MS13-090: Cumulative security update for ActiveX Kill Bits: November 12, 2013
INTRODUCTION
Microsoft has released security bulletin MS13-090. To view the complete security bulletin, go to one of the following Microsoft websites:
Support for Microsoft Update
Security solutions for IT professionals:
TechNet Security Troubleshooting and Support
Help protect your computer that is running Windows from viruses and malware:
Virus Solution and Security Center
Local support according to your country:
International Support
- Home users:
Skip the details: Download the updates for your home computer or laptop from the Microsoft Update Website now: - IT professionals:
How to obtain help and support for this security update
Help installing updates:Support for Microsoft Update
Security solutions for IT professionals:
TechNet Security Troubleshooting and Support
Help protect your computer that is running Windows from viruses and malware:
Virus Solution and Security Center
Local support according to your country:
International Support
More Information
Download packages
The following files are available for download from the Microsoft Download Center:Windows Server 2012 R2
Download the Windows8.1-KB2900986-x64.msu package now.Windows 8.1, 32-bit versions
Download the Windows8.1-KB2900986-x86.msu package now.Windows 8.1, 64-bit versions
Download the Windows8.1-KB2900986-x64.msu package now.Windows Server 2012
Download the Windows8.1-KB2900986-x64.msu package now.Windows 8, 32-bit versions
Download the Windows8-RT-KB2900986-x86.msu package now.Windows 8, 64-bit versions
Download the Windows8-RT-KB2900986-x64.msu package now.Windows 7, 32-bit versions
Download the Windows6.1-KB2900986-x86.msu package now.Windows 7, 64-bit versions
Download the Windows6.1-KB2900986-x64.msu package now.Windows Server 2008 R2, x64-based versions
Download the Windows6.1-KB2900986-x64.msu package now.Windows Server 2008 R2, Itanium-based systems
Download the Windows6.1-KB2900986-ia64.msu package now.Windows Vista, 32-bit versions
Download the Windows6.0-KB2900986-x86.msu package now.Windows Vista, x64 versions
Download the Windows6.0-KB2900986-x64.msu package now.Windows Server 2008, 32-bit versions
Download the Windows6.0-KB2900986-x86.msu package now.Windows Server 2008, x64-based versions
Download the Windows6.0-KB2900986-x64.msu package now.Windows Server 2008, Itanium-based systems
Download the Windows6.0-KB2900986-ia64.msu package now.Windows XP, x86-based versions
Download the WindowsXP-KB2900986-x86-ENU.exe package now.Windows XP Professional x64 Edition
Download the WindowsServer2003.WindowsXP-KB2900986-x64-ENU.exe package now.Windows Server 2003, x64-based versions
Download the WindowsServer2003.WindowsXP-KB2900986-x64-ENU.exe package now.Windows Server 2003, x86-based versions
Download the WindowsServer2003-KB2900986-x86-ENU.exe package now.Windows Server 2003 for Itanium-based systems
Download the WindowsServer2003-KB2900986-ia64-ENU.exe package now.Release Date: November 12, 2013
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.Security Update Deployment
Windows XP (all editions)
Reference Table
The following table contains the update information for this software.| Update file names | For Windows XP Service Pack 3: WindowsXP-KB2900986-x86-enu.exe |
| For Windows XP Professional x64 Edition Service Pack 2: WindowsServer2003.WindowsXP-KB2900986-x64-enu.exe | |
| Installation switches | See Microsoft Knowledge Base Article 262841 |
| Update log file | KB2900986.log |
| Restart requirement | In some cases, this update does not require a restart. If the necessary files are being used, this update will require a restart. If this behavior occurs, you will receive a message that advises you to restart. |
| Removal information | Use the Add or Remove Programs item in Control Panel or the Spuninst.exe utility that is located in the %Windir%\$NTUninstallKB2900986$\Spuninst folder. |
| File information | Not applicable |
| Registry key verification | For all supported 32-bit editions of Windows XP: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB2900986\Filelist |
| For all supported x64-based editions of Windows XP: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP Version 2003\SP3\KB2900986\Filelist |
Windows Server 2003 (all editions)
Reference Table
The following table contains the update information for this software.| Update file names | For all supported 32-bit editions of Windows Server 2003: WindowsServer2003-KB2900986-x86-enu.exe |
| For all supported x64-based editions of Windows Server 2003: WindowsServer2003.WindowsXP-KB2900986-x64-enu.exe | |
| For all supported Itanium-based editions of Windows Server 2003: WindowsServer2003-KB2900986-ia64-enu.exe | |
| Installation switches | See Microsoft Knowledge Base Article 262841 |
| Update log file | KB2900986.log |
| Restart requirement | In some cases, this update does not require a restart. If the necessary files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart. |
| Removal information | Use the Add or Remove Programs item in Control Panel or the Spuninst.exe utility located in the %Windir%\$NTUninstallKB2900986$\Spuninst folder. |
| File information | Not applicable |
| Registry key verification | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2900986\Filelist |
Windows Vista (all editions)
Reference Table
The following table contains the update information for this software.| Update file names | For all supported 32-bit editions of Windows Vista: Windows6.0-KB2900986-x86.msu |
| For all supported x64-based editions of Windows Vista: Windows6.0-KB2900986-x64.msu | |
| Installation switches | See Microsoft Knowledge Base Article 934307 |
| Restart requirement | In some cases, this update does not require a restart. If the necessary files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart. |
