Security Settings for ActiveX controls and OLE objects in Office 2003 and in the 2007 Office suite

ID KB2252664
Type mskb
Reporter Microsoft
Modified 2010-08-12T17:06:31


<html><body><p>Lets users control if and how ActiveX controls and OLE objects load by using an Office kill-bit list.</p><div class="kb-notice-section section"><span><span class="text-base">Important</span> This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.</span></div><h2>INTRODUCTION</h2><div class="kb-moreinformation-section section">This article contains pre-release documentation and is subject to change in future releases. <br/><br/>This security update lets users control if and how ActiveX controls and OLE objects load with a Microsoft Office kill-bit list. For more information about the Windows Internet Explorer kill-bit behavior that this feature is based on, including how to set AlternateCLSIDs that allow updated ActiveX controls to load, see <a href="" id="kb-link-1" target="self">How to stop an ActiveX control from running in Internet Explorer</a>.<br/><br/>The following advisory article discusses vulnerabilities in the Active Template Library (ATL) that could allow remote code execution. <br/><div class="indent"><a href="" id="kb-link-2">973882 </a> Microsoft Security Advisory: Vulnerabilities in Microsoft Active Template Library (ATL) could allow remote code execution </div><br/>All the features in the advisory article can be used to help reduce these ATL vulnerabilities. Additionally, specific ATL mitigations are discussed in this security update.<br/><br/>This security update applies to Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Publisher, and Microsoft Visio. 
<h3 class="sbody-h3">Office COM Kill Bit</h3>You can also use the Office COM kill bit that was introduced in the security update in MS10-036 to prevent specific COM objects from running within Office applications. These specific COM objects include ActiveX controls and OLE objects. Now, through the registry, you can independently control which ActiveX and OLE objects are blocked from running when you use Office.<br/><br/><span class="text-base">Important notes</span><ul class="sbody-free_list"><li>If the Office COM Kill Bit is set in the registry for an OLE object, the object is not loaded, and the object cannot be loaded in any circumstance.</li><li>In Office 2007, users receive the following error message: <br/><div class="sbody-error"><br/>References to external linked OLE files have been blocked. <br/></div></li><li>In Office 2003, users receive the following error message:<br/><div class="sbody-error">Attempt to create a class object failed. Access Denied.<br/></div><br/></li></ul><br/>To determine which CLSID is failing to load, use the <a href="" id="kb-link-3" target="_self">Process Monitor</a> from TechNet. Look for the Internet Explorer kill-bit setting in the Process Monitor log file. <div class="indent"><strong class="sbody-strong">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\&lt;CLSID&gt;</strong></div><br/><span class="text-base">Note</span> We do not recommend that you remove the kill bit that is set for a COM object. If you do this, you might create security vulnerabilities. The kill bit is typically set for a reason that might be critical, and because of this, extreme care must be used when you unkill an ActiveX control. <br/><br/>You can add an AlternateCLSID (also known as a “Phoenix bit”) when you have to relate the CLSID of a new ActiveX control (and this ActiveX control was modified to reduce the security threat), to the CLSID of the ActiveX control to which the Office COM kill bit was applied. 
Office supports the AlternateCLSID only when ActiveX control COM objects are used. <br/><br/><span class="text-base">Note </span>The kill-bit list for Office takes precedence over the kill-bit list for Internet Explorer. For example, the Office COM kill bit and Internet Explorer ActiveX kill bit may be set for the same ActiveX control. But the AlternateCLSID is only set on the list for Internet Explorer. In this scenario, there is a conflict between the two settings. In such instances, the Office COM kill-bit settings take precedence, and the control is not loaded.<h3 class="sbody-h3">Setting the Office COM Kill Bit</h3><span><span class="text-base">Important</span> This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: <div class="indent"><a href="" id="kb-link-4">322756 </a>How to back up and restore the registry in Windows </div></span>The location for setting the Office COM kill bit in the registry is as follows: <br/><div class="indent">HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Common\COM Compatibility\{<span class="sbody-italic">CLSID</span>}</div>In this case, <strong class="sbody-strong">CLSID </strong>is the class identifier of the COM object. To enable the Office COM kill bit, you have to add the registry subkey together with the CLSID of the ActiveX control or OLE object that you want to block from loading. Also, you have to set the Compatibility Flags REG_DWORD value to 0x00000400. 
<br/><br/>For example, to set the Office COM kill bit for an object that has CLSID {77061A9C-2F18-4f38-B294-F6BCC8443D24}, locate the following subkey, and add REG_SZ {77061A9C-2F18-4f38-B294-F6BCC8443D24} to the subkey: <div class="indent"><strong class="sbody-strong"> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility</strong></div>In this case, the path is as follows: <div class="indent"><strong class="sbody-strong">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{77061A9C-2F18-4f38-B294-F6BCC8443D24}<br/></strong></div>When you add a subkey that contains the value of 0x00000400 to the {CLSID} key, the Office COM kill bit is set. The 64-bit and 32-bit objects and their kill bits are located in different registry locations. <br/><br/> For more information, visit the following Microsoft webpage to see the Kill-Bit FAQ: <br/><br/><div class="indent"><a href="" id="kb-link-5" target="_self">The Kill-Bit FAQ: Part 1 of 3</a></div><h3 class="sbody-h3">How to override the Internet Explorer kill-bit list for OLE objects</h3>The Override IE kill-bit list option lets you specifically list which OLE objects on the Internet Explorer kill-bit list are permitted to be loaded within Office. Use the Override IE kill-bit list only if you know that the OLE object is safe to load in Office. Be aware that when Office checks the Override IE kill-bit list setting, Office also checks whether the Office COM kill bit is enabled. If the Office COM kill bit is enabled, the OLE object is not loaded. <br/><br/>To enable the Override IE kill-bit list option, you must correctly categorize the OLE object. In the registry, if the subkey does not already exist, add a subkey that is called Implemented Categories to the CLSID of the COM object. Then, add a subkey that contains the Category ID (CATID) for OLE objects, {F3E0281E-C257-444E-87E7-F3DC29B62BBD}, to the Implemented Categories key. 
<br/><br/>For example, Internet Explorer may be set up to kill an OLE object, but you still want to use this object in Office. In this case, you must first look up the CLSID for that OLE object in the following location in the registry: <div class="indent"><strong class="sbody-strong">HKEY_CLASSES_ROOT\CLSID<br/></strong></div>For example, the CLSID for the Microsoft Graph Chart is {00020803-0000-0000-C000-000000000046}. Then, you must determine whether the key, Implemented Categories, already exists, or you must create the key if it does not exist. In this example, the path is as follows:<div class="indent"><strong class="sbody-strong">HKEY_CLASSES_ROOT\CLSID\{00020803-0000-0000-C000-000000000046}\Implemented Categories<br/></strong></div>Finally, add a new subkey for the CATID OLE object to the Implemented Categories key. The following is the path for this example:<div class="indent"><strong class="sbody-strong">HKEY_CLASSES_ROOT\CLSID\{00020803-0000-0000-C000-000000000046}\Implemented Categories\{F3E0281E-C257-444E-87E7-F3DC29B62BBD}<br/></strong></div><br/><span class="text-base">Note</span> The Category ID (CATID) for OLE objects is {F3E0281E-C257-444E-87E7-F3DC29B62BBD}, and the braces ( { } ) must be included. <h3 class="sbody-h3">How to disable ATL mitigations</h3>When the ATL mitigations are enabled, controls that use OleLoadFromStream are prevented from functioning and control information is lost. For example, VB6/Windows common controls are affected by this issue. <br/><br/><span class="text-base">Warning </span><span> This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. 
Use this workaround at your own risk.</span><br/><br/>We do not recommend that you disable the ATL mitigations unless it is absolutely necessary because these ATL mitigations cover a broad scope. If you disable the ATL mitigations, you might create security vulnerabilities. If you do disable the ATL mitigations, we recommend that you do not open Microsoft Office files that you receive from untrusted sources or that you unexpectedly receive from trusted sources. <br/><br/>To disable the mitigations that reference the ATL vulnerabilities, set the NoOLELoadFromStreamChecks REG_DWORD to a value of 00000001 in the following registry subkey:<br/><br/><div class="indent"><strong class="sbody-strong">HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security</strong></div><br/><span class="text-base">Note</span> If this registry subkey does not exist, you must create this registry subkey as a REG_DWORD type.<br/><br/><h3 class="sbody-h3">Disable scriptlet controls for Office applications</h3>After this security update is installed, you can disable scriptlets for Office applications without changing the Internet Explorer behavior.<br/><br/>To disable scriptlets for Office applications, set the Compatibility Flags REG_DWORD value to 00000400 in the following registry subkey:<br/><br/><div class="indent"><strong class="sbody-strong">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{AE24FDAE-03C6-11D1-8B76-0080C744F389}</strong></div><br/>The following is a list of other controls that you may want to consider putting onto the Office deny list:<br/><div class="table-responsive"><table class="sbody-table table"><tr class="sbody-tr"><th class="sbody-th">Control</th><th class="sbody-th">CLSID</th></tr><tr class="sbody-tr"><td class="sbody-td">Microsoft HTA Document 6.0</td><td class="sbody-td">{3050F5C8-98B5-11CF-BB82-00AA00BDCE0B}</td></tr>
<tr class="sbody-tr"><td class="sbody-td">htmlfile </td><td class="sbody-td">{25336920-03F9-11CF-8FD0-00AA00686F13}</td></tr><tr class="sbody-tr"><td class="sbody-td">htmlfile_FullWindowEmbed </td><td class="sbody-td">{25336921-03F9-11CF-8FD0-00AA00686F13}</td></tr><tr class="sbody-tr"><td class="sbody-td">mhtmlfile </td><td class="sbody-td">{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}</td></tr><tr class="sbody-tr"><td class="sbody-td">Web Browser Control </td><td class="sbody-td">{8856F961-340A-11D0-A96B-00C04FD705A2}</td></tr><tr class="sbody-tr"><td class="sbody-td">DHTMLEdit </td><td class="sbody-td">{2D360200-FFF5-11D1-8D03-00A0C959BC0A}</td></tr></table></div></div></body></html>
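
The Office COM kill-bit and ATL settings described in this article can be checked in one pass. The following PowerShell script is an added example, not part of the original article or of any Microsoft tooling; the `-Enforce` switch is hypothetical, and the WOW6432Node path used for 32-bit Office on 64-bit Windows is an assumption that the article does not state.

```powershell
# Added example (not from the article): audit, and with -Enforce set, the Office
# COM kill bit for the CLSIDs the article lists. Run from 64-bit PowerShell.
param([switch]$Enforce)   # hypothetical switch; writing under HKLM needs elevation

$KillBit  = 0x00000400
$FlagName = 'Compatibility Flags'
$Controls = [ordered]@{   # scriptlet CLSID plus the article's deny-list table
    'Scriptlet control'          = '{AE24FDAE-03C6-11D1-8B76-0080C744F389}'
    'Microsoft HTA Document 6.0' = '{3050F5C8-98B5-11CF-BB82-00AA00BDCE0B}'
    'htmlfile'                   = '{25336920-03F9-11CF-8FD0-00AA00686F13}'
    'htmlfile_FullWindowEmbed'   = '{25336921-03F9-11CF-8FD0-00AA00686F13}'
    'mhtmlfile'                  = '{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}'
    'Web Browser Control'        = '{8856F961-340A-11D0-A96B-00C04FD705A2}'
    'DHTMLEdit'                  = '{2D360200-FFF5-11D1-8D03-00A0C959BC0A}'
}
# The article says 32-bit and 64-bit kill bits live in different locations; the
# WOW6432Node path for 32-bit Office on 64-bit Windows is this example's assumption.
$Roots = @('HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\WOW6432Node') {
    $Roots += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility'
}

$report = foreach ($root in $Roots) {
    foreach ($name in $Controls.Keys) {
        $key   = "$root\$($Controls[$name])"
        $flags = (Get-ItemProperty -LiteralPath $key -Name $FlagName -ErrorAction SilentlyContinue).$FlagName
        $isSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        if (-not $isSet -and $Enforce) {
            # Create the {CLSID} subkey only if missing, then OR in the kill bit
            # so any other compatibility flags already present are preserved.
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -LiteralPath $key -Name $FlagName -PropertyType DWord `
                -Value (([int]$flags) -bor $KillBit) -Force | Out-Null
            $isSet = $true
        }
        [pscustomobject]@{ Control = $name; Key = $key; KillBitSet = $isSet }
    }
}
$report | Format-Table -AutoSize

# Flag the weakening described under "How to disable ATL mitigations".
$sec = 'HKCU:\Software\Microsoft\Office\Common\Security'
$atl = (Get-ItemProperty -LiteralPath $sec -Name NoOLELoadFromStreamChecks -ErrorAction SilentlyContinue).NoOLELoadFromStreamChecks
if ($atl -eq 1) { Write-Warning "ATL mitigations are disabled for this user: $sec" }
```

Without `-Enforce` the script only reads the registry, so it can run as a standard user to report which listed controls are still loadable in Office.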