ISC reader Juha-Matti Laurio pointed out a new vulnerability note VU#998297, published by US-CERT on January 26, 2006, which states that a malicious website can bypass an ActiveX kill bit by taking advantage of a bug in Internet Explorer.
A kill bit is a registry setting that prevents Internet Explorer from running the corresponding ActiveX control even if the control is installed on the system. It is not uncommon to proactively set kill bits for known malicious ActiveX controls as part of a spyware-prevention effort. For example, the SpywareGuide website provides a freely downloadable .REG file for setting kill bits of many "dubious" ActiveX controls.
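To make the registry setting concrete, here is an added example (not part of the original diary, and not SpywareGuide's file) that audits the text of a kill-bit .REG file and reports which CLSIDs actually have the kill bit set. It relies on the location Microsoft documents for kill bits, the `Compatibility Flags` DWORD with bit 0x400 under the `ActiveX Compatibility` key; the function name and the CLSIDs in the sample are constructed placeholders.

```python
import re

# Kill bits live under this key, one subkey per control CLSID (assumed: documented IE location).
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400  # the bit within the "Compatibility Flags" DWORD

SECTION_RE = re.compile(r"^\[(-?)(.+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"\s*=\s*dword:([0-9a-f]{1,8})$', re.I)
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def audit_reg_text(text):
    """Map each CLSID in already-decoded .REG text to True if its kill bit is set."""
    result, clsid = {}, None
    prefix = COMPAT_KEY.lower() + "\\"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or .REG comment
        m = SECTION_RE.match(line)
        if m:
            deleted, key = m.groups()
            clsid = None  # a new section ends the previous control's values
            name = key[len(prefix):] if key.lower().startswith(prefix) else ""
            if CLSID_RE.match(name):
                if deleted:
                    result[name.upper()] = False  # "[-key]" deletes the entry
                else:
                    clsid = name.upper()
                    result.setdefault(clsid, False)
            continue
        m = FLAGS_RE.match(line)
        if m and clsid:
            result[clsid] = bool(int(m.group(1), 16) & KILL_BIT)
    return result

# Constructed sample with placeholder CLSIDs; only the first and third set the kill bit.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00800400
'''
```

An entry that is present but lacks bit 0x400, like the second one in the sample, does not block the control, so checking the flag value matters more than checking that the key exists.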
The VU#998297 vulnerability demonstrates the limitation of relying on kill bits as the sole mechanism for protection against malicious ActiveX controls.
The US-CERT article implies that this vulnerability was fixed by the MS05-054 patch, which was released in December 2005. Strangely, Microsoft's MS05-054 advisory did not mention any bugs related to kill bits. Perhaps the kill bit flaw is a specific problem related to the COM Object Instantiation Memory Corruption Vulnerability (CAN-2005-2831), which was covered in MS05-054. Equally strangely, US-CERT lists a different CVE number (CVE-2006-0057) when discussing the kill bit problem.
So, as far as I can tell, you can address the kill bit vulnerability by installing Microsoft's MS05-054 patch, though I am not quite sure of that.
ISC Handler on Duty
Jan 28th 2006