FixIt was only for XP and 2003 machines not Vista, or did you not read all the way to the bottom of the article? It is possible I missed something though.
Jon On Wed, Jul 8, 2009 at 11:13 AM, Carl Houseman <c.house...@gmail.com> wrote: > It appears that's what we're left to do on our own. Not sure why MS > couldn't just provide us the .reg file ready-to-use. Or for that matter, a > .msi file that works with GP. I tried assigning the msfixit .msi in a > group > policy, but it didn't install (on Vista anyway, didn't test w/XP after > that, > it worked under Vista when run interactively). > > My other idea, a custom .adm file to push the settings out, fell flat > because a single policy can't affect multiple reg keys with a single > enable/disable choice. If I'm wrong about that I'd love to hear how it's > done. > > Carl > > -----Original Message----- > From: Ziots, Edward [mailto:ezi...@lifespan.org] > Sent: Wednesday, July 08, 2009 10:57 AM > To: NT System Admin Issues > Subject: RE: New IE zero day exploit in the wild > > Question, > > According to the Microsoft article it looks like you need to add a whole a > lot of CSLID's that need the kill bit set, is this what everyone else is > doing? So basically adding each one of these CSLID's to a .reg file and > then > scheduling a bat file to be run at the computer startup like the following? > > (Call it MSVideofit.bat) > :BATFILE > Regedit -s MSactiveXVideoFix.reg > > :MsActiveXVideoFix.reg > Windows Registry Editor Version 5.00 > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX > Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}] > "Compatibility Flags"=dword:00000400 > > ETC ETC (Down the list of CLSIDS below) > > Then set a Group policy with the computer startup script at the root of > your > domain, and let it rip. (So servers, workstations etc etc get the fix, you > can try it at a small OU level and reg query the registry after the system > is booted, to verify that it working > > The following Class Identifiers relate to Microsoft Video ActiveX Control: > > Class Identifier > {011B3619-FE63-4814-8A84-15A194CE9CE3} > > {0149EEDF-D08F-4142-8D73-D23903D21E90} > > {0369B4E5-45B6-11D3-B650-00C04F79498E} > > {0369B4E6-45B6-11D3-B650-00C04F79498E} > > {055CB2D7-2969-45CD-914B-76890722F112} > > {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF} > > {15D6504A-5494-499C-886C-973C9E53B9F1} > > {1BE49F30-0E1B-11D3-9D8E-00C04F72D980} > > {1C15D484-911D-11D2-B632-00C04F79498E} > > {1DF7D126-4050-47F0-A7CF-4C4CA9241333} > > {2C63E4EB-4CEA-41B8-919C-E947EA19A77C} > > {334125C0-77E5-11D3-B653-00C04F79498E} > > {37B0353C-A4C8-11D2-B634-00C04F79498E} > > {37B03543-A4C8-11D2-B634-00C04F79498E} > > {37B03544-A4C8-11D2-B634-00C04F79498E} > > {418008F3-CF67-4668-9628-10DC52BE1D08} > > {4A5869CF-929D-4040-AE03-FCAFC5B9CD42} > > {577FAA18-4518-445E-8F70-1473F8CF4BA4} > > {59DC47A8-116C-11D3-9D8E-00C04F72D980} > > {7F9CB14D-48E4-43B6-9346-1AEBC39C64D3} > > {823535A0-0318-11D3-9D8E-00C04F72D980} > > {8872FF1B-98FA-4D7A-8D93-C9F1055F85BB} > > {8A674B4C-1F63-11D3-B64C-00C04F79498E} > > {8A674B4D-1F63-11D3-B64C-00C04F79498E} > > {9CD64701-BDF3-4D14-8E03-F12983D86664} > > {9E77AAC4-35E5-42A1-BDC2-8F3FF399847C} > > {A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980} > > {A2E3074E-6C3D-11D3-B653-00C04F79498E} > > {A2E30750-6C3D-11D3-B653-00C04F79498E} > > {A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE} > > {AD8E510D-217F-409B-8076-29C5E73B98E8} > > {B0EDF163-910A-11D2-B632-00C04F79498E} > > {B64016F3-C9A2-4066-96F0-BD9563314726} > > {BB530C63-D9DF-4B49-9439-63453962E598} > > {C531D9FD-9685-4028-8B68-6E1232079F1E} > > {C5702CCC-9B79-11D3-B654-00C04F79498E} > > {C5702CCD-9B79-11D3-B654-00C04F79498E} > > {C5702CCE-9B79-11D3-B654-00C04F79498E} > > {C5702CCF-9B79-11D3-B654-00C04F79498E} > > {C5702CD0-9B79-11D3-B654-00C04F79498E} > > {C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7} > > {CAAFDD83-CEFC-4E3D-BA03-175F17A24F91} > > {D02AAC50-027E-11D3-9D8E-00C04F72D980} > > {F9769A06-7ACA-4E39-9CFB-97BB35F0E77E} > > {FA7C375B-66A7-4280-879D-FD459C84BB02} > > > Note