Microsoft Internet Explorer does not honor ActiveX kill bit

Overview

Internet Explorer fails to properly check the kill bit for ActiveX controls, which may allow a remote attacker to execute arbitrary code on a vulnerable system.

Description

Microsoft COM

Microsoft COM is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Microsoft COM includes COM+, Distributed COM (DCOM), and ActiveX Controls.

ActiveX controls

ActiveX controls are COM objects that are designed to be used in Internet Explorer. A web page can make use of an ActiveX control through several means, such as by using an OBJECT tag.

Kill bit

If a security flaw is discovered in an ActiveX control, the control may be disabled in Internet Explorer. This is accomplished by setting the “kill bit” for the control, as described in Microsoft Knowledge Base article 240797. Before instantiating an ActiveX control, Internet Explorer will check the value of the Compatibility Flags registry entry. If the value is DWORD 00000400, Internet Explorer will not use the control.

The problem

A specially crafted HTML document can cause Internet Explorer to skip the kill bit check. This means that any ActiveX control that has been disabled solely through use of the kill bit may still be used by Internet Explorer.

Note that this vulnerability is unrelated to VU#959049 - Multiple COM objects cause memory corruption in Microsoft Internet Explorer.

---

Impact

Depending on which control an attacker uses, the impact will vary. By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker could execute arbitrary code with the privileges of the user (e.g., VU#29795, VU#939605). An attacker may also be able to create or edit arbitrary files (e.g., VU#9162, VU#23412), access local configuration data (e.g. VU#1673), or take other actions.

---

Solution

Apply an update
Install the 905915 update (MS05-054) or a more recent Internet Explorer cumulative security update. The MS05-054 update improves the way that Internet Explorer checks the kill bit.

---

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Instructions for disabling ActiveX in the Internet Zone can be found in the document Securing Your Web Browser and the Malicious Web Scripts FAQ.

Note that disabling ActiveX controls in the Internet Zone will reduce the functionality of some web sites.

Use a different web browser

There are a number of significant vulnerabilities in technologies involving the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.

It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).

---

Vendor Information

998297

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Notified: June 27, 2005 Updated: January 26, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Install the 905915 update (MS05-054) or a more recent Internet Explorer cumulative security update.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23998297 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx&gt;
• <http://support.microsoft.com/kb/240797&gt;
• <http://www.securityfocus.com/bid/16409&gt;

Acknowledgements

This vulnerability was reported by Will Dormann

This document was written by Will Dormann.

Other Information

CVE IDs:	CVE-2006-0057
Severity Metric:	38.76 Date Public: