybe a javascript directory)
Return to the original source code and where we cut the code out, you want to insert <SCRIPT Language="JavaScript" SRC="path/filename.js"></SCRIPT>, making sure to fill in the appropriate path and filename of your new .js file.
Save your changes to your original source file.

Once those changes are applied, when a user loads the page, they will be able to interact with the control immediately. No need for Compatiability Patches or extra clicks here.

Entry filed under: ActiveX, Flash, MS06-013, Web Development.

Word 2003 – The Find What text contains a Pattern Match expression which is not valid. Update: Letter to Lansing City Council about Malcolm X

28 Comments Add your own

1. ClintJCL | May 4, 2006 at 8:16 am

Well, the update was to increase awareness and fight, and that’s a Good Thing. I understand why you are doing this, but I think management would be better off NOT avoiding security improvements. People should be able to learn how to click ‘yes, i want this’, rather than leaving their computers open to drive-by downloading the rest of their lives! I can’t agree with this. 🙂 But the technicality is neato! I love workarounds.
Reply
2. tgaw | May 4, 2006 at 9:05 pm

Hey, thanks for posting!

I can see where you are coming from. Never fear, however! Internet Explorer has already safeguarded the user and their organization with a plethora of prompts before this point is even reached.

With the default IE security settings and assuming the site is in the “Internet” zone, the prompts the user will see typically see when trying to install an ActiveX control (it would be very similiar with Macromedia) are as follows:

1) Internet Explorer’s yellow information bar slyly displays at the top of the browser saying, “This site might require the following ActiveX control: … Click here to install…”

2) After one clicks the “Click here”, they get a dropdown and from which they have to select the “Install ActiveX Control” option. The page then refreshes.

3) Once the page refreshes, Internet Explorer pops up a message box saying “Do you want to install this software?”.

4) The user clicks one last time on the “Install” button on that latest prompt.

At this point, assuming the user has permissions to install software and programs on their machine (a lot of organizations have that locked down) the component is actually installed.

Anyway, in order to get the component installed the user has expressed their intent three times.

Now, I, personally, have not been too bothered by the extra clicks by MS06-013. In fact, the very first time I was testing a control out under MS06-013 and was *specifically* on the lookout for changed behavior, I didn’t even notice it!

Know why? My clicks tend to be less than accurate. I am very used to missing my intended target. As a result, if I click on something and I don’t get a response– I immediately click on it again without even thinking about it! 🙂 My colleague, Derek (http://dpinkerton.blogspot.com), pointed out my subconscious second click!

Nonetheless, I can certainly see how it would be perceived as burdensome. You’ve already committed to the control– you shouldn’t have to reactivate it each and every time you go to the page.

Thanks again for posting!
Reply
3. tgaw | May 4, 2006 at 9:26 pm

I do have a related story. I’m telling it third-hand, so there may be inaccuracies.

My father-in-law works at a shop which amoung other things, sells lawnmowers. He had a story with a riding lawn mower. In order to make the blades run while you were *not* sitting on it, you had to disable something along the lines of eighteen safety locks and guards.

Somewhere in this great country of ours, an idiot did just that. And guess what– he had an accident! It resulted in the loss of at least one finger.

He sued the company that manufactured the lawnmower…. and won!
Reply
4. Clint | May 6, 2006 at 2:30 pm

Everytime you go to the page?!?! I thought it was just a onetime thing to install the plugin. Ugh.

I’m so glad I use Firefox. Nothing [inside of my house] has improved my internet experience more.

The lawnmower thing — just typical!
Reply
5. tgaw | May 6, 2006 at 7:05 pm

Yup– every time you go to that page!

I get to see it in action whenever I go to my blog stats. You know how that Last 30 Days Chart will tell you the exact hit count when you hover over a day? Well, I have to click to activate first– and then I can hover over and see the count. 😉
Reply
6. William Chenoweth | May 16, 2006 at 7:04 pm

works great. I love it when it takes 5 seconds to do a google search for something you want quick answers for and there are great people like you with simples answers 😉 BTW fyi i searched ‘how to bypass click to activate’
Reply
7. tgaw | May 16, 2006 at 9:31 pm

Awesome– glad the information was helpful!
Reply
8. Jessica Murphy | May 17, 2006 at 3:17 pm

Thanks so much for posting this! I knew there had to be a simple solution!

I’ve been surprised how many big sites have yet to fix this problem. For example:

http://www.upn.com
http://www.oprah.com
http://www.cbs.com
Reply
9. Patty | May 18, 2006 at 6:56 am

thankyou very much for this script… as a developer it is very annoying having to make users click twice just to enable a simple flash file… THANKYOU
Reply
10. Colin | May 23, 2006 at 6:59 am

Hi,

I know it is a bit of a shameless plug but we have developed a free bit of software to apply the same sort of workaround to any website files within a folder.

