Don't wait for Microsoft's patch: Secure Windows now from Monday's 0-day
By Scott M. Fulton, III | Published July 6, 2009, 3:44 PM
There's an old ActiveX control hanging around many Windows systems that's still accessible to Internet Explorer, whose original purpose was to tune into MPEG2 transport streams -- typically live video streams sent from a server in MPEG2 format. Yes, MPEG2 transport streams still exist, but these days browsers, IE8 included, have appropriate plug-ins to handle them -- Windows Media Player is one, Apple's QuickTime is another.
But still there's this ActiveX control sitting there doing nothing, waiting to be leveraged for an attack. Earlier today, Microsoft acknowledged a SANS Internet Storm Center report that an active exploit of this disused bit of functionality has been published on Chinese Web sites. Apparently malicious users are already using it in "drive-by" attacks that, according to security experts including Sophos' Graham Cluley, could result in the installation and execution of nearly any malicious payload.
This morning, Microsoft security engineer Chengyun Chu noted that for a Web site to deliver this payload through the exploit, the user would need to click on a link that opens that Web site. That makes Outlook relatively safe even if the link is embedded in the type of e-mail message that says, "Check this out!", just so long as the user doesn't click on it. In other words, the code cannot be triggered automatically through Microsoft's e-mail client.
While Cluley and others are chiding Microsoft for not coming up with a patch, the sad fact is, it actually might not need to. In this morning's security advisory, the company admitted right up front that its current engineers have forgotten what this ActiveX control was ever needed for: "Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control," the security advisory reads. "For Windows XP and Windows Server 2003 customers, Microsoft is recommending removing support for this ActiveX Control within Internet Explorer."
In the meantime, the company is recommending that users remove support for this control themselves. It's an easy process for anyone who's ever used REGEDIT before, although it's just a little arduous -- there are as many as 45 possible CLSID numbers for this single control (which shows you how ridiculous the ActiveX control management process was in its heyday). The security advisory lists them all, although you do not need to go through Microsoft's advised steps of cutting and pasting them all individually into Notepad (talk about making something more difficult than it has to be!).
Instead, you can use our much simpler method of making certain your Windows installation is safe by doing the following:
1. Open Security Advisory 972890 and scroll down to General Information. Open the Suggested Actions tier, followed by Workarounds, and scroll down until you see the long list marked Class Identifier.
2. Start the Windows Registry Editor (REGEDIT). (For Vista, you may need to click on Continue at the UAC prompt.)
3. In the left pane, open the key corresponding to the Registry path \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility. The good news here is that all the CLSIDs in this segment of the Registry, and all the CLSIDs in Microsoft's warning list, are in hexadecimal numerical order, so you won't have to search each one from top to bottom.
4. Scan the Registry to see if any of the CLSIDs correspond exactly to any of the 45 Registry items flagged by Microsoft. More than one may correspond. If none correspond, you are already safe from this exploit. Betanews was unable, for example, to find any of the 45 Registry entries on our Windows XP or Vista systems, and we don't expect to see them in Windows 7.
5. If you do find an offending CLSID, do not delete it. That actually won't change anything at all, believe it or not. Instead, select its entry in the left pane.
6. Check the right pane for a value named Compatibility Flags. If it does not yet exist, you'll need to create it: right-click on the empty space in the right pane, and from the popup menu, select New, then Binary Value. A new entry is created immediately, which you'll need to rename: type Compatibility Flags and press Enter.
7. Right-click on Compatibility Flags and from the popup menu, select Modify. In the Edit DWORD Value dialog box, under Value data, type 400, leave the Base setting on Hexadecimal, then click OK. Repeat this process for all the remaining CLSIDs in Microsoft's list.
What this does is set the kill bit for the control. It's still registered (and it's still taking up space on your hard drive, doing nothing), but now it's at least turned off, so it can't be leveraged in an attack.
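The same kill-bit procedure, scripted so it can be audited or pushed to many machines, as an added example that is not from the article, from Microsoft's advisory, or from the Fix it. It assumes an elevated PowerShell prompt, reads the 45 CLSIDs from the advisory list (as reproduced in the .reg file posted in the comments further down this page), and treats Compatibility Flags as a REG_DWORD, which is what step 7's "Edit DWORD Value" dialog and the dword:00000400 lines of that .reg file both indicate. Unlike the manual walkthrough, it creates the CLSID key when it does not yet exist, as the .reg file also does, and it ORs 0x400 into any flags already present rather than overwriting them. The Wow6432Node path is an assumption for 64-bit systems and is skipped where it is absent. Run with -WhatIf to report without changing anything.

```powershell
<#
  Added example (not from the Betanews article, Microsoft's advisory, or the Fix it):
  audit and, if needed, set the Internet Explorer kill bit (Compatibility Flags bit
  0x400) for the msvidctl.dll CLSIDs listed in Security Advisory 972890.
  Run from an elevated PowerShell prompt; with -WhatIf it only reports.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$KillBit   = 0x400
$ValueName = 'Compatibility Flags'

# Native IE path, plus (assumption) the 32-bit view on 64-bit Windows; only paths that exist are used.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path $_ }

# The 45 CLSIDs from Security Advisory 972890 (as reproduced in the .reg file in the comments).
$Clsids = @(
    '{011B3619-FE63-4814-8A84-15A194CE9CE3}', '{0149EEDF-D08F-4142-8D73-D23903D21E90}', '{0369B4E5-45B6-11D3-B650-00C04F79498E}',
    '{0369B4E6-45B6-11D3-B650-00C04F79498E}', '{055CB2D7-2969-45CD-914B-76890722F112}', '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}',
    '{15D6504A-5494-499C-886C-973C9E53B9F1}', '{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}', '{1C15D484-911D-11D2-B632-00C04F79498E}',
    '{1DF7D126-4050-47F0-A7CF-4C4CA9241333}', '{2C63E4EB-4CEA-41B8-919C-E947EA19A77C}', '{334125C0-77E5-11D3-B653-00C04F79498E}',
    '{37B0353C-A4C8-11D2-B634-00C04F79498E}', '{37B03543-A4C8-11D2-B634-00C04F79498E}', '{37B03544-A4C8-11D2-B634-00C04F79498E}',
    '{418008F3-CF67-4668-9628-10DC52BE1D08}', '{4A5869CF-929D-4040-AE03-FCAFC5B9CD42}', '{577FAA18-4518-445E-8F70-1473F8CF4BA4}',
    '{59DC47A8-116C-11D3-9D8E-00C04F72D980}', '{7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}', '{823535A0-0318-11D3-9D8E-00C04F72D980}',
    '{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}', '{8A674B4C-1F63-11D3-B64C-00C04F79498E}', '{8A674B4D-1F63-11D3-B64C-00C04F79498E}',
    '{9CD64701-BDF3-4D14-8E03-F12983D86664}', '{9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}', '{A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}',
    '{A2E3074E-6C3D-11D3-B653-00C04F79498E}', '{A2E30750-6C3D-11D3-B653-00C04F79498E}', '{A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}',
    '{AD8E510D-217F-409B-8076-29C5E73B98E8}', '{B0EDF163-910A-11D2-B632-00C04F79498E}', '{B64016F3-C9A2-4066-96F0-BD9563314726}',
    '{BB530C63-D9DF-4B49-9439-63453962E598}', '{C531D9FD-9685-4028-8B68-6E1232079F1E}', '{C5702CCC-9B79-11D3-B654-00C04F79498E}',
    '{C5702CCD-9B79-11D3-B654-00C04F79498E}', '{C5702CCE-9B79-11D3-B654-00C04F79498E}', '{C5702CCF-9B79-11D3-B654-00C04F79498E}',
    '{C5702CD0-9B79-11D3-B654-00C04F79498E}', '{C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}', '{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}',
    '{D02AAC50-027E-11D3-9D8E-00C04F72D980}', '{F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}', '{FA7C375B-66A7-4280-879D-FD459C84BB02}'
)

foreach ($base in $BasePaths) {
    foreach ($clsid in $Clsids) {
        $key = Join-Path $base $clsid
        $current = 0
        if (Test-Path $key) {
            # Read the existing flags, if the value is present; absent means no flags set.
            $prop = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $current = [int]$prop.$ValueName }
        }

        if (($current -band $KillBit) -ne 0) {
            Write-Output ('already killed  {0}  (flags 0x{1:X})' -f $clsid, $current)
            continue
        }

        # ShouldProcess honours -WhatIf/-Confirm, so an audit run prints what would change.
        if ($PSCmdlet.ShouldProcess($key, 'set kill bit 0x400')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # OR the bit in rather than overwrite, preserving any other compatibility flags.
            New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord `
                -Value ($current -bor $KillBit) -Force | Out-Null
            Write-Output ('kill bit set    {0}' -f $clsid)
        }
    }
}
```

Saved as a .ps1, this can be run once locally or distributed through whatever startup-script or management tooling is already in place; the -WhatIf run doubles as a compliance check after the Fix it or a .reg import has been applied.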
You're making it WAY more complicated than it should be!
Trebor is right - Just go to the referenced MS URL:
- http://support.microsoft.com/kb/972890#FixItForMe
... and click ONCE (Enable workaround) - then run it!
Score: 2
|PC-Tech1's way of showing how to do this fix is A LOT better than scanning for 45 CLSIDs! Kudos
PC-Tech1
Score: 1
|I understood nothing . Thank you.
Score: 0
|LOL. Got Mac?
Score: -1
|Nope!
No Mac, don't need this patch, *and* I saved hundreds!
PC: Better than Geico.
Score: -2
|just use another browser.
problem solved.
microsoft pays the price.
Score: 0
|Ummm...
why not just delete the ActiveX's DLL/OCX file? Wouldn't that end the problem immediately?
Score: 0
|Oh and by the way I'm presently running Windows 7, and most think I'm talking out my a** which I usually don't 'cause I would sound funny let alone the "smell"....ha ha ha. Stop running older OSs if you can afford to upgrade, as the older ones get cracked more often (flaws), exploits...etc.
Score: 0
|This exploit is "mitigated by updating" to the latest version of IE 8; if you're a home user and you haven't, now is the time. This exploit primarily affects Windows version XP and Windows Server 2003 and older OSs (Windows older versions) 2000 etc.
It has to do with an ActiveX control that corrupts a DirectX control but only on older versions of Windows not running the latest version of Internet Explorer. This would affect corporations that utilize older versions of IE because of compatibility requirements, and their System Administrators should lock out the Registry Keys by setting the "Kill bits".
The average home user should not attempt to "Regedit" their systems; just update your browser to IE 8 and get "some sleep". Folks get all bent out of shape every time some flaw pops up. Microsoft is working on a patch but updating IE to 8 fixes this zero day crap for most Home Users.
Don't go patching just anything into your "registry ever". You could cause worse issues as you never know what other program may be broken looking for a fix.
Microsoft won't ever take responsibility for "you breaking" your registry.....you may just end up making "more work" for yourself.
Score: 0
|I will not be getting the patch. I run an O.S. that doesn't rely on the McDonald's of the software world to provide its patches.
Thank god for Linux is all I can say or I would still be suffering stuff like this!
Score: 0
|...
You're so cool! (heavy sarcasm)
Huh..
I don't use Linux...*and* I don't have to worry about this.
Score: -2
|Sure, you might not be getting this patch, but my Ubuntu just downloaded several patches. granted, none were for a remote exploit and Linux is not infected with the broken by design of ActiveX and the broken/insecure by design of the Windows Registry
Score: 0
|Vista is not vulnerable ==> yet another reason to use Vista!
Score: 1
|Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0149EEDF-D08F-4142-8D73-D23903D21E90}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E5-45B6-11D3-B650-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E6-45B6-11D3-B650-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{055CB2D7-2969-45CD-914B-76890722F112}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{15D6504A-5494-499C-886C-973C9E53B9F1}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1C15D484-911D-11D2-B632-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1DF7D126-4050-47F0-A7CF-4C4CA9241333}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2C63E4EB-4CEA-41B8-919C-E947EA19A77C}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{334125C0-77E5-11D3-B653-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B0353C-A4C8-11D2-B634-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B03543-A4C8-11D2-B634-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B03544-A4C8-11D2-B634-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{418008F3-CF67-4668-9628-10DC52BE1D08}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4A5869CF-929D-4040-AE03-FCAFC5B9CD42}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{577FAA18-4518-445E-8F70-1473F8CF4BA4}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{59DC47A8-116C-11D3-9D8E-00C04F72D980}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{823535A0-0318-11D3-9D8E-00C04F72D980}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8A674B4C-1F63-11D3-B64C-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8A674B4D-1F63-11D3-B64C-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9CD64701-BDF3-4D14-8E03-F12983D86664}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E3074E-6C3D-11D3-B653-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E30750-6C3D-11D3-B653-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AD8E510D-217F-409B-8076-29C5E73B98E8}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B0EDF163-910A-11D2-B632-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B64016F3-C9A2-4066-96F0-BD9563314726}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BB530C63-D9DF-4B49-9439-63453962E598}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C531D9FD-9685-4028-8B68-6E1232079F1E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCC-9B79-11D3-B654-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCD-9B79-11D3-B654-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCE-9B79-11D3-B654-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCF-9B79-11D3-B654-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CD0-9B79-11D3-B654-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D02AAC50-027E-11D3-9D8E-00C04F72D980}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FA7C375B-66A7-4280-879D-FD459C84BB02}]
"Compatibility Flags"=dword:00000400
Copy, paste, save it as something.reg, double click.
Score: -1
|Isn't everyone who has the ability to implement this fix already smart enough to be using a browser without ActiveX? :p
Score: 2
|Running Vista Business with IE8 I don't have a single key. No worries then.
Score: 0
|Another sensationalistic headline to scare people and it really doesn't amount to a bucket of crap. Sorry Fatty you're s*** out of luck. I don't know what is worse the poor excuse for writing (1.8 exploits on another article...(echo echo echo) or those idiots walking in the city i live and love or intentionally scaring people.
change made in order to keep the King of Geekdom, fatty and internetworld at bay. "Those that have nothing to say nitpick". I believe Angela Gunn made a similar point.
Score: 3
|"poor excuse for writing (1.8 exploits on another article...(echo echo echo) or the the those idiots"
*emphasis added
There's a rule somewhere....relating to the critiquing of an others spelling or grammar resulting in a post with worse. Can't remember the name of it off-hand.
(those with a sense of humor can take a bit of a jab without whining incessantly about it in topic after topic...though I guess it takes just a bit more maturity than you can muster at this point, eh?)
Score: -1
|I tested this vuln on a VM XP IE8 patched box with user level perms hitting the site and it did nothing. Not gonna bother with group policy pushouts.
Score: 0
|Microsoft's website "fix it for me" is here http://support.microsoft.com/kb/972890#FixItForMe
Score: 6
|45 reg keys on 200+ workstation and 20 servers. My boss is so not gonna pay out the over time for that.
Score: 0
|Why not just use a group policy push? Or some other systems management tool? I have yet to meet a business as large as the one you state that doesn't utilize some sort of systems management, patch management or group policy to aid in administration.
Score: 0
|"45 reg keys on 200+ workstation and 20 servers. My boss is so not gonna pay out the over time for that."
Overtime? You can write a script to do this in less than 5 minutes.
Score: 1
|So let me get this straight: they're patching this next Tuesday?
I can't be bothered to go through a list of 45 registry items.
Score: 0
|Let me remote into your system, I'll do it for free. LOL
Score: 1
|"I can't be bothered to go through a list of 45 registry items."
Seriously...is scripting really that hard to grasp for betanews readers? I guess I keep making the mistake of assuming people with at least a vague understanding of system administration read this site...;/
Score: 0
|Perhaps I should elucidate my point:
Home machine - Not using IE.
Waste of my time.
Score: 0
|"For Windows XP and Windows Server 2003 customers..."
Vista, WS2k8 are not vulnerable to this exploit then?
...I suppose that makes it a left-over from IE6 then. Will this control be active/accessible on systems running IE7 or 8?
Scott?
Score: 0
|Considering the picture is from Vista...I'm guessing this does affect Vista PCs?
Score: 0
|From the microsoft website listed in this article:
"Customers who are using Windows Vista or Windows Server 2008 are not affected because the ability to pass data to this control within Internet Explorer has been restricted."
Score: 2
|http://www.microsoft.com...ty/advisory/972890.mspx
According to this advisory Vista is NOT affected.
Mitigating Factors: Customers who are using Windows Vista or Windows Server 2008 are not affected because the ability to pass data to this control within Internet Explorer has been restricted.
Sorry FixXxeR posted first
Score: 3
|"Customers who are using Windows Vista or Windows Server 2008 are not affected because the ability to pass data to this control within Internet Explorer has been restricted."
take that vista haters :P
Score: 3
|@vikampion:
Don't trust the pictures. (Similar to rule number one of Christmas Presents, "Don't trust the Box".)
It's gotta be pretty high up there on the "Rules of Betanews".
;)
Score: 0