ActiveX Kill Bit Can Be Bypassed - Another Reason to Apply MS05-054?

Published: 2006-01-30
Last Updated: 2006-01-30 18:44:50 UTC
by Lenny Zeltser (Version: 2)
ISC reader Juha-Matti Laurio pointed out a new vulnerability note VU#998297, published by US-CERT on January 26, 2006, which states that a malicious website can bypass an ActiveX kill bit by taking advantage of a bug in Internet Explorer.

A kill bit is a registry setting that prevents Internet Explorer from running the corresponding ActiveX control even if the control is installed on the system. It is not uncommon to proactively set kill bits for known malicious ActiveX controls as part of a spyware-prevention effort. For example, the SpywareGuide website provides a freely downloadable .REG file for setting kill bits of many "dubious" ActiveX controls.
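
A kill bit is stored as bit 0x400 of the "Compatibility Flags" DWORD under ...\Internet Explorer\ActiveX Compatibility\{CLSID}. The script below is an added example, not part of the original diary: it audits the text of a kill-bit .REG file and reports which CLSIDs actually have that bit set. The function names and sample CLSIDs are constructed placeholders.

```python
import re

# Kill bit: bit 0x400 of the "Compatibility Flags" DWORD stored under
# ...\Internet Explorer\ActiveX Compatibility\{CLSID}
KILLBIT_FLAG = 0x00000400
SECTION_RE = re.compile(r"^\[(-?)(.+?)\]$")
CLSID_KEY_RE = re.compile(r"\\Internet Explorer\\ActiveX Compatibility\\"
                          r"(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})$", re.I)
FLAGS_RE = re.compile(r'^"Compatibility Flags"\s*=\s*dword:([0-9A-F]{1,8})$', re.I)

# Constructed sample input; the CLSIDs are placeholders, not real controls.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000420

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000004}]
"""

def audit_reg_text(text):
    """Map each CLSID under the ActiveX Compatibility key to True if its kill bit is set."""
    results, clsid = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            deleted, path = section.groups()
            key = CLSID_KEY_RE.search(path)
            # "[-KEY]" deletes a key, so it cannot be setting a kill bit.
            clsid = key.group(1).upper() if key and not deleted else None
            if clsid:
                results.setdefault(clsid, False)  # key present, flag not seen yet
            continue
        flags = FLAGS_RE.match(line)
        if clsid and flags:
            results[clsid] = bool(int(flags.group(1), 16) & KILLBIT_FLAG)
    return results

def missing_killbits(text):
    """CLSIDs listed in the file whose kill bit is not set."""
    return sorted(c for c, is_set in audit_reg_text(text).items() if not is_set)

if __name__ == "__main__":
    for c, is_set in audit_reg_text(SAMPLE_REG).items():
        print(c, "kill bit set" if is_set else "kill bit NOT set")
```

The same function can be run over a `reg export` of the ActiveX Compatibility key (converted to UTF-8 text) to confirm that the entries a .REG file was meant to set are present on a given machine.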

The VU#998297 vulnerability demonstrates the limitation of relying on kill bits as the sole mechanism for protection against malicious ActiveX controls.

The US-CERT article implies that this vulnerability was fixed by the MS05-054 patch, which was released in December 2005. Strangely, Microsoft's MS05-054 advisory did not mention any bugs related to kill bits. Perhaps the kill bit flaw is a specific problem related to the COM Object Instantiation Memory Corruption Vulnerability (CAN-2005-2831), which was covered in MS05-054. Equally puzzling, US-CERT lists a different CVE number (CVE-2006-0057) when discussing the kill bit problem.

So, as far as I can tell, you can address the kill bit vulnerability by installing Microsoft's MS05-054 patch, though I am not quite sure of that.

Update: The MS05-054 bulletin contains the following phrase, which reinforces the theory that this patch addresses the kill bit vulnerability: "This cumulative security update also includes the checks that were introduced in Microsoft Security Bulletin MS05-052 before a COM object is allowed to run in Internet Explorer. The intent of this change is to prevent COM objects that were not designed to be instantiated in Internet Explorer from being instantiated in Internet Explorer."

Lenny Zeltser
ISC Handler on Duty
www.zeltser.com