# CRITICAL: Workaround for WebView ActiveX vulnerability until the patch is issued



## Zazula (Apr 27, 2006)

*Vulnerability in Windows Shell Could Allow Remote Code Execution*

Microsoft Security Advisory (926043)

*Affected operating systems:*
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 for Itanium-based Systems, Microsoft Windows Server 2003 with SP1 for Itanium-based Systems, and Microsoft Windows Server 2003 x64 Edition

Scheduled date for the patch being issued: *Oct. 10, 2006*

Interim workaround: Three (3) actions described in MS advisory linked above.


----------



## chauffeur2 (Feb 7, 2006)

Thanks for that Zazula!!
You're better than Microsoft® themselves!!


----------



## Cellus (Aug 31, 2006)

Nah, he just receives Microsoft Security Notification Bulletins. :grin:

However I must admit that few sign up for the bulletins, so these posts are excellent.


----------



## Zazula (Apr 27, 2006)

I changed this thread's classification in the title from "Important" to "Critical", because Microsoft announced today that, contrary to the initial assessments, Web sites that attempt to use this vulnerability to perform limited attacks have been eventually discovered.
http://www.microsoft.com/technet/security/advisory/926043.mspx


----------



## fredmh (May 2, 2006)

*Attacks prompt third parties to fix flaw, Microsoft Under Attack Once Again...*

Found in another forum:


Attacks targeting the latest flaw in Microsoft's operating system have convinced two groups to release temporary fixes to protect users while the software giant develops its own patch.

The attacks attempt to exploit the Windows Shell vulnerability acknowledged by Microsoft last week, according to the SANS' Internet Storm Center, which raised its alert level to Yellow after the organization's handlers received reports of a significant number of attacks.

Two groups have published software tools to protect against attacks that attempt to exploit the Windows Shell vulnerability. Security professionals who previously formed the Zeroday Emergency Response Team (ZERT) published on Saturday an update for a custom security tool aimed at protecting users temporarily from the attacks. Security firm Determina has also developed a software patch that will protect users against the attacks.

The ISC does not recommend installing the third-party patches, but instead suggests that users keep their antivirus updated, set the "kill bits" for the ActiveX controls that are currently being exploited by attackers to get access to the flawed Windows Shell, or switch to a different browser, such as Opera's eponymous browser or Mozilla's Firefox.

Microsoft tells users how to set the kill bits in its security advisory for the issue.

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

One Temp Fix listed below:


Temporarily prevent the Microsoft WebViewFolderIcon ActiveX control from running in Internet Explorer

You can disable attempts to instantiate this ActiveX control in Internet Explorer by setting the kill bit for the control in the registry.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer.

To set the kill bit for a CLSID with a value of {e5df9d10-3b52-11d1-83e8-00a0c90dc849}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400
```

You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

Another Temp Fix Listed Below:


You can help protect against this vulnerability by changing your Internet Explorer settings to prompt before running ActiveX controls. To do this, follow these steps:

1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.

Note After you set Internet Explorer to require a prompt before it runs ActiveX controls and/or Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To do this, follow these steps:

1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet Explorer.

Note Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are "*.windowsupdate.microsoft.com" and "*.update.microsoft.com" (without the quotation marks). These are the sites that will host the update, and it requires an ActiveX Control to install the update.

Impact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".


Third Work Around

You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.

To raise the browsing security level in Microsoft Internet Explorer, follow these steps:

1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

Note If no slider is visible, click Default Level, and then move the slider to High.

Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

Note After you set Internet Explorer to require a prompt before it runs ActiveX controls and/or Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To do this, follow these steps:

1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet Explorer.

Note Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are "*.windowsupdate.microsoft.com" and "*.update.microsoft.com" (without the quotation marks). These are the sites that will host the update, and it requires an ActiveX Control to install the update.

Impact of Workaround: There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".


----------
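
An added example (not part of the thread or of Microsoft's advisory): a small audit that reads the text of a `.reg` export of the ActiveX Compatibility key and reports whether the kill bit from the post above is actually set for both CLSIDs. The function names and the sample export are constructed for illustration; the input is assumed to be already decoded to text.

```python
import re

# Kill-bit value and CLSIDs come from the .reg file in the post above.
KILL_BIT = 0x00000400
REQUIRED = ("{e5df9d10-3b52-11d1-83e8-00a0c90dc849}",
            "{844F4806-E8A8-11d2-9652-00C04FC30871}")
BASE_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
            r"\ActiveX Compatibility").lower()
SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{1,8})$', re.I)

def parse_compat_flags(reg_text):
    """Map lower-cased CLSID -> Compatibility Flags dword found in .reg text."""
    flags, clsid = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            parent, _, leaf = section.group(1).rpartition("\\")
            # Only subkeys directly under ActiveX Compatibility are relevant.
            clsid = leaf.lower() if parent.lower() == BASE_KEY else None
        elif clsid and DWORD_RE.match(line):
            flags[clsid] = int(DWORD_RE.match(line).group(1), 16)
    return flags

def audit_kill_bits(reg_text, required=REQUIRED):
    """Return {clsid: 'ok' | 'not set' | 'missing'} for each required CLSID."""
    flags = parse_compat_flags(reg_text)
    report = {}
    for clsid in required:
        value = flags.get(clsid.lower())
        if value is None:
            report[clsid] = "missing"
        elif value & KILL_BIT:  # test the bit: other flags may also be set
            report[clsid] = "ok"
        else:
            report[clsid] = "not set"
    return report

# Constructed sample export: extra flag on the first control, no kill bit on the second.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}]
"Compatibility Flags"=dword:00000401

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000000
"""
```

The check masks the value with 0x400 instead of comparing for equality, so a control that already carries other compatibility flags is still reported correctly.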



## Zazula (Apr 27, 2006)

Great input, fredmh! :3-thumbup


----------

