Also, the FixIt works under Vista when run interactively.

 

From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Wednesday, July 08, 2009 12:07 PM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

 

My mistake, I actually did the testing under XP, and David Lum just
confirmed in a separate post it doesn't work under XP.

 

Carl

 

From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Wednesday, July 08, 2009 11:50 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

 

FixIt was only for XP and 2003 machines, not Vista, or did you not read all
the way to the bottom of the article?  It is possible I missed something
though.

 

Jon

On Wed, Jul 8, 2009 at 11:13 AM, Carl Houseman <c.house...@gmail.com> wrote:

It appears that's what we're left to do on our own.  Not sure why MS
couldn't just provide us the .reg file ready-to-use, or for that matter a
.msi file that works with GP.  I tried assigning the msfixit .msi in a group
policy, but it didn't install (on Vista anyway; didn't test w/XP after that;
it worked under Vista when run interactively).

My other idea, a custom .adm file to push the settings out, fell flat
because a single policy can't affect multiple reg keys with a single
enable/disable choice.  If I'm wrong about that I'd love to hear how it's
done.

Carl


-----Original Message-----
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Wednesday, July 08, 2009 10:57 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

Question,

According to the Microsoft article it looks like you need to add a whole
lot of CLSIDs that need the kill bit set. Is this what everyone else is
doing? So basically adding each one of these CLSIDs to a .reg file and then
scheduling a .bat file to be run at computer startup like the following?

(Call it MSVideoFix.bat)
:BATFILE
@echo off
rem Silent import. %~dp0 is the folder the .bat was launched from, so the .reg
rem can sit next to it on the share and the path still resolves from a startup script.
regedit /s "%~dp0MSActiveXVideoFix.reg"

:MsActiveXVideoFix.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
"Compatibility Flags"=dword:00000400

etc. etc. (down the list of CLSIDs below, one [key] block per CLSID; the key
path has to stay on a single line in the .reg file)

Then set a Group Policy with the computer startup script at the root of your
domain, and let it rip (so servers, workstations, etc. all get the fix). You
can try it at a small OU level first and reg query the registry after the
system is booted to verify that it is working.

The following Class Identifiers relate to Microsoft Video ActiveX Control:

Class Identifier
{011B3619-FE63-4814-8A84-15A194CE9CE3}
{0149EEDF-D08F-4142-8D73-D23903D21E90}
{0369B4E5-45B6-11D3-B650-00C04F79498E}
{0369B4E6-45B6-11D3-B650-00C04F79498E}
{055CB2D7-2969-45CD-914B-76890722F112}
{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}
{15D6504A-5494-499C-886C-973C9E53B9F1}
{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}
{1C15D484-911D-11D2-B632-00C04F79498E}
{1DF7D126-4050-47F0-A7CF-4C4CA9241333}
{2C63E4EB-4CEA-41B8-919C-E947EA19A77C}
{334125C0-77E5-11D3-B653-00C04F79498E}
{37B0353C-A4C8-11D2-B634-00C04F79498E}
{37B03543-A4C8-11D2-B634-00C04F79498E}
{37B03544-A4C8-11D2-B634-00C04F79498E}
{418008F3-CF67-4668-9628-10DC52BE1D08}
{4A5869CF-929D-4040-AE03-FCAFC5B9CD42}
{577FAA18-4518-445E-8F70-1473F8CF4BA4}
{59DC47A8-116C-11D3-9D8E-00C04F72D980}
{7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}
{823535A0-0318-11D3-9D8E-00C04F72D980}
{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}
{8A674B4C-1F63-11D3-B64C-00C04F79498E}
{8A674B4D-1F63-11D3-B64C-00C04F79498E}
{9CD64701-BDF3-4D14-8E03-F12983D86664}
{9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}
{A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}
{A2E3074E-6C3D-11D3-B653-00C04F79498E}
{A2E30750-6C3D-11D3-B653-00C04F79498E}
{A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}
{AD8E510D-217F-409B-8076-29C5E73B98E8}
{B0EDF163-910A-11D2-B632-00C04F79498E}
{B64016F3-C9A2-4066-96F0-BD9563314726}
{BB530C63-D9DF-4B49-9439-63453962E598}
{C531D9FD-9685-4028-8B68-6E1232079F1E}
{C5702CCC-9B79-11D3-B654-00C04F79498E}
{C5702CCD-9B79-11D3-B654-00C04F79498E}
{C5702CCE-9B79-11D3-B654-00C04F79498E}
{C5702CCF-9B79-11D3-B654-00C04F79498E}
{C5702CD0-9B79-11D3-B654-00C04F79498E}
{C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}
{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}
{D02AAC50-027E-11D3-9D8E-00C04F72D980}
{F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}
{FA7C375B-66A7-4280-879D-FD459C84BB02}


Note: The Class Identifiers and corresponding files where the ActiveX objects
are contained are documented in the table above. Replace
{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} below with the Class Identifier found
in this table.

To set the kill bit for a CLSID with a value of
{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, paste the following text in a text
editor such as Notepad. Then, save the file by using the .reg file name
extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}]
"Compatibility Flags"=dword:00000400

You can apply this .reg file to individual systems by double-clicking it.
You can also apply it across domains by using Group Policy. For more
information about Group Policy, visit the following Microsoft Web sites:


Please advise, going to be undertaking this shortly, and don't want to screw
it up.

Z


Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
ezi...@lifespan.org
Phone:401-639-3505
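As an added example (not code from the thread, and not what the Microsoft Fix it package does), here is the procedure above done from PowerShell: it sets the kill bit on each listed CLSID, verifies it the way the "reg query" check after boot would, and can also write the .reg file for the regedit /s startup-script approach so the file does not have to be built by hand with search and replace. The function names (Set-KillBit, Test-KillBit, New-KillBitRegFile) and the %TEMP% output path are my own choices. It assumes an elevated PowerShell session on the target box and that, on 64-bit Windows, 32-bit IE reads the Wow6432Node copy of the ActiveX Compatibility key. Only the first three CLSIDs from the list above are included; paste in the rest.

```powershell
# Added example, not from the thread or from Microsoft's Fix it package.
# Assumes an elevated PowerShell 2.0+ session on the target machine (HKLM writes).
# Kill bit = bit 0x400 of "Compatibility Flags" under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}

$KillBit = 0x400

# First three CLSIDs from the advisory list in the post above; paste the rest in here.
$Clsids = @(
    '{011B3619-FE63-4814-8A84-15A194CE9CE3}',
    '{0149EEDF-D08F-4142-8D73-D23903D21E90}',
    '{0369B4E5-45B6-11D3-B650-00C04F79498E}'
)

# On 64-bit Windows the 32-bit IE reads the Wow6432Node view of the key
# (assumption stated in the lead-in), so both views are written there.
$BasePaths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([IntPtr]::Size -eq 8) {
    $BasePaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-KillBit {
    param([string]$KeyPath)
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $flags = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { $flags = 0 }
    # OR the bit in rather than overwrite: a .reg import of dword:00000400
    # replaces the whole value and drops any other compatibility flags set there.
    Set-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -Value ($flags -bor $KillBit) -Type DWord
}

function Test-KillBit {
    param([string]$KeyPath)
    $flags = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

# Writes a .reg file (one [key] block per CLSID, key path on a single line) for
# pushing with "regedit /s" from a startup script instead of running this everywhere.
function New-KillBitRegFile {
    param([string]$Path)
    $hives = @('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
               'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility')
    $lines = @('Windows Registry Editor Version 5.00', '')
    foreach ($hive in $hives) {
        foreach ($clsid in $Clsids) {
            $lines += "[$hive\$clsid]"
            $lines += '"Compatibility Flags"=dword:00000400'
            $lines += ''
        }
    }
    # Version 5.00 .reg files are UTF-16LE; -Encoding Unicode writes exactly that.
    Set-Content -Path $Path -Value ($lines -join "`r`n") -Encoding Unicode
}

# Apply, then verify each key (the equivalent of the "reg query" check after reboot).
$missing = @()
foreach ($base in $BasePaths) {
    foreach ($clsid in $Clsids) {
        $key = "$base\$clsid"
        Set-KillBit -KeyPath $key
        if (Test-KillBit -KeyPath $key) {
            Write-Output "OK      $key"
        } else {
            Write-Output "MISSING $key"
            $missing += $key
        }
    }
}

New-KillBitRegFile -Path (Join-Path $env:TEMP 'MSActiveXVideoFix.reg')
if ($missing.Count -gt 0) { exit 1 }
```

Two things worth knowing before pushing this out: the generated .reg file, like the one in the Microsoft article, overwrites "Compatibility Flags" with 0x400, whereas Set-KillBit ORs the bit into whatever is already there, so prefer the script on machines where other compatibility flags may be set for these CLSIDs. The .reg also writes the Wow6432Node keys unconditionally; on 32-bit Windows that just creates an unused key, which is harmless. A non-zero exit code from the script is what a startup-script or SMS job can key on to flag machines where the kill bit did not land.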
-----Original Message-----

From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Wednesday, July 08, 2009 10:48 AM
To: NT System Admin Issues

Subject: Re: New IE zero day exploit in the wild

Yes, unfortunately, all our users are admins. It sucks, but I use it
to my advantage when I can.

The reason we've not done a GP is because we haven't had the luxury of
studying to understand them. Our plates always seem to be full with
other things.

On Tue, Jul 7, 2009 at 19:04, Ken Schaefer<k...@adopenstatic.com> wrote:
> Are all your users admins? Otherwise, how is that logon script going to
> update HKLM?
>
> A machine-based startup script would be a better idea, no?
>
> Cheers
> Ken
>
> ________________________________________
> From: Kurt Buff [kurt.b...@gmail.com]

> Sent: Wednesday, 8 July 2009 2:41 AM

> To: NT System Admin Issues

> Subject: Re: New IE zero day exploit in the wild
>
> I'm just pushing out the .reg file in the login script:
>
>     regedit /s \\fileserver\public\patches\videokillbits.reg
>
> The file was easy to create, in a capable editor (not notepad or
> wordpad) that allows metacharacter search and replace, such as '\n'
> for CRLF and '\t' for tab. I used the ancient, no-longer-supported
> PFE32. I really should switch to VIM, I suppose.
>
> On Tue, Jul 7, 2009 at 08:40, Eric
> Wittersheim<eric.wittersh...@gmail.com> wrote:
>> I'm pushing out the .reg via GP.  So far so good.
>>
>> On Tue, Jul 7, 2009 at 10:38 AM, David Lum <david....@nwea.org> wrote:
>>>
>>> The "Microsoft fix-it" is an MSI that I am pushing via SMS and is pushing
>>> fine (so far just a few test cases have it, but no issues). Beats trying to
>>> push out a .REG or something...
>>>
>>>
>>>

>>> David Lum // SYSTEMS ENGINEER
>>> NORTHWEST EVALUATION ASSOCIATION
>>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>>>

> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
>