Can be downloaded here: http://www.setsquareassist.com/websiteconverter.htm
Reply
11. Max | May 29, 2006 at 10:21 am

I used your very useful and well documented work around to fix my client’s web site and then sent this email to my client:

“FYI, I fixed the “double click” issue with the Flash in MS IE using a scripting trick. Apparently, Mother MS in their infinity wisdom decided to add that highlight and click before using “feature” in April to IE. They are really quite amazing with the automaticity of their featuralization additationalisms. Why, at the rate they are going, with the supreme automatilizationalisms they are adding, I think within the foreseeable future they will render their OS completely useless.

The best upgrade for Windows is going to be Linux. Mark my words.”
Reply
12. Nerdx | June 2, 2006 at 6:15 pm

This didn’t work for me 😦 Is there something in particular you must do? I just went straight down onto that page to ‘Download Information’ and selected the one for my operating system.

~ Nerd
Reply
13. tgaw | June 2, 2006 at 10:03 pm

Are you talking about Microsoft’s compatiability patch? In my efforts, the issue was circumvented server-side by changing the code. As a result, I personally did not do any testing with Microsoft’s compatiability patch.

One quick note– it was Microsoft’s original intention to only allow the Compatiability Patch to work until June. If they kept to their word and you already installed their latest updates, that could be the issue as well. If not, just keep in mind– that is something they are hoping to strip away in the future.

It keeps life interesting! 🙂
Reply
14. Laurent | June 5, 2006 at 3:38 am

Hi,
There is an ASP.NET 2.0 web control wich is compatible with this issue, you can find it there : http://www.flash-control.net
Reply
15. Christina | July 9, 2006 at 7:54 pm

Thank you, Thank you! I’ve spent weeks trying to resolve this issue on my site. I’ve tried several so-called fixes from several different websites, and as a newbie to flash and script, all the other sites instructions were beyond me, but I tried them and couldn’t get any of them to work. But then I found this. This works and it is so simple. I had to use it on two different flash embedded objects on the same page. It only took 10 minutes. Thanks again!
Reply
16. Hervé | August 7, 2006 at 6:32 am

hello from France.
Great – it works.
And I have tried many other supposed fixes that never workd before.
Reply
17. helyn | August 13, 2006 at 12:09 pm

Thank you for posting this fix … very seamless, and excellent directions.
Reply
18. Nick | September 24, 2006 at 7:03 am

Now I aploigize if I’m kinda igorant – but I have this same issue with my IE – but its on multiple pages, I don’t have a website. So, is there a fix for the entire IE? Can I just uninstall the security patch from microsoft to resolve this issue?
Reply
19. christina | October 7, 2006 at 5:23 pm

hello, i installed active x and every box i come across does this.. if the mouse hovers over it, it highlights and i have to click on it to activate it.. and it says “click to activate and use this control” is there some way i can get this off of here?? i find it highly annoying..
Reply
20. tgaw | October 9, 2006 at 5:36 pm

Christina and Nick, I don’t believe there is anything you can do at this point. Microsoft originally had a compatiability patch out which let you revert your Internet Explorer to the previous behavior, but it was my understanding that patch was only good through June 2006.

Of course, you can write the webmasters of those sites and point them to this article on how to fix it server-side. 😉
Reply
21. rajshekar | November 10, 2006 at 1:38 am

thanks for for the solution this problem was my biggest headache.hope you will continue to do the good work. keep it up!!!
Reply
22. Paul | November 13, 2006 at 3:36 pm

hi, ive tried to follow the instructions but it just doesnt seem to work!what am i doing wrong?please help this is doing my head in!!!!arrrgggghhh!!!!
Reply
23. tgaw | November 13, 2006 at 5:39 pm

Paul, do you have a link to the work you’ve already done? I’ll be happy to take a peek.
Reply
24. Paul | November 14, 2006 at 2:36 am

the links arent working yet, but im trying to get the flash buttons to work.I’d be really grateful,thanks alot.
Paul
http://www.completehealthandfitness.co.uk/
Reply
25. tgaw | November 15, 2006 at 1:23 pm

Hey Paul,
I believe I got your email address from the notification with your comment. I’ll email you this evening.

Vicky
Reply
26. paul_knightly | January 26, 2007 at 2:19 am

beautiful online information center. greatest work� thanks
Reply
27. Mark Jennings | August 7, 2007 at 9:54 am

I am using Object Activator to re-activate my objects. It’s fast and easy:

http://www.orontesprojects.com/objectactivator.htm

Mark
Reply
28. Dotjqpop | October 22, 2007 at 3:13 pm

alicante car enterprise rent
alicante car enterprise rent
Reply

	Tools of the trade… on Breach – What Espionage,…
	Domestic Violence La… on Introducing… the Baby…
	tgaw on Cuddling and the CPAP
	Ben Dutch made on Cuddling and the CPAP
	Ben on Cuddling and the CPAP

TGAW