Category Archives: 6837

A better, more reliable, work-around for the Microsoft Video Control Vulnerability

For the past few days I've been following the Microsoft Video Control Vulnerability with interest. Basically, it's another vulnerable ActiveX control that needs its kill bit set. Last night, Microsoft posted a work-around which uses a Group Policy ADM template (ADM is the legacy template format that was superseded by ADMX in Vista and Windows Server 2008). Unfortunately, the template tattoos the registry: the values it writes live outside the policy keys that Group Policy cleans up, so they stay behind after the GPO is unlinked or removed. That is not really recommended.

I contemplated for a while writing a work-around for this issue, but then remembered that I actually already did, almost three years ago. The work-around I wrote then, for another ActiveX vulnerability, does not tattoo the registry and is much simpler to deploy with an enterprise management system. Just take the CLSIDs from the advisory (there are 45 of them) and run my script once for each of them with the -k switch. If you wish to revert the change, run the same script with the -r switch.

You need to manually undo your MS08-078 mitigations

Just as an FYI for those of you who used Microsoft's recommended mitigations for MS08-078: if you unregistered the MSXML Island object, you need to manually re-create the registry entries after you install the patch to restore the functionality. The patch does not re-create them. Unfortunately, it appears Microsoft removed the actual registry entries from the bulletin and removed the work-around information from the advisory altogether, so unless you created a backup copy, you will need to look at an untouched system to find out what the registry entries were.

Or, you can just copy this into a text file called "WhyDidTheyRemoveTheInformationINeed.reg" and double-click it:

Windows Registry Editor Version 5.00

; MSXML Island object registration removed by the MS08-078 work-around

[HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}]
@="MsxmlIsland"

[HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}\InProcServer32]
"ThreadingModel"="Apartment"
; (default) is REG_EXPAND_SZ, stored as hex(2); the UTF-16LE bytes below spell
; %SystemRoot%\System32\msxml3.dll
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,73,00,\
  78,00,6d,00,6c,00,33,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}\TypeLib]
@="{D63E0CE2-A0A2-11D0-9C02-00C04FC99C8E}"

Mitigate the Image Uploader Vulnerabilities

The big security news this week is the six vulnerabilities found in various image uploader ActiveX controls. In case you haven't seen the news, there are exploits publicly available for remote vulnerabilities in five different ActiveX controls. US-CERT is offering the relatively unhelpful advice that users disable all ActiveX controls in their browser. Doing so would disable a lot of things, notably virtually every corporate expense reporting application, and your users will probably have a thing or two to say about that. You can soften the impact by adding all the sites users will ever need to the Trusted Sites zone, but if you haven't done that in the 10 years or so that you have had the option, you probably will not do it now.

That means you, like me, are probably looking for other options. Tom Liston, of SANS/IntelGuardians, created an application to set the kill bit on the affected controls. It is a nice little tool. However, it only works on the local machine, the source is not available, it is not digitally signed (Authenticode) but instead ships with an MD5 hash for integrity checking (standard practice on Linux, but not on Windows, and a hash says nothing about who published the file), and it uses a non-standard way of defining the control.

Another way to handle the problem, and one that scales to an enterprise environment, is to dust off the old SlayOCX vbscript that I wrote for the VML vulnerability about 18 months ago. We can wrap it in a startup script and link that script to a GPO. It has to be a computer startup script rather than a user logon script: the kill bit lives under HKLM, so the script must run in the computer's context (as SYSTEM), not as an ordinary user. That will effectively disable the controls on all managed systems. First, we need a custom script with all the ActiveX controls enumerated:

<begin script>

REM Run SlayOCX.vbs under cscript so that nothing can pop up a wscript dialog during
REM startup. -k sets the kill bit on the given CLSID; -l enables logging (SlayOCX.log).
REM Paths assume both files were copied to the sysvol scripts folder, as in step 3 below.

REM Facebook
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k 5C6698D9-7BE4-4122-8EC5-291D84DBD4A0 -l

REM Yahoo MediaGrid
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k 22FD7C0A-850C-4A53-9821-0B0915C96139 -l

REM Yahoo DataGrid
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k 5F810AFC-BB5F-4416-BE63-E01DD117BD6C -l

REM Aurigma controls from http://www.kb.cert.org/vuls/id/776931
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k 104B0A37-AB99-4F06-8032-8BBDC3B77DDB -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k 17D667BA-5675-4AAB-9221-08B9379384D4 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k 48DD0448-9209-4F81-9F6D-D83562940134 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k 55027008-315F-4F45-BBC3-8BE119764741 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k 6E5E167B-1566-4316-B27F-0DDAB3484CF7 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k A18962F6-E6ED-40B1-97C9-1FB36F38BFA8 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k AE6C4705-0F11-4ACB-BDD4-37F138BEF289 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k B85537E9-2D9C-400A-BC92-B04F4D9FF17D -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k BA162249-F2C5-4851-8ADC-FC58CB424243 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k D1EA8D3D-F511-4388-B754-4A0CC14A4778 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k F1F51698-7B63-4394-8743-1F4CF1853DE1 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k F89EF74A-956B-4BD3-A066-4F23DF891982 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k FB90BA05-66E6-4c56-BCD3-D65B0F7EBA39 -l

</end script>

Next, we can follow the directions in the original post to configure a startup script:

  1. Copy the script above (everything between the begin and end tags) and paste it into a new text document. Save the document as "NoPicturesPlease.cmd". Alternatively, just download and expand the SlayOCX_v1.zip file attached to this post.
  2. Open NoPicturesPlease.cmd in Notepad, hit CTRL+H and do a global find replace on "<your domain>" with the name of your domain.
  3. Copy the NoPicturesPlease.cmd file and SlayOCX.vbs to \\<your domain>\sysvol\<your domain>\scripts, where you replace "<your domain>" with the full DNS name of your domain.
  4. Open the GPMC (if you do not have the Group Policy Management Console, you need to get it. Strictly speaking you can manage GPOs without it, but you really don't want to).
  5. Right-click the domain or OU where you want to link the GPO – you may as well do it at the domain level – and select "Create and Link a GPO Here…". Name your new GPO "NoPicturesPlease".
  6. Right-click the GPO NoPicturesPlease and select "Edit…".
  7. Expand "Computer Configuration:Windows Settings" and click on "Scripts (Startup/Shutdown)".
  8. Double-click "Startup" in the right-hand pane
  9. Click "Add…"
  10. Browse to \\<your domain>\sysvol\<your domain>\scripts and select "NoPicturesPlease.cmd". Click "Open"
  11. Click "OK" again.
  12. Close the GPO editor and go back to the GPMC
  13. In the "Security Filtering" pane remove "Authenticated Users" and click Add…
  14. In the text box called "Enter the object name…" type "Domain Computers" or some other relevant group that you want to apply the policy to. Click OK.

When the computers next restart they will automatically apply the mitigation and set the kill bit on all the relevant ActiveX controls. If a given ActiveX control does not exist on a particular computer, nothing is done to it. The script also creates a log file in the root of the boot volume, called "SlayOCX.log". By monitoring that log file you can tell how many computers the mitigation actually modified. If it finds any of the ActiveX controls, you also have a good indication that people are surfing social networking sites at work, in case you worry about such things.

If you ever want to undo the mitigation, modify NoPicturesPlease.cmd to use the -r switch instead of the -k switch and let it run once on every computer before you unlink the GPO. Simply unlinking the GPO does not clear the kill bits, because the script writes them directly rather than through a policy key.
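Both the first post on this page (running the script with -k or -r for each CLSID in the advisory) and the procedure above come down to the same registry operation: setting or clearing the Internet Explorer kill bit, which is bit 0x400 of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The following PowerShell is an added example that does that job; it is not SlayOCX.vbs and not code from the original posts. It assumes an elevated session (or SYSTEM, from a computer startup script), a 64-bit PowerShell host on 64-bit Windows, and the CLSID list, log path and function names are illustrative.

```powershell
# Added example, not the author's SlayOCX.vbs. Set, clear and report the IE kill bit
# for a list of CLSIDs. Assumptions: run elevated or as SYSTEM (it writes HKLM) from a
# 64-bit PowerShell host; CLSIDs, log path and function names are illustrative.
$KillBit = 0x400
$CompatRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view, so write both views
    $CompatRoots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Format-Clsid {
    param([Parameter(Mandatory)][string]$Clsid)
    # Accept the brace-less form used in the advisory and in the .cmd above
    $g = [guid]$Clsid.Trim('{}')
    return ('{' + $g.ToString().ToUpper() + '}')
}

function Get-CompatFlags {
    param([string]$Key)
    $v = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 }
    return [int]$v.'Compatibility Flags'
}

function Get-KillBitState {
    param([Parameter(Mandatory)][string]$Clsid)
    $id = Format-Clsid $Clsid
    foreach ($root in $CompatRoots) {
        $key = Join-Path $root $id
        $flags = if (Test-Path $key) { Get-CompatFlags $key } else { 0 }
        [pscustomobject]@{
            Clsid      = $id
            View       = $(if ($root -match 'Wow6432Node') { '32-bit' } else { 'native' })
            Flags      = ('0x{0:X}' -f $flags)
            KillBitSet = (($flags -band $KillBit) -ne 0)
            # Whether the control is registered on this machine at all
            Registered = (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$id")
        }
    }
}

function Set-KillBit {
    param(
        [Parameter(Mandatory)][string[]]$Clsid,
        [switch]$Revert,        # clear the bit instead of setting it (the -r case)
        [string]$LogPath        # optional log file, one line per registry write (the -l case)
    )
    foreach ($c in $Clsid) {
        $id = Format-Clsid $c
        foreach ($root in $CompatRoots) {
            $key = Join-Path $root $id
            if (-not (Test-Path $key)) {
                if ($Revert) { continue }           # nothing to undo for this CLSID
                New-Item -Path $key -Force | Out-Null
            }
            $old = Get-CompatFlags $key
            # OR the bit in (or mask it out) so any other compatibility flags are preserved
            $new = if ($Revert) { $old -band (-bnot $KillBit) } else { $old -bor $KillBit }
            if ($new -ne $old) {
                Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
            }
            if ($LogPath) {
                $action = if ($Revert) { 'REVERT' } else { 'KILL' }
                ('{0} {1} {2} 0x{3:X} -> 0x{4:X}' -f (Get-Date -Format s), $action, $key, $old, $new) |
                    Add-Content -Path $LogPath
            }
        }
    }
}

# Usage: the Facebook and Yahoo MediaGrid CLSIDs from the .cmd above
$targets = @('5C6698D9-7BE4-4122-8EC5-291D84DBD4A0', '22FD7C0A-850C-4A53-9821-0B0915C96139')
Set-KillBit -Clsid $targets -LogPath "$env:SystemDrive\SlayOCX.log"
$targets | ForEach-Object { Get-KillBitState $_ } | Format-Table -AutoSize
# To undo: Set-KillBit -Clsid $targets -Revert -LogPath "$env:SystemDrive\SlayOCX.log"
```

Two design choices differ from the script in the post. First, Set-KillBit writes the bit whether or not the control is registered, which is how Microsoft's own kill-bit advisories work: a kill bit for a control that is not installed is harmless, and it still protects the machine if the control shows up later. If you want the post's behaviour (touch only controls that exist), check the Registered property from Get-KillBitState before calling Set-KillBit. Second, it preserves any other bits already present in Compatibility Flags instead of overwriting the value, so reverting only removes what it added.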