Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.
This article contains pre-release documentation and is subject to change in future releases.

How to stop an ActiveX control from running in Internet Explorer

The following advisory article discusses vulnerabilities in the Active Template Library (ATL) that could allow remote code execution:

973882 Microsoft Security Advisory: Vulnerabilities in Microsoft Active Template Library (ATL) could allow remote code execution

This security update lets users control if and how ActiveX controls and OLE objects load by using a Microsoft Office kill-bit list. For more information about the Windows Internet Explorer kill-bit behavior that this feature is based on, including how to set AlternateCLSIDs that allow updated ActiveX controls to load, see advisory article 973882. All the features in the advisory article can be used to help mitigate these ATL vulnerabilities. Additionally, specific ATL mitigations are discussed in this security update. This security update applies to Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Publisher, and Microsoft Visio.
Office COM Kill Bit
You can also use the Office COM kill bit that was introduced in the security update in MS10-036 to prevent specific COM objects from running within Office applications. These specific COM objects include ActiveX controls and OLE objects. Now, through the registry, you can independently control which ActiveX and OLE objects are blocked from running when you use Office.
Important notes
- If the Office COM Kill Bit is set in the registry for an OLE object, the object is not loaded, and the object cannot be loaded in any circumstance.
- In Office 2007, users receive the following error message:
- In Office 2003, users receive the following error message:
  Attempt to create a class object failed. Access Denied.
To determine which CLSID is failing to load, use Process Monitor from TechNet. Look for the Internet Explorer kill-bit setting in the Process Monitor log file:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\<CLSID>
Note We do not recommend that you remove the kill bit that is set for a COM object. If you do this, you might create security vulnerabilities. The kill bit is typically set for a reason that might be critical, and because of this, extreme care must be used when you unkill an ActiveX control. You can add an AlternateCLSID (also known as a “Phoenix bit”) when you have to relate the CLSID of a new ActiveX control (one that was modified to reduce the security threat) to the CLSID of the ActiveX control to which the Office COM kill bit was applied. Office supports the AlternateCLSID only when ActiveX control COM objects are used.

Note The kill-bit list for Office takes precedence over the kill-bit list for Internet Explorer. For example, the Office COM kill bit and the Internet Explorer ActiveX kill bit may be set for the same ActiveX control, but the AlternateCLSID is set only on the list for Internet Explorer. In this scenario, there is a conflict between the two settings. In such instances, the Office COM kill-bit settings take precedence, and the control is not loaded.

Setting the Office COM Kill Bit
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

The location for setting the Office COM kill bit in the registry is as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{CLSID}

In this case, CLSID is the class identifier of the COM object. To enable the Office COM kill bit, you have to add a registry subkey that is named with the CLSID of the ActiveX control or OLE object that you want to block from loading. Also, you have to set the Compatibility Flags REG_DWORD value in that subkey to 0x00000400.
For example, to set the Office COM kill bit for an object that has CLSID {77061A9C-2F18-4f38-B294-F6BCC8443D24}, locate the following subkey, and add REG_SZ {77061A9C-2F18-4f38-B294-F6BCC8443D24} to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility

In this case, the path is as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{77061A9C-2F18-4f38-B294-F6BCC8443D24}
When you add a subkey that contains the value of 0x00000400 to the {CLSID} key, the Office COM kill bit is set. The 64-bit and 32-bit objects and their kill bits are located in different registry locations. For more information, see the Kill-Bit FAQ on the Microsoft website.

How to override the Internet Explorer kill-bit list for OLE objects
The Override IE kill-bit list option lets you specifically list which OLE objects on the Internet Explorer kill-bit list are permitted to be loaded within Office. Use the Override IE kill-bit list only if you know that the OLE object is safe to load in Office. Be aware that when Office checks the Override IE kill-bit list setting, Office also checks whether the Office COM kill bit is enabled. If the Office COM kill bit is enabled, the OLE object is not loaded.
To enable the Override IE kill-bit list option, you must correctly categorize the OLE object. In the registry, if the subkey does not already exist, add a subkey that is called Implemented Categories to the CLSID of the COM object. Then, add a subkey that contains the Category ID (CATID) for OLE objects, {F3E0281E-C257-444E-87E7-F3DC29B62BBD}, to the Implemented Categories key. For example, Internet Explorer may be set up to kill an OLE object, but you still want to use this object in Office. In this case, you must first look up the CLSID for that OLE object in the following location in the registry:
HKEY_CLASSES_ROOT\CLSID

For example, the CLSID for the Microsoft Graph Chart is {00020803-0000-0000-C000-000000000046}. Then, you must determine whether the key Implemented Categories already exists, or you must create the key if it does not exist. In this example, the path is as follows:
HKEY_CLASSES_ROOT\CLSID\{00020803-0000-0000-C000-000000000046}\Implemented Categories

Finally, add a new subkey for the CATID for OLE objects to the Implemented Categories key. The following is the path for this example:
HKEY_CLASSES_ROOT\CLSID\{00020803-0000-0000-C000-000000000046}\Implemented Categories\{F3E0281E-C257-444E-87E7-F3DC29B62BBD}
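The troubleshooting steps above (Process Monitor, the two kill-bit lists, the AlternateCLSID and the OLE CATID) can be folded into one read-only check. This is an added example, not code from the Knowledge Base article: the registry paths and value names are the ones the article gives, while the `-Wow64` switch, which targets the WOW64-redirected `Wow6432Node` view that 32-bit Office uses on 64-bit Windows, is an assumption the article does not spell out.

```powershell
# Added example, not code from the KB article: read-only check of why an
# ActiveX/OLE object with a given CLSID may be refused by Office.
# Registry paths and value names are the ones the article gives; the
# Wow6432Node switch targets the standard WOW64-redirected view used by
# 32-bit Office on 64-bit Windows (the article does not name that path).
$KillBit  = 0x00000400
$OleCatId = '{F3E0281E-C257-444E-87E7-F3DC29B62BBD}'   # CATID for OLE objects

function Get-CompatFlags([string]$Path) {
    # Return the 'Compatibility Flags' DWORD under $Path, or $null if absent.
    $p = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -ne $p) { [int]$p.'Compatibility Flags' } else { $null }
}

function Get-OleLoadStatus([string]$Clsid, [switch]$Wow64) {
    $sw     = if ($Wow64) { 'SOFTWARE\Wow6432Node' } else { 'SOFTWARE' }
    $office = "HKLM:\$sw\Microsoft\Office\Common\COM Compatibility\$Clsid"
    $ie     = "HKLM:\$sw\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $cat    = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\Implemented Categories\$OleCatId"

    $officeFlags  = Get-CompatFlags $office
    $ieFlags      = Get-CompatFlags $ie
    $alt          = (Get-ItemProperty -Path $ie -Name 'AlternateCLSID' -ErrorAction SilentlyContinue).AlternateCLSID
    $officeKilled = ([int]$officeFlags -band $KillBit) -ne 0
    $ieKilled     = ([int]$ieFlags -band $KillBit) -ne 0
    $isOleCat     = Test-Path $cat

    # Precedence as the article states: the Office COM kill bit always wins.
    # An IE kill bit can only be overridden in Office for objects carrying the
    # OLE CATID, and then only if the Override IE kill-bit list permits them.
    $verdict = if ($officeKilled) { 'Blocked: Office COM kill bit set (takes precedence)' }
               elseif ($ieKilled -and -not $isOleCat) { 'Blocked: IE kill bit set, object not in OLE CATID' }
               elseif ($ieKilled) { 'IE kill bit set; loads only if the Override IE kill-bit list permits it' }
               else { 'No kill bit in either list' }

    [pscustomobject]@{
        CLSID              = $Clsid
        OfficeCompatFlags  = $officeFlags
        IECompatFlags      = $ieFlags
        AlternateCLSID     = $alt
        OleCategoryPresent = $isOleCat
        Verdict            = $verdict
    }
}

# Microsoft Graph Chart, the article's worked example
Get-OleLoadStatus -Clsid '{00020803-0000-0000-C000-000000000046}' | Format-List
```

Run it once without and once with `-Wow64` on 64-bit Windows, because the article notes that 32-bit and 64-bit objects keep their kill bits in different registry locations.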
Note The Category ID (CATID) for OLE objects is {F3E0281E-C257-444E-87E7-F3DC29B62BBD}, and the braces ( { } ) must be included.

How to disable ATL mitigations
When the ATL mitigations are enabled, controls that use OleLoadFromStream are prevented from functioning, and control information is lost. For example, VB6/Windows common controls are affected by this issue.
Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk. We do not recommend that you disable the ATL mitigations unless it is absolutely necessary, because these ATL mitigations cover a broad scope. If you disable the ATL mitigations, you might create security vulnerabilities. If you do disable the ATL mitigations, we recommend that you do not open Microsoft Office files that you receive from untrusted sources or that you unexpectedly receive from trusted sources.

To disable the mitigations that reference the ATL vulnerabilities, set the NoOLELoadFromStreamChecks REG_DWORD to a value of 00000001 in the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security
Note If this registry value does not exist, you must create it as a REG_DWORD type.

Disable scriptlet controls for Office applications

After this security update is installed, you can disable scriptlets for Office applications without changing the Internet Explorer behavior.

To disable scriptlets for Office applications, set the Compatibility Flags REG_DWORD value to 00000400 in the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{AE24FDAE-03C6-11D1-8B76-0080C744F389}
The following is a list of other controls that you may want to consider putting onto the Office deny list:

Control | CLSID
---|---
Microsoft HTA Document 6.0 | {3050F5C8-98B5-11CF-BB82-00AA00BDCE0B}
htmlfile | {25336920-03F9-11CF-8FD0-00AA00686F13}
htmlfile_FullWindowEmbed | {25336921-03F9-11CF-8FD0-00AA00686F13}
mhtmlfile | {3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
Web Browser Control | {8856F961-340A-11D0-A96B-00C04FD705A2}
DHTMLEdit | {2D360200-FFF5-11D1-8D03-00A0C959BC0A}
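Applying the Office COM kill bit from the "Setting the Office COM Kill Bit" section to the scriptlet control and to the controls in the table above, as an added example that is not code from the Knowledge Base article. The 0x00000400 bit is OR-ed into any existing Compatibility Flags value rather than overwriting it; writing the Wow6432Node path as well, so that 32-bit Office on 64-bit Windows sees the same setting, is an assumption the article does not spell out.

```powershell
# Added example, not code from the KB article: set the Office COM kill bit
# (Compatibility Flags |= 0x00000400) for the CLSIDs the article lists.
# Writing the Wow6432Node view as well is an assumption: that is the
# WOW64-redirected path 32-bit Office reads on 64-bit Windows.
# Run from an elevated PowerShell; supports -WhatIf.
$KillBit  = 0x00000400
$DenyList = [ordered]@{
    'Scriptlet control'          = '{AE24FDAE-03C6-11D1-8B76-0080C744F389}'
    'Microsoft HTA Document 6.0' = '{3050F5C8-98B5-11CF-BB82-00AA00BDCE0B}'
    'htmlfile'                   = '{25336920-03F9-11CF-8FD0-00AA00686F13}'
    'htmlfile_FullWindowEmbed'   = '{25336921-03F9-11CF-8FD0-00AA00686F13}'
    'mhtmlfile'                  = '{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}'
    'Web Browser Control'        = '{8856F961-340A-11D0-A96B-00C04FD705A2}'
    'DHTMLEdit'                  = '{2D360200-FFF5-11D1-8D03-00A0C959BC0A}'
}

function Set-OfficeComKillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    $roots = @('HKLM:\SOFTWARE')
    if ([Environment]::Is64BitOperatingSystem) { $roots += 'HKLM:\SOFTWARE\Wow6432Node' }
    foreach ($root in $roots) {
        $key     = "$root\Microsoft\Office\Common\COM Compatibility\$Clsid"
        $current = 0
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($null -ne $p) { $current = [int]$p.'Compatibility Flags' }
        }
        $new = $current -bor $KillBit   # keep any other flag bits already set
        if ($new -eq $current) { Write-Verbose "$key already has the kill bit"; continue }
        if ($PSCmdlet.ShouldProcess($key, "Set 'Compatibility Flags' to 0x$($new.ToString('X8'))")) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
        }
    }
}

foreach ($entry in $DenyList.GetEnumerator()) {
    Write-Host "Blocking $($entry.Key) $($entry.Value) in Office"
    Set-OfficeComKillBit -Clsid $entry.Value -Verbose
}
```

Because the article states that the Office list takes precedence over the Internet Explorer list, an object blocked this way stays blocked even if an AlternateCLSID exists for it on the Internet Explorer side.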