Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: GUI Killbit App Available SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
GUI Killbit App Available

I've put together a GUI killbit app that should easily allow you to set and clear the killbits for the ActiveX issues announced today.  It works like this:

  1. It first checks to see if any of the CLSIDs exist on your system
  2. If they do, it saves a copy of any values that you currently have set for "Compatibility Flags."
  3. It then updates its display to show you if the CLSID exists and if the killbit flag is set.
  4. To set the killbit, just check the box beside any ActiveX control that you want to keep from running and then click on the "Set" button.
  5. Our suggestion: set the killbit on all of the ActiveX control unless you have a really good reason for not setting it.  Set the killbit even if you don't currently have the CLSID on your machine (indicating that the ActiveX control isn't currently installed... you never know when they MIGHT get installed...)
  6. Keep a copy of this program around (or at least remember where you got it) in case you want to undo the settings.
  7. Unchecking a checked box and clicking on "Set" will either remove the CLSID completely (if it wasn't there to begin with) or will reset "Compatibility Flags" to its original value.

The GUI version can be downloaded here.
(KillBitGui-Feb08.exe - 4096 bytes - MD5: 078ea6941a9ffab66d9db98ef49f8e1c)

I'll try to put together a command-line version of this program this evening and make it available here tomorrow (U.S. time...).

Tom Liston - Senior Security Consultant - Intelguardians


160 Posts
Feb 5th 2008

Sign Up for Free or Log In to start participating in the conversation!