So basically you are just uploading the reg file to the computer startup
script and the command you are invoking is regedit /s name_of_script?
I thought you needed to put a batch file in the computer startup script
area to get that to work.

 

Z

 

Edward Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +

[email protected]

Phone:401-639-3505
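An added PowerShell example (not from this thread, and not Microsoft's Fix-it) that builds the kill-bit .reg file in the same format Eric posted and then checks the flag on a client after the startup script has run it; it assumes the four CLSIDs from Eric's message and a placeholder output path.

```powershell
# Added example, not from the thread: generate the kill-bit .reg file in the
# format Eric posted, then verify the bit on a machine after "regedit /s" ran.
# The CLSIDs are the four from Eric's message; $OutFile is a placeholder path.
$KillBit = 0x400                         # FLAG_KILL_BIT in "Compatibility Flags"
$RegKey  = 'SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$OutFile = 'C:\Temp\videokillbits.reg'   # placeholder, adjust to your share/path

$Clsids = @(
    '{011B3619-FE63-4814-8A84-15A194CE9CE3}',
    '{0149EEDF-D08F-4142-8D73-D23903D21E90}',
    '{0369B4E5-45B6-11D3-B650-00C04F79498E}',
    '{0369B4E6-45B6-11D3-B650-00C04F79498E}'
)

function New-KillBitRegFile {
    param([string[]]$Clsid, [string]$Path)
    $lines = @('Windows Registry Editor Version 5.00', '')
    foreach ($id in $Clsid) {
        # Each key must sit on ONE line in the real file (mail wrapping splits it)
        $lines += "[HKEY_LOCAL_MACHINE\$RegKey\$id]"
        $lines += '"Compatibility Flags"=dword:00000400'
        $lines += ''
    }
    # regedit exports v5.00 files as UTF-16LE; write the same so "regedit /s" imports cleanly
    Set-Content -Path $Path -Value $lines -Encoding Unicode
}

function Test-KillBit {
    param([string[]]$Clsid)
    foreach ($id in $Clsid) {
        $flags = 0
        $item  = Get-ItemProperty -Path "HKLM:\$RegKey\$id" -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($item) { $flags = [int]$item.'Compatibility Flags' }
        # dword:00000400 in the .reg REPLACES the whole value, so verify with a
        # bit test rather than equality: a key that already carried other flags
        # still counts as killed as long as 0x400 is set.
        [pscustomobject]@{
            Clsid   = $id
            Flags   = '0x{0:X8}' -f $flags
            KillBit = (($flags -band $KillBit) -ne 0)
        }
    }
}

New-KillBitRegFile -Clsid $Clsids -Path $OutFile
# On a client, after the computer startup script has run "regedit /s" on the file:
Test-KillBit -Clsid $Clsids | Format-Table -AutoSize
```

Run Test-KillBit on a test-OU machine after reboot; any row with KillBit False means the startup script did not apply to that host.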

________________________________

From: Eric Wittersheim [mailto:[email protected]] 
Sent: Wednesday, July 08, 2009 11:03 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

 

I didn't create a batch file; I just created a reg file with all the
lines like below.  Then I created a new GP and applied it to the OU.  In
the GP I run the reg file in the computer startup script with the /s
argument.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0149EEDF-D08F-4142-8D73-D23903D21E90}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E5-45B6-11D3-B650-00C04F79498E}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E6-45B6-11D3-B650-00C04F79498E}]
"Compatibility Flags"=dword:00000400

On Wed, Jul 8, 2009 at 9:56 AM, Ziots, Edward <[email protected]>
wrote:

Question,

According to the Microsoft article it looks like you need to add a whole
lot of CLSIDs that need the kill bit set; is this what everyone else
is doing? So basically adding each one of these CLSIDs to a .reg file
and then scheduling a bat file to be run at the computer startup like
the following?

(Call it MSVideofit.bat)

MSVideofit.bat:
regedit /s MSactiveXVideoFix.reg

MSactiveXVideoFix.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
"Compatibility Flags"=dword:00000400

ETC ETC (down the list of CLSIDs below)

Then set a Group Policy with the computer startup script at the root of
your domain, and let it rip (so servers, workstations, etc. get the
fix). You can try it at a small OU level and reg query the registry
after the system is booted to verify that it is working.

The following Class Identifiers relate to Microsoft Video ActiveX
Control:

Class Identifier

Note: The Class Identifiers and corresponding files where the ActiveX
objects are contained are documented in the table above. Replace
{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} below with the Class Identifier
found in this table.

To set the kill bit for a CLSID with a value of
{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, paste the following text in a
text editor such as Notepad. Then, save the file by using the .reg file
name extension.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}]
"Compatibility Flags"=dword:00000400

You can apply this .reg file to individual systems by double-clicking
it. You can also apply it across domains by using Group Policy. For more
information about Group Policy, visit the following Microsoft Web sites:


Please advise, going to be undertaking this shortly, and don't want to
screw it up.


Z


Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
[email protected]
Phone:401-639-3505

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Wednesday, July 08, 2009 10:48 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

Yes, unfortunately, all our users are admins. It sucks, but I use it
to my advantage when I can.

The reason we've not done a GP is because we haven't had the luxury of
studying to understand them. Our plates always seem to be full with
other things.

On Tue, Jul 7, 2009 at 19:04, Ken Schaefer<[email protected]> wrote:
> Are all your users admins? Otherwise, how is that logon script going
> to update HKLM?
>
> Machine-based startup script would be better idea, no?
>
> Cheers
> Ken
>
> ________________________________________
> From: Kurt Buff [[email protected]]
> Sent: Wednesday, 8 July 2009 2:41 AM
> To: NT System Admin Issues
> Subject: Re: New IE zero day exploit in the wild
>
> I'm just pushing out the .reg file in the login script:
>
>     regedit /s \\fileserver\public\patches\videokillbits.reg
>
> The file was easy to create, in a capable editor (not notepad or
> wordpad) that allows metacharacter search and replace, such as '\n'
> for CRLF and '\t' for tab. I used the ancient, no-longer-supported
> PFE32. I really should switch to VIM, I suppose.
>
> On Tue, Jul 7, 2009 at 08:40, Eric
> Wittersheim<[email protected]> wrote:
>> I'm pushing out the .reg via GP.  So far so good.
>>
>> On Tue, Jul 7, 2009 at 10:38 AM, David Lum <[email protected]>
>> wrote:
>>>
>>> The "Microsoft fix-it" is an MSI that I am pushing via SMS and is pushing
>>> fine (so far just a few test cases have it, but no issues). Beats trying to
>>> push out a .REG or something...
>>>
>>>
>>>
>>> David Lum // SYSTEMS ENGINEER
>>> NORTHWEST EVALUATION ASSOCIATION
>>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>>>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
>
