MS-ISAC ADVISORY NUMBER:
2009-007

DATE(S) ISSUED:
2/11/2009

SUBJECT:
Security Update of ActiveX Kill Bits

OVERVIEW:

Microsoft has released a security update which addresses vulnerabilities discovered in multiple ActiveX controls. ActiveX controls are small programs or animations that are downloaded or embedded in Web pages which will typically enhance functionality and user experience. Many web design and development tools have built ActiveX support into their products, allowing developers to both create and make use of ActiveX controls in their programs. There are more than 1,000 existing ActiveX controls available for use today.

When vulnerabilities are discovered in ActiveX controls, attackers may use specially crafted web pages to exploit these vulnerabilities. Successful exploitation will result in an attacker gaining the same user privileges as the logged on user. Depending on the privileges associated with this user account, an attacker could then install programs; view, change, or delete data; or create new accounts.


SYSTEMS AFFECTED:

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2 and Service Pack 3
  • Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista and Windows Vista Service Pack 1
  • Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Server 2008 for 32-bit Systems
  • Windows Server 2008 for x64-based Systems
  • Windows Server 2008 for Itanium-based Systems

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
The security update released by Microsoft addresses three sets of ActiveX component vulnerabilities. The first set is in the Microsoft ActiveX controls for Microsoft Visual Basic 6. The second and third are in controls shipped with the third-party applications Akamai Download Manager and Research in Motion (RIM) AxLoader.

Microsoft Internet Explorer includes a security feature that prevents a specific ActiveX control from being loaded, based on registry settings. This is commonly referred to as setting the 'kill bit' of an ActiveX component. Once the kill bit is set, Internet Explorer will no longer load the associated component.

The vulnerabilities within the ActiveX controls for Microsoft Visual Basic 6 Runtime Extended Files could allow an attacker to take complete control of an affected system. These vulnerabilities may be exploited if a user visits a specially crafted web page or opens a specially crafted HTML-formatted email.

The vulnerability within Akamai Download Manager allows an attacker to launch arbitrary code within the context of the victim user.

The vulnerability within RIM AxLoader allows an unauthenticated, remote attacker to execute arbitrary code with the privileges of the victim user.

Successful exploitation of any of these vulnerabilities will result in an attacker gaining the same user privileges as the logged on user. Depending on the privileges associated with this user account, an attacker could then install programs; view, change, or delete data; or create new accounts.

This update (see recommendations below) will set the kill bits for the following Class Identifiers (CLSIDs):

Microsoft Animation Control, version 5.0 (SP2)
CLSID - 1E216240-1B7D-11CF-9D53-00AA003C9CB6

DataGrid ActiveX Control for Visual Basic 6
CLSID - CDE57A43-8B86-11D0-B3C6-00A0C90AEA82

FlexGrid ActiveX Control for Visual Basic 6
CLSID - 6262D3A0-531B-11CF-91F6-C2863C385E30

Hierarchical FlexGrid ActiveX Control for Visual Basic 6
CLSID - 0ECD9B64-23AA-11d0-B351-00A0C9055D8E

Windows Common ActiveX Control for Visual Basic 6
CLSID - B09DE715-87C1-11d1-8BE3-0000F8754DA1

Charts ActiveX Control for Visual Basic 6
CLSID - 3A2B370C-BA0A-11d1-B137-0000F8753F5D

Masked Edit ActiveX Control for Visual Basic 6
CLSID - C932BA85-4374-101B-A56C-00AA003668DC

Microsoft Winsock Control, version 6.0
CLSID - 248dd896-bb45-11cf-9abc-0080c7e7b78d

Akamai Download Manager
CLSID - FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1

Research in Motion (RIM) Blackberry Application Web Loader
CLSID - 4788DE08-3552-49EA-AC8C-233DA52523B9

The update does not contain any executable code. The update will only make the specified changes to the system registry to disable the associated controls.
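The following read-only audit script is an added example and is not part of the MS-ISAC advisory or the Microsoft update; it reports whether the kill bit is present for each CLSID listed above. It assumes the documented Internet Explorer layout, where per-control flags live under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} (and under the Wow6432Node path for 32-bit Internet Explorer on x64 Windows) as a "Compatibility Flags" DWORD whose 0x400 bit is the kill bit.

```powershell
# Added example: audit the kill bit for the CLSIDs named in this advisory.
# Assumption: "Compatibility Flags" bit 0x400 under the ActiveX Compatibility
# key is the kill bit; 32-bit IE on x64 Windows reads the Wow6432Node copy.
$KillBit = 0x400
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# CLSIDs taken from the advisory text, keyed by control name.
$Controls = [ordered]@{
    'Microsoft Animation Control 5.0 (SP2)'       = '1E216240-1B7D-11CF-9D53-00AA003C9CB6'
    'DataGrid ActiveX Control (VB6)'              = 'CDE57A43-8B86-11D0-B3C6-00A0C90AEA82'
    'FlexGrid ActiveX Control (VB6)'              = '6262D3A0-531B-11CF-91F6-C2863C385E30'
    'Hierarchical FlexGrid ActiveX Control (VB6)' = '0ECD9B64-23AA-11d0-B351-00A0C9055D8E'
    'Windows Common ActiveX Control (VB6)'        = 'B09DE715-87C1-11d1-8BE3-0000F8754DA1'
    'Charts ActiveX Control (VB6)'                = '3A2B370C-BA0A-11d1-B137-0000F8753F5D'
    'Masked Edit ActiveX Control (VB6)'           = 'C932BA85-4374-101B-A56C-00AA003668DC'
    'Microsoft Winsock Control 6.0'               = '248dd896-bb45-11cf-9abc-0080c7e7b78d'
    'Akamai Download Manager'                     = 'FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1'
    'RIM BlackBerry Application Web Loader'       = '4788DE08-3552-49EA-AC8C-233DA52523B9'
}

foreach ($basePath in $BasePaths) {
    # Skip the Wow6432Node hive on 32-bit Windows, where it does not exist.
    if (-not (Test-Path (Split-Path $basePath -Parent))) { continue }

    foreach ($name in $Controls.Keys) {
        $clsid   = $Controls[$name]
        $keyPath = Join-Path $basePath "{$clsid}"
        $flags   = (Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'

        if ($null -eq $flags) {
            $status = 'NOT SET (no Compatibility Flags value)'
        } elseif ($flags -band $KillBit) {
            $status = 'kill bit set'
        } else {
            $status = 'flags 0x{0:X} present but kill bit NOT set' -f $flags
        }

        [pscustomobject]@{
            Hive    = $basePath
            Control = $name
            CLSID   = $clsid
            Status  = $status
        }
    }
}
```

A row reporting anything other than "kill bit set" on a system that should have received the update is worth following up; the script only reads the registry and changes nothing.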

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply the appropriate security update provided by Microsoft to vulnerable systems immediately after appropriate testing: http://support.microsoft.com/kb/960715
  • If you believe you have been affected by targeted attacks exploiting these vulnerabilities, please follow your organization's policies for incident reporting.
  • Do not visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/advisory/960715.mspx
http://support.microsoft.com/kb/960715

RIM:
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB16248

Akamai:
http://www.akamai.com/html/support/security.html

Security Focus:
http://www.securityfocus.com/bid/33663
http://www.securityfocus.com/bid/28993

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1770
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4252
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4253
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4254
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4255
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4256
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3704

This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.