| Removal information | WUSA.exe does not support uninstall of updates. To uninstall an update that is installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates, and select from the list of updates. |
| File information | Not applicable |
| Registry key verification | Note A registry key does not exist to validate the presence of this update. |
Windows Server 2008 (all editions)
Reference Table
The following table contains the update information for this software.| Update file names | For all supported 32-bit editions of Windows Server 2008: Windows6.0-KB2900986-x86.msu |
| For all supported x64-based editions of Windows Server 2008: Windows6.0-KB2900986-x64.msu | |
| For all supported Itanium-based editions of Windows Server 2008: Windows6.0-KB2900986-ia64.msu | |
| Installation switches | See Microsoft Knowledge Base Article 934307 |
| Restart requirement | In some cases, this update does not require a restart. If the necessary files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart. |
| Removal information | WUSA.exe does not support uninstall of updates. To uninstall an update that is installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates, and select from the list of updates. |
| File information | Not applicable |
| Registry key verification | Note A registry key does not exist to validate the presence of this update. |
Windows 7 (all editions)
Reference Table
The following table contains the update information for this software.| Update file names | For all supported 32-bit editions of Windows 7: Windows6.1-KB2900986-x86.msu |
| For all supported x64-based editions of Windows 7: Windows6.1-KB2900986-x64.msu | |
| Installation switches | See Microsoft Knowledge Base Article 934307 |
| Restart requirement | This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if necessary files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart. |
| Removal information | To uninstall an update that is installed by WUSA, use the /Uninstall setup switch, or click Control Panel, click System and Security, and then under Windows Update, click View installed updates, and select from the list of updates. |
| File information | Not applicable |
| Registry key verification | Note A registry key does not exist to validate the presence of this update. |
Windows Server 2008 R2 (all editions)
Reference Table
The following table contains the update information for this software.| Update file names | For all supported x64-based editions of Windows Server 2008 R2: Windows6.1-KB2900986-x64.msu |
| For all supported Itanium-based editions of Windows Server 2008 R2: Windows6.1-KB2900986-ia64.msu | |
| Installation switches | See Microsoft Knowledge Base Article 934307 |
| Restart requirement | This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if necessary files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart. |
| Removal information | To uninstall an update that is installed by WUSA, use the /Uninstall setup switch, or click Control Panel, click System and Security, and then under Windows Update, click View installed updates, and select from the list of updates. |
| File information | Not applicable |
| Registry key verification | Note A registry key does not exist to validate the presence of this update. |
Windows 8 and Windows 8.1 (all editions)
Reference Table
The following table contains the update information for this software.| Security update file name | For all supported 32-bit editions of Windows 8: Windows8-RT-KB2900986-x86.msu |
| For all supported x64-based editions of Windows 8: Windows8-RT-KB2900986-x64.msu | |
| For all supported 32-bit editions of Windows 8.1: Windows8.1-KB2900986-x86.msu | |
| For all supported x64-based editions of Windows 8: Windows8.1-KB2900986-x64.msu | |
| Installation switches | See Microsoft Knowledge Base Article 934307 |
| Restart requirement | This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if necessary files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart. |
| Removal information | To uninstall an update that is installed by WUSA, use the /Uninstall setup switch, or click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates, and select from the list of updates. |
| File information | Not applicable |
| Registry key verification | Note A registry key does not exist to validate the presence of this update. |
Windows Server 2012 and Windows Server 2012 R2 (all editions)
Reference Table
The following table contains the update information for this software.| Update file names | For all supported editions of Windows Server 2012: Windows8-RT-KB2900986-x64.msu |
| For all supported editions of Windows Server 2012 R2: Windows8.1-KB2900986-x64.msu | |
| Installation switches | See Microsoft Knowledge Base Article 934307 |
| Restart requirement | This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if necessary files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart. |
| Removal information | To uninstall an update that is installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates, and select from the list of updates. |
| File information | Not applicable |
| Registry key verification | Note A registry key does not exist to validate the presence of this update. |
Windows RT and Windows RT 8.1 (all editions)
Reference Table
The following table contains the update information for this software.| Deployment | This update is available through Windows Update. |
| Restart Requirement | This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if necessary files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart. |
| Removal Information | Click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates, and select from the list of updates. |
| File information | Not applicable |
Detection and Deployment Tools and Guidance
Several resources are available to help administrators deploy security updates.- Microsoft Baseline Security Analyzer (MBSA) lets administrators scan local and remote systems for missing security updates and common security misconfigurations.
