The CLSID for an ActiveX control is a GUID for that control. You can prevent an ActiveX control from running in Internet Explorer by setting the kill bit so that the control is never called by Internet Explorer when default settings are used.
The kill bit is a specific value for the Compatibility Flags DWORD value for the ActiveX control in the registry. This is different from revoking the "safe for scripting" option in an ActiveX control. When the "safe for scripting" option is revoked, Internet Explorer still calls for the control and then prompts you with a warning message that the ActiveX control may be unsafe. Depending on the choice you make, the control may be run. However, after the kill bit is set for an ActiveX control, that control is not called by Internet Explorer at all unless the Initialize and script ActiveX controls not marked as safe option is enabled in Internet Explorer. To set the kill bit, follow these steps:
- Determine the CLSID for the ActiveX control that you want to disable. If you are not sure of the CLSID for the control, contact the manufacturer. If the control is installed, you may be able to determine its CLSID if you know its friendly name. To do this, examine the Default string value for the ProgID key for each of the CLSID keys in HKEY_CLASSES_ROOTCLSID. You may have to remove as many ActiveX controls as possible, except for the one that you want to disable, to make it easier to identify the appropriate CLSID. For more information about how to remove ActiveX controls, click the following article number to view the article in the Microsoft Knowledge Base:
154850 (http://support.microsoft.com/kb/154850/ ) How to remove an ActiveX control in Windows
- Use Registry Editor to view the data value of the Compatibility Flags DWORD value of the ActiveX object CLSID in the following registry key
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX CompatibilityCLSID of the ActiveX control
where CLSID of the ActiveX Control is the class identifier of the appropriate ActiveX control.
Note Typically, you will have to manually create this registry key. - Change the value of the Compatibility Flags DWORD value to 0x00000400.
If a killbit is set for an ActiveX control and a new version of an ActiveX control is released with a different CLSID, you can enable Web sites that use the old CLSID to continue to work as intended. You do this by adding the new value at the same level as the Compatibility Flags value in the registry. This value should be a REG_SZ string that is named "AlternateCLSID." The AlternateCLSID value will appear enclosed in braces. For example, it will resemble the following:
{ABCDEF12-ABCD-ABCD-ABCD-ABCDEF123456}
For example:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility
{CLSID of killed ActiveX control}, Compatibility Flags, 0x0400
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility
{CLSID of killed ActiveX control}, AlternateCLSID, "{CLSID of alternate ActiveX control}"
Internet Explorer will interpret this value and create an instance of the ActiveX control that is referenced in the AlternateCLSID value instead of the one that has received a killbit.
Note For the AlternateCLSID value to be effective, the killbit must be set on the initial CLSID.
Back to the topActiveX control developers can use the TreatAs or AlternateCLSID registry values with the "kill bit" to have Internet Explorer check to see if an updated ActiveX control has been provided for use instead of a disabled ActiveX control. For information about how to use the TreatAs value, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/ms679737.aspx (http://msdn2.microsoft.com/en-us/library/ms679737.aspx)
To set the AlternateCLSID value, follow these steps:
- Use Registry Editor to locate the disabled ActiveX object CLSID in the following registry key:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX CompatibilityCLSID of the ActiveX control
Where CLSID of the ActiveX Control is the class identifier of the appropriate ActiveX control.
You can see the value of the Compatibility Flags is set to DWORD 00000400. - Add an AlternateCLSID string value to the CLSID key.
- Set the data of the AlternateCLSID string value to {CLSID of the alternate ActiveX control}, where {CLSID of the ActiveX Control} is the class identifier of the updated ActiveX control.
The AlternateCLSID value instructs Internet Explorer to redirect to the CLSID for the updated ActiveX control. You can chain redirects up to ten levels deep.
The AlternateCLSID value is supported on the following versions of Internet Explorer.
- Internet Explorer 5.01 Service Pack 2 or later for Windows 2000 with MS03-004 or later
- Internet Explorer 5.5 Service Pack 2 with MS02-068 or later
- Internet Explorer 6 Service Pack 1
- Internet Explorer 6 for Windows XP with MS02-068 or later
- Internet Explorer 6 for Windows Server 2003
- Windows Internet Explorer 7 for Windows Server 2003 IA64
- Windows Internet Explorer 7 for Windows XP
- Windows Internet Explorer 7.0 for Windows Server 2003
- Windows Internet Explorer 7.0 in Windows Vista
Note Versions of Internet Explorer that are not listed in this article are either in the extended phase of the product life cycle or are no longer supported. Although you can set the kill bit on these versions of Windows and of Internet Explorer, Microsoft recommends that you also upgrade to a supported version of Internet Explorer and apply all appropriate updates. For more information about how to determine the version of Internet Explorer, click the following article number to view the article in the Microsoft Knowledge Base:
164539 (http://support.microsoft.com/kb/164539/ ) How to determine which version of Internet Explorer is installed
For more information about the kill bit for ActiveX controls, see the following Microsoft Security Vulnerability Research & Defense Blog posts:
The Kill-Bit FAQ: Part 1 of 3
http://blogs.technet.com/srd/archive/2008/02/06/The-Kill_2D00_Bit-FAQ_3A00_-Part-1-of-3.aspx (http://blogs.technet.com/srd/archive/2008/02/06/The-Kill_2D00_Bit-FAQ_3A00_-Part-1-of-3.aspx)
The Kill-Bit FAQ: Part 2 of 3
http://blogs.technet.com/srd/archive/2008/02/07/The-Kill_2D00_Bit-FAQ_3A00_-Post-2-of-3.aspx (http://blogs.technet.com/srd/archive/2008/02/07/The-Kill_2D00_Bit-FAQ_3A00_-Post-2-of-3.aspx)
The Kill-Bit FAQ: Part 3 of 3
http://blogs.technet.com/srd/archive/2008/02/08/The-Kill_2D00_Bit-FAQ_3A00_-Part-3-of-3.aspx (http://blogs.technet.com/srd/archive/2008/02/08/The-Kill_2D00_Bit-FAQ_3A00_-Part-3-of-3.aspx)
Information for application vendors
Application vendors that have security issues with an ActiveX control that they…
Application vendors that have security issues with an ActiveX control that they own may request that Microsoft issue a kill bit to prevent their ActiveX control from running in Internet Explorer. Approved requests will be processed in a future Update Rollup for ActiveX Kill Bits Security Advisory. Microsoft will issue a kill bit only for ActiveX controls that are found to have a vulnerability, and only if the owning independent software vendor (ISV) has already produced an updated version of their ActiveX control. ISVs that have vulnerable ActiveX controls can e-mail requests to [email protected] together with answers to the following questions:
- What is the public URL for the updated ActiveX control?
- What is the CLSID of the requested ActiveX control to receive a kill bit within Internet Explorer?
- Has this updated ActiveX control received a new CLSID that sets a kill bit to the vulnerable CLSID in the process? The process to do this is documented in this Knowledge Base article.
- Is the requested ActiveX control marked as safe-for-scripting or safe-for-initialization?
- Are there older versions of the requested ActiveX control? If the answer is "yes," what are their CLSIDs?
- What is the primary delivery mechanism to consumers for the requested ActiveX control?
- What is the public URL for the ISV Advisory that discloses the vulnerability?
Reference: http://support.microsoft.com/kb/240797