The Class Identifiers and corresponding files where the ActiveX > objects > are contained are documented in the table above. Replace > {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} below with the Class Identifier > found > in this table. > > To set the kill bit for a CLSID with a value of > {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, paste the following text in a text > editor such as Notepad. Then, save the file by using the .reg file name > extension. > > Windows Registry Editor Version 5.00 > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX > Compatibility\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}] > "Compatibility Flags"=dword:00000400 > > You can apply this .reg file to individual systems by double-clicking it. > You can also apply it across domains by using Group Policy. For more > information about Group Policy, visit the following Microsoft Web sites: > > > Please advise, going to be undertaking this shortly, and don't want to > screw > it up. > > Z > > > Edward Ziots > Network Engineer > Lifespan Organization > MCSE,MCSA,MCP+I, ME, CCA, Security +, Network + > ezi...@lifespan.org > Phone:401-639-3505 > -----Original Message----- > From: Kurt Buff [mailto:kurt.b...@gmail.com] > Sent: Wednesday, July 08, 2009 10:48 AM > To: NT System Admin Issues > Subject: Re: New IE zero day exploit in the wild > > Yes, unfortunately, all our users are admins. It sucks, but I use it > to my advantage when I can. > > The reason we've not done a GP is because we haven't had the luxury of > studying to understand them. Our plates always seem to be full with > other things. > > On Tue, Jul 7, 2009 at 19:04, Ken Schaefer<k...@adopenstatic.com> wrote: > > Are all your users admins? Otherwise, how is that logon script going to > update HKLM? > > > > Machine-based startup script would be better idea, no? > > > > Cheers > > Ken > > > > ________________________________________ > > From: Kurt Buff [kurt.b...@gmail.com] > > Sent: Wednesday, 8 July 2009 2:41 AM > > To: NT System Admin Issues > > Subject: Re: New IE zero day exploit in the wild > > > > I'm just pushing out the .reg file in the login script: > > > > regedit /s \\fileserver\public\patches\videokillbits.reg > > > > The file was easy to create, in a capable editor (not notepad or > > wordpad) that allows metacharacter search and replace, such as '\n' > > for CRLF and '\t' for tab. I used the ancient, no-longer-supported > > PFE32. I really should switch to VIM, I suppose. > > > > On Tue, Jul 7, 2009 at 08:40, Eric > > Wittersheim<eric.wittersh...@gmail.com> wrote: > >> I'm pushing out the .reg via GP. So far so good. > >> > >> On Tue, Jul 7, 2009 at 10:38 AM, David Lum <david....@nwea.org> wrote: > >>> > >>> The "Microsoft fix-it" is an MSI that I am pushing via SMS and is > pushing > >>> fine (so far just a few test cases have it, but no issues). Beats > trying > to > >>> push out a .REG or something... > >>> > >>> > >>> > >>> David Lum // SYSTEMS ENGINEER > >>> NORTHWEST EVALUATION ASSOCIATION > >>> (Desk) 971.222.1025 // (Cell) 503.267.9764 > >>> > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~