- Windows Server Update Services (WSUS), Systems Management Server (SMS), and System Center Configuration Manager help administrators distribute security updates.
- The Update Compatibility Evaluator components that are included with the Application Compatibility Toolkit help in streamlining the testing and validation of Windows updates against installed applications.
Manual configuration information
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
Warning Reverting the kill bits will allow the vulnerable ActiveX control to run in Internet Explorer and will remove the protections that are provided by this update.
To undo the kill bits, follow these steps:
322756 How to back up and restore the registry in Windows
How to allow the vulnerable ActiveX control to run in Internet Explorer
After you install this security update, kill bits are set that prevent the vulnerable InformationCardSigninHelper Class ActiveX control from instantiating in Internet Explorer. You can undo the kill bits to allow the vulnerable ActiveX control to run in Internet Explorer.Warning Reverting the kill bits will allow the vulnerable ActiveX control to run in Internet Explorer and will remove the protections that are provided by this update.
To undo the kill bits, follow these steps:
- Paste the following text in a text editor such as Notepad. Then, save the file as a .reg file (such as undoKB2900986.reg).
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{19916e01-b44e-4e31-94a4-4696df46157b}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{19916e01-b44e-4e31-94a4-4696df46157b}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{c2c4f00a-720e-4389-aeb9-e9c4b0d93c6f}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{c2c4f00a-720e-4389-aeb9-e9c4b0d93c6f}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{53001f3a-f5e1-4b90-9c9f-00e09b53c5f1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{53001f3a-f5e1-4b90-9c9f-00e09b53c5f1}] - Double-click this .reg file to apply it to individual systems. You can also apply it across domains by using Group Policy. For more information about Group Policy, see the TechNet article, Group Policy collection.
Note You must restart Internet Explorer for the changes to take effect.
How to prevent the vulnerable ActiveX control from instantiating in Internet Explorer
If you want to reinstate the kill bits that prevent the vulnerable ActiveX control from instantiating in Internet Explorer, follow these steps:- To set the kill bits for CLSIDs with the values of {19916e01-b44e-4e31-94a4-4696df46157b}, {c2c4f00a-720e-4389-aeb9-e9c4b0d93c6f}, and {53001f3a-f5e1-4b90-9c9f-00e09b53c5f1}, paste the following text in a text editor such as Notepad. Then, save the file as a .reg file (such as applyKB2900986.reg).
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{19916e01-b44e-4e31-94a4-4696df46157b}]
"Compatibility Flags"=dword:04000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{19916e01-b44e-4e31-94a4-4696df46157b}]
"Compatibility Flags"=dword:04000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{c2c4f00a-720e-4389-aeb9-e9c4b0d93c6f}]
"Compatibility Flags"=dword:04000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{c2c4f00a-720e-4389-aeb9-e9c4b0d93c6f}]
"Compatibility Flags"=dword:04000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{53001f3a-f5e1-4b90-9c9f-00e09b53c5f1}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{53001f3a-f5e1-4b90-9c9f-00e09b53c5f1}]
"Compatibility Flags"=dword:04000400 - Double-click this .reg file to apply it to individual systems. You can also apply it across domains by using Group Policy. For more information about Group Policy, see the TechNet article, Group Policy collection.
Note You must restart Internet Explorer for the changes to take effect.
Properties
Article ID: 2900986 - Last Review: Nov 12, 2013 - Revision: 1
Internet Explorer 11, Internet Explorer 10, Windows Internet Explorer 9, Windows Internet Explorer 8, Windows Internet Explorer 7, Microsoft Internet Explorer 6.0
