Question,
According to the Microsoft article it looks like you need to add a whole a lot
of CSLID's that need the kill bit set, is this what everyone else is doing? So
basically adding each one of these CSLID's to a .reg file and then scheduling a
bat file to be run at the computer startup like the following?
(Call it MSVideofit.bat)
:BATFILE
Regedit -s MSactiveXVideoFix.reg
:MsActiveXVideoFix.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
"Compatibility Flags"=dword:00000400
ETC ETC (Down the list of CLSIDS below)
Then set a Group policy with the computer startup script at the root of your
domain, and let it rip. (So servers, workstations etc etc get the fix, you can
try it at a small OU level and reg query the registry after the system is
booted, to verify that it working
The following Class Identifiers relate to Microsoft Video ActiveX Control:
Class Identifier
{011B3619-FE63-4814-8A84-15A194CE9CE3}
{0149EEDF-D08F-4142-8D73-D23903D21E90}
{0369B4E5-45B6-11D3-B650-00C04F79498E}
{0369B4E6-45B6-11D3-B650-00C04F79498E}
{055CB2D7-2969-45CD-914B-76890722F112}
{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}
{15D6504A-5494-499C-886C-973C9E53B9F1}
{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}
{1C15D484-911D-11D2-B632-00C04F79498E}
{1DF7D126-4050-47F0-A7CF-4C4CA9241333}
{2C63E4EB-4CEA-41B8-919C-E947EA19A77C}
{334125C0-77E5-11D3-B653-00C04F79498E}
{37B0353C-A4C8-11D2-B634-00C04F79498E}
{37B03543-A4C8-11D2-B634-00C04F79498E}
{37B03544-A4C8-11D2-B634-00C04F79498E}
{418008F3-CF67-4668-9628-10DC52BE1D08}
{4A5869CF-929D-4040-AE03-FCAFC5B9CD42}
{577FAA18-4518-445E-8F70-1473F8CF4BA4}
{59DC47A8-116C-11D3-9D8E-00C04F72D980}
{7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}
{823535A0-0318-11D3-9D8E-00C04F72D980}
{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}
{8A674B4C-1F63-11D3-B64C-00C04F79498E}
{8A674B4D-1F63-11D3-B64C-00C04F79498E}
{9CD64701-BDF3-4D14-8E03-F12983D86664}
{9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}
{A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}
{A2E3074E-6C3D-11D3-B653-00C04F79498E}
{A2E30750-6C3D-11D3-B653-00C04F79498E}
{A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}
{AD8E510D-217F-409B-8076-29C5E73B98E8}
{B0EDF163-910A-11D2-B632-00C04F79498E}
{B64016F3-C9A2-4066-96F0-BD9563314726}
{BB530C63-D9DF-4B49-9439-63453962E598}
{C531D9FD-9685-4028-8B68-6E1232079F1E}
{C5702CCC-9B79-11D3-B654-00C04F79498E}
{C5702CCD-9B79-11D3-B654-00C04F79498E}
{C5702CCE-9B79-11D3-B654-00C04F79498E}
{C5702CCF-9B79-11D3-B654-00C04F79498E}
{C5702CD0-9B79-11D3-B654-00C04F79498E}
{C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}
{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}
{D02AAC50-027E-11D3-9D8E-00C04F72D980}
{F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}
{FA7C375B-66A7-4280-879D-FD459C84BB02}
Note The Class Identifiers and corresponding files where the ActiveX objects
are contained are documented in the table above. Replace
{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} below with the Class Identifier found in
this table.
To set the kill bit for a CLSID with a value of
{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, paste the following text in a text
editor such as Notepad. Then, save the file by using the .reg file name
extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}]
"Compatibility Flags"=dword:00000400
You can apply this .reg file to individual systems by double-clicking it. You
can also apply it across domains by using Group Policy. For more information
about Group Policy, visit the following Microsoft Web sites:
Please advise, going to be undertaking this shortly, and don't want to screw it
up.
Z
Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
ezi...@lifespan.org
Phone:401-639-3505
-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Wednesday, July 08, 2009 10:48 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild
Yes, unfortunately, all our users are admins. It sucks, but I use it
to my advantage when I can.
The reason we've not done a GP is because we haven't had the luxury of
studying to understand them. Our plates always seem to be full with
other things.
On Tue, Jul 7, 2009 at 19:04, Ken Schaefer<k...@adopenstatic.com> wrote:
> Are all your users admins? Otherwise, how is that logon script going to
> update HKLM?
>
> Machine-based startup script would be better idea, no?
>
> Cheers
> Ken
>
> ________________________________________
> From: Kurt Buff [kurt.b...@gmail.com]
> Sent: Wednesday, 8 July 2009 2:41 AM
> To: NT System Admin Issues
> Subject: Re: New IE zero day exploit in the wild
>
> I'm just pushing out the .reg file in the login script:
>
> regedit /s \\fileserver\public\patches\videokillbits.reg
>
> The file was easy to create, in a capable editor (not notepad or
> wordpad) that allows metacharacter search and replace, such as '\n'
> for CRLF and '\t' for tab. I used the ancient, no-longer-supported
> PFE32. I really should switch to VIM, I suppose.
>
> On Tue, Jul 7, 2009 at 08:40, Eric
> Wittersheim<eric.wittersh...@gmail.com> wrote:
>> I'm pushing out the .reg via GP. So far so good.
>>
>> On Tue, Jul 7, 2009 at 10:38 AM, David Lum <david....@nwea.org> wrote:
>>>
>>> The "Microsoft fix-it" is an MSI that I am pushing via SMS and is pushing
>>> fine (so far just a few test cases have it, but no issues). Beats trying to
>>> push out a .REG or something...
>>>
>>>
>>>
>>> David Lum // SYSTEMS ENGINEER
>>> NORTHWEST EVALUATION ASSOCIATION
>>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>>>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
>
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
