+1, why MS didn't supply a ready-to-use .REG file (it's for HKLM after all) is beyond me.
So the via-GPO fail isn't just me! My .MSI push attempt via GPO to XP didn't work (none of my clients have SMS). An SMS push (day job has SMS) of the same .MSI worked fine.

Dave

-----Original Message-----
From: Carl Houseman [mailto:[email protected]]
Sent: Wednesday, July 08, 2009 8:14 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

It appears that's what we're left to do on our own. Not sure why MS couldn't just provide us the .reg file ready-to-use. Or, for that matter, a .msi file that works with GP. I tried assigning the msfixit .msi in a group policy, but it didn't install (on Vista anyway; didn't test w/XP after that; it worked under Vista when run interactively).

My other idea, a custom .adm file to push the settings out, fell flat because a single policy can't affect multiple reg keys with a single enable/disable choice. If I'm wrong about that I'd love to hear how it's done.

Carl

-----Original Message-----
From: Ziots, Edward [mailto:[email protected]]
Sent: Wednesday, July 08, 2009 10:57 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

Question: according to the Microsoft article it looks like you need to add a whole lot of CLSIDs that need the kill bit set. Is this what everyone else is doing? So basically adding each one of these CLSIDs to a .reg file and then scheduling a bat file to be run at the computer startup, like the following? (Call it MSVideofit.bat)

:BATFILE
Regedit -s MSactiveXVideoFix.reg

:MsActiveXVideoFix.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
"Compatibility Flags"=dword:00000400

ETC ETC (down the list of CLSIDs below)

Then set a Group Policy with the computer startup script at the root of your domain, and let it rip. (So servers, workstations etc. get the fix; you can try it at a small OU level and reg query the registry after the system is booted to verify that it's working.)

The following Class Identifiers relate to Microsoft Video ActiveX Control:

Class Identifier
{011B3619-FE63-4814-8A84-15A194CE9CE3}
{0149EEDF-D08F-4142-8D73-D23903D21E90}
{0369B4E5-45B6-11D3-B650-00C04F79498E}
{0369B4E6-45B6-11D3-B650-00C04F79498E}
{055CB2D7-2969-45CD-914B-76890722F112}
{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}
{15D6504A-5494-499C-886C-973C9E53B9F1}
{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}
{1C15D484-911D-11D2-B632-00C04F79498E}
{1DF7D126-4050-47F0-A7CF-4C4CA9241333}
{2C63E4EB-4CEA-41B8-919C-E947EA19A77C}
{334125C0-77E5-11D3-B653-00C04F79498E}
{37B0353C-A4C8-11D2-B634-00C04F79498E}
{37B03543-A4C8-11D2-B634-00C04F79498E}
{37B03544-A4C8-11D2-B634-00C04F79498E}
{418008F3-CF67-4668-9628-10DC52BE1D08}
{4A5869CF-929D-4040-AE03-FCAFC5B9CD42}
{577FAA18-4518-445E-8F70-1473F8CF4BA4}
{59DC47A8-116C-11D3-9D8E-00C04F72D980}
{7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}
{823535A0-0318-11D3-9D8E-00C04F72D980}
{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}
{8A674B4C-1F63-11D3-B64C-00C04F79498E}
{8A674B4D-1F63-11D3-B64C-00C04F79498E}
{9CD64701-BDF3-4D14-8E03-F12983D86664}
{9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}
{A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}
{A2E3074E-6C3D-11D3-B653-00C04F79498E}
{A2E30750-6C3D-11D3-B653-00C04F79498E}
{A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}
{AD8E510D-217F-409B-8076-29C5E73B98E8}
{B0EDF163-910A-11D2-B632-00C04F79498E}
{B64016F3-C9A2-4066-96F0-BD9563314726}
{BB530C63-D9DF-4B49-9439-63453962E598}
{C531D9FD-9685-4028-8B68-6E1232079F1E}
{C5702CCC-9B79-11D3-B654-00C04F79498E}
{C5702CCD-9B79-11D3-B654-00C04F79498E}
{C5702CCE-9B79-11D3-B654-00C04F79498E}
{C5702CCF-9B79-11D3-B654-00C04F79498E}
{C5702CD0-9B79-11D3-B654-00C04F79498E}
{C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}
{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}
{D02AAC50-027E-11D3-9D8E-00C04F72D980}
{F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}
{FA7C375B-66A7-4280-879D-FD459C84BB02}

Note: The Class Identifiers and corresponding files where the ActiveX objects are contained are documented in the table above. Replace {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} below with the Class Identifier found in this table.

To set the kill bit for a CLSID with a value of {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}]
"Compatibility Flags"=dword:00000400

You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

Please advise; going to be undertaking this shortly, and don't want to screw it up.

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, ME, CCA, Security+, Network+
[email protected]
Phone: 401-639-3505

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Wednesday, July 08, 2009 10:48 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

Yes, unfortunately, all our users are admins. It sucks, but I use it to my advantage when I can.

The reason we've not done a GP is because we haven't had the luxury of studying to understand them. Our plates always seem to be full with other things.

On Tue, Jul 7, 2009 at 19:04, Ken Schaefer <[email protected]> wrote:
> Are all your users admins? Otherwise, how is that logon script going to update HKLM?
>
> Machine-based startup script would be a better idea, no?
>
> Cheers
> Ken
>
> ________________________________________
> From: Kurt Buff [[email protected]]
> Sent: Wednesday, 8 July 2009 2:41 AM
> To: NT System Admin Issues
> Subject: Re: New IE zero day exploit in the wild
>
> I'm just pushing out the .reg file in the login script:
>
> regedit /s \\fileserver\public\patches\videokillbits.reg
>
> The file was easy to create, in a capable editor (not notepad or
> wordpad) that allows metacharacter search and replace, such as '\n'
> for CRLF and '\t' for tab. I used the ancient, no-longer-supported
> PFE32. I really should switch to VIM, I suppose.
>
> On Tue, Jul 7, 2009 at 08:40, Eric Wittersheim <[email protected]> wrote:
>> I'm pushing out the .reg via GP. So far so good.
>>
>> On Tue, Jul 7, 2009 at 10:38 AM, David Lum <[email protected]> wrote:
>>>
>>> The "Microsoft fix-it" is an MSI that I am pushing via SMS and is pushing
>>> fine (so far just a few test cases have it, but no issues). Beats trying to
>>> push out a .REG or something...
>>>
>>> David Lum // SYSTEMS ENGINEER
>>> NORTHWEST EVALUATION ASSOCIATION
>>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>>>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
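As an added example (not code from anyone in this thread, nor Microsoft's), here is a short Python script that does the two things the thread keeps circling: it generates the kill-bit .reg file from the CLSID list instead of building it by hand with search-and-replace, and it reads back either a .reg file or the output of `reg query` to confirm that every CLSID on the list actually has bit 0x400 set. The three CLSIDs embedded below are the first three from the list above; the function names and the sample `reg query` output are constructed for the example.

```python
"""Build and verify IE ActiveX kill-bit .reg files (added example, not from the thread)."""
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE instantiating the control
ACTIVEX_COMPAT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                  r"\ActiveX Compatibility")

# Constructed sample: the first three CLSIDs from the list posted above.
# A real deployment would paste in all 45.
SAMPLE_CLSIDS = [
    "{011B3619-FE63-4814-8A84-15A194CE9CE3}",
    "0149eedf-d08f-4142-8d73-d23903d21e90",   # unbraced, lower case on purpose
    "{0369B4E5-45B6-11D3-B650-00C04F79498E}",
]

# Constructed stand-in for the output of:
#   reg query "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" /s /v "Compatibility Flags"
# on a box where the startup script only half-worked.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}
    Compatibility Flags    REG_DWORD    0x400

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0149EEDF-D08F-4142-8D73-D23903D21E90}
    Compatibility Flags    REG_DWORD    0x1
"""

GUID_RE = re.compile(r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                       # .reg key line
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<val>[0-9A-Fa-f]{1,8})$')
QUERY_RE = re.compile(r"^Compatibility Flags\s+REG_DWORD\s+0x(?P<val>[0-9A-Fa-f]+)$", re.I)


def normalize_clsid(clsid):
    """Canonical {UPPERCASE-GUID}. Anything else is rejected, because a typo
    would otherwise produce a harmless-looking key that blocks nothing."""
    m = GUID_RE.match(clsid.strip())
    if not m:
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + m.group(1).upper() + "}"


def build_killbit_reg(clsids):
    """Return the text of a 'Windows Registry Editor Version 5.00' file that sets
    the kill bit for every CLSID given."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append(f"[{ACTIVEX_COMPAT}\\{normalize_clsid(clsid)}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\r\n".join(lines)  # .reg files use CRLF line endings


def parse_killbits(text):
    """Map CLSID -> Compatibility Flags from either a .reg file or reg.exe query
    output. Both put the key on its own line (bracketed in .reg, bare in reg.exe
    output) followed by the value line."""
    flags, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if KEY_RE.match(line) or line.upper().startswith("HKEY_"):
            key = line[1:-1] if line.startswith("[") else line
            if key.lower().startswith(ACTIVEX_COMPAT.lower() + "\\"):
                current = key.rsplit("\\", 1)[1].upper()
                flags.setdefault(current, 0)   # key present but value may be missing
            else:
                current = None                 # some unrelated key; ignore its values
            continue
        m = FLAG_RE.match(line) or QUERY_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group("val"), 16)
    return flags


def unblocked(clsids, text):
    """CLSIDs from the list whose kill bit is NOT set in the given .reg text or
    reg.exe output. Tests the bit rather than the whole value, so a control
    whose flags are e.g. 0x401 still counts as blocked."""
    flags = parse_killbits(text)
    return [c for c in map(normalize_clsid, clsids) if not flags.get(c, 0) & KILL_BIT]


if __name__ == "__main__":
    with open("videokillbits.reg", "w", newline="") as fh:
        fh.write(build_killbit_reg(SAMPLE_CLSIDS))
    print("still unblocked per sample reg query:", unblocked(SAMPLE_CLSIDS, SAMPLE_REG_QUERY))
```

The generated file is imported with `regedit /s videokillbits.reg` from a computer startup script (the script runs as SYSTEM, so it can write HKLM regardless of whether users are admins); after a reboot, pipe `reg query "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" /s /v "Compatibility Flags"` into `unblocked()` to get the list of CLSIDs that still need attention. Two caveats: `dword:00000400` overwrites any flags already on the value rather than OR-ing the bit in, and on 64-bit Windows the 32-bit IE reads the same key under `HKLM\SOFTWARE\Wow6432Node\...\ActiveX Compatibility`, so x64 clients need those keys in the file as well.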
