I have it (and the cmd file that calls it) in the netlogon share on my DCs. Here is a sample line from the CMD file:

%SystemRoot%\system32\cscript /nologo %logonserver%\netlogon\SlayOCX.vbs -k 011B3619-FE63-4814-8A84-15A194CE9CE3 -l

I guess I forgot to mention the best part about this script is that you can undo the killbit by changing the -k parameter to -r, so you have a simple way to undo it if you want.

.Tim

> -----Original Message-----
> From: Richard Stovall [mailto:richard.stov...@researchdata.com]
> Sent: Wednesday, July 08, 2009 8:47 AM
> To: NT System Admin Issues
> Subject: RE: New IE zero day exploit in the wild
>
> Couple of questions about this:
>
> Where does the slayocx.vbs (that gets called by your .cmd file) live?
>
> Is it trivial to change the log location from "SystemDrive" to a network
> share? (LogFileName = WshEnv("SystemDrive") & "\SlayOCX.log")
>
> Thanks,
> RS
>
> -----Original Message-----
> From: Tim Evans [mailto:tev...@sparling.com]
> Sent: Wednesday, July 08, 2009 11:18 AM
> To: NT System Admin Issues
> Subject: RE: New IE zero day exploit in the wild
>
> A while back, Jesper Johansson published a VBScript that helps with this.
> http://msinfluentials.com/blogs/jesper/archive/2006/09/29/Set-KillBit-on-Arbitrary-ActiveX-Controls-with-Group-Policy.aspx
> It writes a log file in the root of the user's C: drive that indicates
> success or failure or not found. I've got a CMD file that consists of
> nothing but a bunch of slayocx.vbs commands.
>
> .Tim
>
> > -----Original Message-----
> > From: Ziots, Edward [mailto:ezi...@lifespan.org]
> > Sent: Wednesday, July 08, 2009 7:57 AM
> > To: NT System Admin Issues
> > Subject: RE: New IE zero day exploit in the wild
> >
> > Question,
> >
> > According to the Microsoft article it looks like you need to add a whole
> > lot of CLSIDs that need the kill bit set; is this what everyone else
> > is doing? So basically adding each one of these CLSIDs to a .reg file
> > and then scheduling a bat file to be run at the computer startup like
> > the following?
> >
> > (Call it MSVideofit.bat)
> > :BATFILE
> > Regedit -s MSactiveXVideoFix.reg
> >
> > :MsActiveXVideoFix.reg
> > Windows Registry Editor Version 5.00
> > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
> > "Compatibility Flags"=dword:00000400
> >
> > ETC ETC (down the list of CLSIDs below)
> >
> > Then set a Group Policy with the computer startup script at the root of
> > your domain, and let it rip. (So servers, workstations etc. get the
> > fix; you can try it at a small OU level and reg query the registry after
> > the system is booted, to verify that it is working.)
> >
> > The following Class Identifiers relate to Microsoft Video ActiveX Control:
> >
> > Class Identifier
> >
> > Note: The Class Identifiers and corresponding files where the ActiveX
> > objects are contained are documented in the table above. Replace
> > {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} below with the Class Identifier
> > found in this table.
> >
> > To set the kill bit for a CLSID with a value of
> > {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, paste the following text in a
> > text editor such as Notepad. Then, save the file by using the .reg file
> > name extension.
> >
> > Windows Registry Editor Version 5.00
> > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}]
> > "Compatibility Flags"=dword:00000400
> >
> > You can apply this .reg file to individual systems by double-clicking
> > it. You can also apply it across domains by using Group Policy. For more
> > information about Group Policy, visit the following Microsoft Web sites:
> >
> > Please advise, going to be undertaking this shortly, and don't want to
> > screw it up.
> >
> > Z
> >
> > Edward Ziots
> > Network Engineer
> > Lifespan Organization
> > MCSE, MCSA, MCP+I, ME, CCA, Security+, Network+
> > ezi...@lifespan.org
> > Phone: 401-639-3505
> >
> > -----Original Message-----
> > From: Kurt Buff [mailto:kurt.b...@gmail.com]
> > Sent: Wednesday, July 08, 2009 10:48 AM
> > To: NT System Admin Issues
> > Subject: Re: New IE zero day exploit in the wild
> >
> > Yes, unfortunately, all our users are admins. It sucks, but I use it
> > to my advantage when I can.
> >
> > The reason we've not done a GP is because we haven't had the luxury of
> > studying to understand them. Our plates always seem to be full with
> > other things.
> >
> > On Tue, Jul 7, 2009 at 19:04, Ken Schaefer <k...@adopenstatic.com> wrote:
> > > Are all your users admins? Otherwise, how is that logon script going
> > > to update HKLM?
> > >
> > > Machine-based startup script would be better idea, no?
> > >
> > > Cheers
> > > Ken
> > >
> > > ________________________________________
> > > From: Kurt Buff [kurt.b...@gmail.com]
> > > Sent: Wednesday, 8 July 2009 2:41 AM
> > > To: NT System Admin Issues
> > > Subject: Re: New IE zero day exploit in the wild
> > >
> > > I'm just pushing out the .reg file in the login script:
> > >
> > > regedit /s \\fileserver\public\patches\videokillbits.reg
> > >
> > > The file was easy to create, in a capable editor (not notepad or
> > > wordpad) that allows metacharacter search and replace, such as '\n'
> > > for CRLF and '\t' for tab. I used the ancient, no-longer-supported
> > > PFE32. I really should switch to VIM, I suppose.
> > >
> > > On Tue, Jul 7, 2009 at 08:40, Eric Wittersheim <eric.wittersh...@gmail.com> wrote:
> > >> I'm pushing out the .reg via GP. So far so good.
> > >>
> > >> On Tue, Jul 7, 2009 at 10:38 AM, David Lum <david....@nwea.org> wrote:
> > >>>
> > >>> The "Microsoft fix-it" is an MSI that I am pushing via SMS and is
> > >>> pushing fine (so far just a few test cases have it, but no issues).
> > >>> Beats trying to push out a .REG or something...
> > >>>
> > >>> David Lum // SYSTEMS ENGINEER
> > >>> NORTHWEST EVALUATION ASSOCIATION
> > >>> (Desk) 971.222.1025 // (Cell) 503.267.9764
> > >>>
> > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
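As an added example (not a script from this thread and not Jesper Johansson's slayocx.vbs), here is a PowerShell computer-startup script that sets the kill bit for a list of CLSIDs, or clears it again with -Remove in the spirit of the -k/-r switches above, while preserving any other Compatibility Flags bits already present, then reads each value back and logs the result machine-wide instead of to the user's C:\ root. It assumes PowerShell is present on the targets, that it runs as a Group Policy computer startup script (so it has HKLM write access without the users being admins), and it seeds the CLSID list with only the one CLSID quoted in the thread; the remaining identifiers come from the Microsoft advisory.

```powershell
# Added example, not part of the original thread. Assumes: run as a GPO
# computer startup script (SYSTEM), PowerShell available on the host.
param(
    # Constructed default: only the CLSID quoted in the thread; pass the full
    # list from the Microsoft advisory via -Clsid in a real deployment.
    [string[]]$Clsid = @('{011B3619-FE63-4814-8A84-15A194CE9CE3}'),
    [switch]$Remove   # clear the bit instead of setting it (like slayocx -r)
)

$KillBit = 0x400   # "Compatibility Flags" bit that stops IE loading the control
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$LogFile = Join-Path $env:SystemRoot 'Temp\KillBit.log'   # machine-wide log

function Set-KillBit {
    param([string]$Id, [bool]$Clear)
    $key = Join-Path $Base $Id
    if (-not (Test-Path $key)) {
        if ($Clear) { return 'not found' }      # nothing to undo
        New-Item -Path $key -Force | Out-Null
    }
    # Read the existing flags so bits other than 0x400 are preserved; a plain
    # .reg import of dword:00000400 would overwrite them.
    $current = 0
    $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($prop) { $current = [int]$prop.'Compatibility Flags' }
    $new = if ($Clear) { $current -band (-bnot $KillBit) } else { $current -bor $KillBit }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord

    # Verify by reading back, as the thread suggests doing with reg query
    $check = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    $ok = if ($Clear) { ($check -band $KillBit) -eq 0 } else { ($check -band $KillBit) -ne 0 }
    if ($ok) { 'success' } else { 'failure' }
}

foreach ($id in $Clsid) {
    $result = Set-KillBit -Id $id -Clear:$Remove.IsPresent
    $action = if ($Remove) { 'clear' } else { 'set' }
    "$(Get-Date -Format s) $env:COMPUTERNAME $action $id $result" | Add-Content -Path $LogFile
}
```

Running it once more with -Remove restores the previous flags for each CLSID that was found, which gives the same simple undo path the thread values in slayocx.vbs.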