Re: New IE zero day exploit in the wild

Wed, 08 Jul 2009 08:03:26 -0700 

I didn't create a batch file I just created a reg file with all the lines
like below.  Then I created a new GP and applied it to the OU.  In the GP I
run the reg file in the computer start up script with the /s argument.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{0149EEDF-D08F-4142-8D73-D23903D21E90}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{0369B4E5-45B6-11D3-B650-00C04F79498E}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{0369B4E6-45B6-11D3-B650-00C04F79498E}]
"Compatibility Flags"=dword:00000400

On Wed, Jul 8, 2009 at 9:56 AM, Ziots, Edward <ezi...@lifespan.org> wrote:

> Question,
>
> According to the Microsoft article it looks like you need to add a whole a
> lot of CSLID's that need the kill bit set, is this what everyone else is
> doing? So basically adding each one of these CSLID's to a .reg file and then
> scheduling a bat file to be run at the computer startup like the following?
>
> (Call it MSVideofit.bat)
> :BATFILE
> Regedit -s MSactiveXVideoFix.reg
>
> :MsActiveXVideoFix.reg
> Windows Registry Editor Version 5.00
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
> Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
> "Compatibility Flags"=dword:00000400
>
> ETC ETC (Down the list of CLSIDS below)
>
> Then set a Group policy with the computer startup script at the root of
> your domain, and let it rip. (So servers, workstations etc etc get the fix,
> you can try it at a small OU level and reg query the registry after the
> system is booted, to verify that it working
>
> The following Class Identifiers relate to Microsoft Video ActiveX Control:
>
> Class Identifier
> {011B3619-FE63-4814-8A84-15A194CE9CE3}
>
> {0149EEDF-D08F-4142-8D73-D23903D21E90}
>
> {0369B4E5-45B6-11D3-B650-00C04F79498E}
>
> {0369B4E6-45B6-11D3-B650-00C04F79498E}
>
> {055CB2D7-2969-45CD-914B-76890722F112}
>
> {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}
>
> {15D6504A-5494-499C-886C-973C9E53B9F1}
>
> {1BE49F30-0E1B-11D3-9D8E-00C04F72D980}
>
> {1C15D484-911D-11D2-B632-00C04F79498E}
>
> {1DF7D126-4050-47F0-A7CF-4C4CA9241333}
>
> {2C63E4EB-4CEA-41B8-919C-E947EA19A77C}
>
> {334125C0-77E5-11D3-B653-00C04F79498E}
>
> {37B0353C-A4C8-11D2-B634-00C04F79498E}
>
> {37B03543-A4C8-11D2-B634-00C04F79498E}
>
> {37B03544-A4C8-11D2-B634-00C04F79498E}
>
> {418008F3-CF67-4668-9628-10DC52BE1D08}
>
> {4A5869CF-929D-4040-AE03-FCAFC5B9CD42}
>
> {577FAA18-4518-445E-8F70-1473F8CF4BA4}
>
> {59DC47A8-116C-11D3-9D8E-00C04F72D980}
>
> {7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}
>
> {823535A0-0318-11D3-9D8E-00C04F72D980}
>
> {8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}
>
> {8A674B4C-1F63-11D3-B64C-00C04F79498E}
>
> {8A674B4D-1F63-11D3-B64C-00C04F79498E}
>
> {9CD64701-BDF3-4D14-8E03-F12983D86664}
>
> {9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}
>
> {A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}
>
> {A2E3074E-6C3D-11D3-B653-00C04F79498E}
>
> {A2E30750-6C3D-11D3-B653-00C04F79498E}
>
> {A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}
>
> {AD8E510D-217F-409B-8076-29C5E73B98E8}
>
> {B0EDF163-910A-11D2-B632-00C04F79498E}
>
> {B64016F3-C9A2-4066-96F0-BD9563314726}
>
> {BB530C63-D9DF-4B49-9439-63453962E598}
>
> {C531D9FD-9685-4028-8B68-6E1232079F1E}
>
> {C5702CCC-9B79-11D3-B654-00C04F79498E}
>
> {C5702CCD-9B79-11D3-B654-00C04F79498E}
>
> {C5702CCE-9B79-11D3-B654-00C04F79498E}
>
> {C5702CCF-9B79-11D3-B654-00C04F79498E}
>
> {C5702CD0-9B79-11D3-B654-00C04F79498E}
>
> {C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}
>
> {CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}
>
> {D02AAC50-027E-11D3-9D8E-00C04F72D980}
>
> {F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}
>
> {FA7C375B-66A7-4280-879D-FD459C84BB02}
>
>
> Note The Class Identifiers and corresponding files where the ActiveX
> objects are contained are documented in the table above. Replace
> {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} below with the Class Identifier found
> in this table.
>
> To set the kill bit for a CLSID with a value of
> {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, paste the following text in a text
> editor such as Notepad. Then, save the file by using the .reg file name
> extension.
>
> Windows Registry Editor Version 5.00
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
> Compatibility\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}]
> "Compatibility Flags"=dword:00000400
>
> You can apply this .reg file to individual systems by double-clicking it.
> You can also apply it across domains by using Group Policy. For more
> information about Group Policy, visit the following Microsoft Web sites:
>
>
> Please advise, going to be undertaking this shortly, and don't want to
> screw it up.
>
> Z
>
>
> Edward Ziots
> Network Engineer
> Lifespan Organization
> MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
> ezi...@lifespan.org
> Phone:401-639-3505
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Wednesday, July 08, 2009 10:48 AM
> To: NT System Admin Issues
> Subject: Re: New IE zero day exploit in the wild
>
> Yes, unfortunately, all our users are admins. It sucks, but I use it
> to my advantage when I can.
>
> The reason we've not done a GP is because we haven't had the luxury of
> studying to understand them. Our plates always seem to be full with
> other things.
>
> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer<k...@adopenstatic.com> wrote:
> > Are all your users admins? Otherwise, how is that logon script going to
> update HKLM?
> >
> > Machine-based startup script would be better idea, no?
> >
> > Cheers
> > Ken
> >
> > ________________________________________
> > From: Kurt Buff [kurt.b...@gmail.com]
> > Sent: Wednesday, 8 July 2009 2:41 AM
> > To: NT System Admin Issues
> > Subject: Re: New IE zero day exploit in the wild
> >
> > I'm just pushing out the .reg file in the login script:
> >
> >     regedit /s \\fileserver\public\patches\videokillbits.reg
> >
> > The file was easy to create, in a capable editor (not notepad or
> > wordpad) that allows metacharacter search and replace, such as '\n'
> > for CRLF and '\t' for tab. I used the ancient, no-longer-supported
> > PFE32. I really should switch to VIM, I suppose.
> >
> > On Tue, Jul 7, 2009 at 08:40, Eric
> > Wittersheim<eric.wittersh...@gmail.com> wrote:
> >> I'm pushing out the .reg via GP.  So far so good.
> >>
> >> On Tue, Jul 7, 2009 at 10:38 AM, David Lum <david....@nwea.org> wrote:
> >>>
> >>> The "Microsoft fix-it" is an MSI that I am pushing via SMS and is
> pushing
> >>> fine (so far just a few test cases have it, but no issues). Beats
> trying to
> >>> push out a .REG or something...
> >>>
> >>>
> >>>
> >>> David Lum // SYSTEMS ENGINEER
> >>> NORTHWEST EVALUATION ASSOCIATION
> >>> (Desk) 971.222.1025 // (Cell) 503.267.9764
> >>>
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> >
> >
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Reply via email to