Author Topic:  ActiveX Kill Bit Can Be Bypassed - MS05-054
Wiz Feinberg


From:
Mid-Michigan, USA
Post  Posted 30 Jan 2006 12:13 pm    

This is a vulnerability alert from the SANS Institute, published today - 1/30/06.

Subject: ActiveX Kill Bit Can Be Bypassed



A kill bit is a registry setting that prevents Internet Explorer from running the corresponding ActiveX control even if the control is installed on the system. It is not uncommon to proactively set kill bits for known malicious ActiveX controls as part of a spyware-prevention effort. For example, the SpywareGuide website provides a freely downloadable .REG file for setting kill bits of many "dubious" ActiveX controls.

The VU#998297 vulnerability demonstrates the limitation of relying on kill bits as the sole mechanism for protection against malicious ActiveX controls.

The US-CERT article implies that this vulnerability was fixed by the MS05-054 patch, which was released in December 2005. Strangely, Microsoft's MS05-054 advisory did not mention any bugs related to kill bits. Perhaps the kill bit flaw is a specific problem related to the COM Object Instantiation Memory Corruption Vulnerability (CAN-2005-2831), which was covered in MS05-054. Strangely, US-CERT lists a different CVE number (CVE-2006-0057) when discussing the kill bit problem.

So, as far as I can tell, you can address the kill bit vulnerability by installing Microsoft's MS05-054 patch, though I am not quite sure of that.

Update: The MS05-054 bulletin contains the following phrase, which reinforces the theory that this patch addresses the kill bit vulnerability: "This cumulative security update also includes the checks that were introduced in Microsoft Security Bulletin MS05-052 before a COM object is allowed to run in Internet Explorer. The intent of this change is to prevent COM objects that were not designed to be instantiated in Internet Explorer from being instantiated in Internet Explorer."

Source: http://isc.sans.org/diary.php?storyid=1078


Hopefully, all of our members have already applied the December and January Critical Patches from Microsoft. If you have not done so, your computers are seriously vulnerable to numerous attack vectors.


Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability.

Note that disabling ActiveX controls in the Internet Zone will reduce the functionality of some web sites.

Alternately, use another browser like Firefox or Opera, which do not recognize ActiveX at all.


You can read about most of the current security and virus advisories on my own security alerts page, in the RSS newsfeeds section of the page.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage

[This message was edited by Wiz Feinberg on 30 January 2006 at 09:35 PM.]
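
The post above describes kill bits as registry settings that are often distributed in .REG files. As an added example (not part of the original post or the SANS diary), this Python sketch audits a .REG file before import and reports, per CLSID, whether it sets the kill bit, leaves it unset, or removes it. The registry path and the 0x400 flag value come from Microsoft's kill-bit documentation rather than from this page; the function name, the sample file and its placeholder CLSIDs are constructed for illustration.

```python
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that stops IE loading the control
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KEY_RE = re.compile(r"^\[(-?)" + re.escape(BASE) + r"\\(\{[0-9A-Fa-f-]{36}\})\]$", re.I)
VAL_RE = re.compile(r'^"Compatibility Flags"\s*=\s*(-|dword:([0-9A-Fa-f]{1,8}))$', re.I)

def audit_reg(text):
    """Map each CLSID in decoded .REG text to 'set', 'not set' or 'removed'."""
    result, clsid = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            m = KEY_RE.match(line)
            clsid = m.group(2).upper() if m else None
            if m and m.group(1):          # "[-HKEY...]" deletes the whole key
                result[clsid] = "removed"
                clsid = None
            elif m:
                result.setdefault(clsid, "not set")
            continue
        m = VAL_RE.match(line)
        if m and clsid:
            if m.group(1) == "-":         # "name"=- deletes the value
                result[clsid] = "removed"
            else:
                flags = int(m.group(2), 16)
                result[clsid] = "set" if flags & KILL_BIT else "not set"
    return result

# Constructed sample with placeholder CLSIDs (not real controls).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000a}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000B}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000C}]
"Compatibility Flags"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000D}]
"""

if __name__ == "__main__":
    for clsid, state in audit_reg(SAMPLE_REG).items():
        print(clsid, state)
```

A "set" result only describes the registry state; as the advisory quoted above notes, the kill bit alone is not sufficient protection, so patch status has to be verified separately.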


Wiz Feinberg


From:
Mid-Michigan, USA
Post  Posted 1 Feb 2006 12:07 pm    

Microsoft has updated security bulletin MS05-054 to shed more light on the Kill-Bit changes that were introduced by this patch, and to reflect the fact that this is regarded as a Critical vulnerability in Older Operating Systems like Windows 98 and ME. It announces that patches are now available for Windows 98 and ME users, at Windows Update. This update also Kills the functionality of the original Sony/BMG ActiveX Uninstaller, which could leave a computer wide open to exploitation due to bad design of that control.

If you want to read these details (they are quite technical) they are here: http://www.microsoft.com/technet/security/bulletin/MS05-054.mspx under the Frequently Asked Questions heading.

Anybody who hasn't visited Windows Update in the last 30 days is strongly advised to do so, ASAP.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage