MS13-090: Cumulative security update for ActiveX Kill Bits: November 12, 2013

INTRODUCTION

Microsoft has released security bulletin MS13-090. To view the complete security bulletin, go to one of the following Microsoft websites:

How to obtain help and support for this security update

Help installing updates:
Support for Microsoft Update

Security solutions for IT professionals:
TechNet Security Troubleshooting and Support

Help protect your computer that is running Windows from viruses and malware:
Virus Solution and Security Center

Local support according to your country:
International Support

More Information

Download packages

The following files are available for download from the Microsoft Download Center:

Windows Server 2012 R2

Download the Windows8.1-KB2900986-x64.msu package now.

Windows 8.1, 32-bit versions

Download the Windows8.1-KB2900986-x86.msu package now.

Windows 8.1, 64-bit versions

Download the Windows8.1-KB2900986-x64.msu package now.

Windows Server 2012

Download the Windows8.1-KB2900986-x64.msu package now.

Windows 8, 32-bit versions

Download the Windows8-RT-KB2900986-x86.msu package now.

Windows 8, 64-bit versions

Download the Windows8-RT-KB2900986-x64.msu package now.

Windows 7, 32-bit versions

Download the Windows6.1-KB2900986-x86.msu package now.

Windows 7, 64-bit versions

Download the Windows6.1-KB2900986-x64.msu package now.

Windows Server 2008 R2, x64-based versions

Download the Windows6.1-KB2900986-x64.msu package now.

Windows Server 2008 R2, Itanium-based systems

Download the Windows6.1-KB2900986-ia64.msu package now.

Windows Vista, 32-bit versions

Download the Windows6.0-KB2900986-x86.msu package now.

Windows Vista, x64 versions

Download the Windows6.0-KB2900986-x64.msu package now.

Windows Server 2008, 32-bit versions

Download the Windows6.0-KB2900986-x86.msu package now.

Windows Server 2008, x64-based versions

Download the Windows6.0-KB2900986-x64.msu package now.

Windows Server 2008, Itanium-based systems

Download the Windows6.0-KB2900986-ia64.msu package now.

Windows XP, x86-based versions

Download the WindowsXP-KB2900986-x86-ENU.exe package now.

Windows XP Professional x64 Edition

Download the WindowsServer2003.WindowsXP-KB2900986-x64-ENU.exe package now.

Windows Server 2003, x64-based versions

Download the WindowsServer2003.WindowsXP-KB2900986-x64-ENU.exe package now.

Windows Server 2003, x86-based versions

Download the WindowsServer2003-KB2900986-x86-ENU.exe package now.

Windows Server 2003 for Itanium-based systems

Download the WindowsServer2003-KB2900986-ia64-ENU.exe package now.
Release Date: November 12, 2013

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Security Update Deployment

Windows XP (all editions)

Reference Table

The following table contains the update information for this software.
Update file names:
For Windows XP Service Pack 3:
WindowsXP-KB2900986-x86-enu.exe
For Windows XP Professional x64 Edition Service Pack 2:
WindowsServer2003.WindowsXP-KB2900986-x64-enu.exe
Installation switches: See Microsoft Knowledge Base Article 262841
Update log file: KB2900986.log
Restart requirement: In some cases, this update does not require a restart. If the necessary files are being used, this update will require a restart. If this behavior occurs, you will receive a message that advises you to restart.
Removal information: Use the Add or Remove Programs item in Control Panel or the Spuninst.exe utility that is located in the %Windir%\$NTUninstallKB2900986$\Spuninst folder.
File information: Not applicable
Registry key verification:
For all supported 32-bit editions of Windows XP:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB2900986\Filelist
For all supported x64-based editions of Windows XP:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP Version 2003\SP3\KB2900986\Filelist
Note The update for supported versions of Windows XP Professional x64 Edition also applies to supported versions of Windows Server 2003 x64 Edition.

Windows Server 2003 (all editions)

Reference Table

The following table contains the update information for this software.
Update file names:
For all supported 32-bit editions of Windows Server 2003:
WindowsServer2003-KB2900986-x86-enu.exe
For all supported x64-based editions of Windows Server 2003:
WindowsServer2003.WindowsXP-KB2900986-x64-enu.exe
For all supported Itanium-based editions of Windows Server 2003:
WindowsServer2003-KB2900986-ia64-enu.exe
Installation switches: See Microsoft Knowledge Base Article 262841
Update log file: KB2900986.log
Restart requirement: In some cases, this update does not require a restart. If the necessary files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart.
Removal information: Use the Add or Remove Programs item in Control Panel or the Spuninst.exe utility located in the %Windir%\$NTUninstallKB2900986$\Spuninst folder.
File information: Not applicable
Registry key verification: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2900986\Filelist
Note The update for supported versions of Windows Server 2003 x64 Edition also applies to supported versions of Windows XP Professional x64 Edition.

Windows Vista (all editions)

Reference Table

The following table contains the update information for this software.
Update file names:
For all supported 32-bit editions of Windows Vista:
Windows6.0-KB2900986-x86.msu
For all supported x64-based editions of Windows Vista:
Windows6.0-KB2900986-x64.msu
Installation switches: See Microsoft Knowledge Base Article 934307
Restart requirement: In some cases, this update does not require a restart. If the necessary files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart.
Removal information: WUSA.exe does not support uninstall of updates. To uninstall an update that is installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates, and select from the list of updates.
File information: Not applicable
Registry key verification: Note A registry key does not exist to validate the presence of this update.

Windows Server 2008 (all editions)

Reference Table

The following table contains the update information for this software.
Update file names:
For all supported 32-bit editions of Windows Server 2008:
Windows6.0-KB2900986-x86.msu
For all supported x64-based editions of Windows Server 2008:
Windows6.0-KB2900986-x64.msu
For all supported Itanium-based editions of Windows Server 2008:
Windows6.0-KB2900986-ia64.msu
Installation switches: See Microsoft Knowledge Base Article 934307
Restart requirement: In some cases, this update does not require a restart. If the necessary files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart.
Removal information: WUSA.exe does not support uninstall of updates. To uninstall an update that is installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates, and select from the list of updates.
File information: Not applicable
Registry key verification: Note A registry key does not exist to validate the presence of this update.

Windows 7 (all editions)

Reference Table

The following table contains the update information for this software.
Update file names:
For all supported 32-bit editions of Windows 7:
Windows6.1-KB2900986-x86.msu
For all supported x64-based editions of Windows 7:
Windows6.1-KB2900986-x64.msu
Installation switches: See Microsoft Knowledge Base Article 934307
Restart requirement: This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if necessary files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart.
Removal information: To uninstall an update that is installed by WUSA, use the /Uninstall setup switch, or click Control Panel, click System and Security, and then under Windows Update, click View installed updates, and select from the list of updates.
File information: Not applicable
Registry key verification: Note A registry key does not exist to validate the presence of this update.

Windows Server 2008 R2 (all editions)

Reference Table

The following table contains the update information for this software.
Update file names:
For all supported x64-based editions of Windows Server 2008 R2:
Windows6.1-KB2900986-x64.msu
For all supported Itanium-based editions of Windows Server 2008 R2:
Windows6.1-KB2900986-ia64.msu
Installation switches: See Microsoft Knowledge Base Article 934307
Restart requirement: This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if necessary files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart.
Removal information: To uninstall an update that is installed by WUSA, use the /Uninstall setup switch, or click Control Panel, click System and Security, and then under Windows Update, click View installed updates, and select from the list of updates.
File information: Not applicable
Registry key verification: Note A registry key does not exist to validate the presence of this update.

Windows 8 and Windows 8.1 (all editions)

Reference Table

The following table contains the update information for this software.
Security update file name:
For all supported 32-bit editions of Windows 8:
Windows8-RT-KB2900986-x86.msu
For all supported x64-based editions of Windows 8:
Windows8-RT-KB2900986-x64.msu
For all supported 32-bit editions of Windows 8.1:
Windows8.1-KB2900986-x86.msu
For all supported x64-based editions of Windows 8.1:
Windows8.1-KB2900986-x64.msu
Installation switches: See Microsoft Knowledge Base Article 934307
Restart requirement: This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if necessary files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart.
Removal information: To uninstall an update that is installed by WUSA, use the /Uninstall setup switch, or click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates, and select from the list of updates.
File information: Not applicable
Registry key verification: Note A registry key does not exist to validate the presence of this update.

Windows Server 2012 and Windows Server 2012 R2 (all editions)

Reference Table

The following table contains the update information for this software.
Update file names:
For all supported editions of Windows Server 2012:
Windows8-RT-KB2900986-x64.msu
For all supported editions of Windows Server 2012 R2:
Windows8.1-KB2900986-x64.msu
Installation switches: See Microsoft Knowledge Base Article 934307
Restart requirement: This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if necessary files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart.
Removal information: To uninstall an update that is installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates, and select from the list of updates.
File information: Not applicable
Registry key verification: Note A registry key does not exist to validate the presence of this update.

Windows RT and Windows RT 8.1 (all editions)

Reference Table

The following table contains the update information for this software.
Deployment: This update is available through Windows Update.
Restart Requirement: This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if necessary files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart.
Removal Information: Click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates, and select from the list of updates.
File information: Not applicable

Detection and Deployment Tools and Guidance

Several resources are available to help administrators deploy security updates.
  • Microsoft Baseline Security Analyzer (MBSA) lets administrators scan local and remote systems for missing security updates and common security misconfigurations.
  • Windows Server Update Services (WSUS), Systems Management Server (SMS), and System Center Configuration Manager help administrators distribute security updates.
  • The Update Compatibility Evaluator components that are included with the Application Compatibility Toolkit help in streamlining the testing and validation of Windows updates against installed applications.
For information about these and other tools that are available, see Security Tools for IT Pros.

Manual configuration information

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

How to allow the vulnerable ActiveX control to run in Internet Explorer

After you install this security update, kill bits are set that prevent the vulnerable InformationCardSigninHelper Class ActiveX control from instantiating in Internet Explorer. You can undo the kill bits to allow the vulnerable ActiveX control to run in Internet Explorer.

Warning Reverting the kill bits will allow the vulnerable ActiveX control to run in Internet Explorer and will remove the protections that are provided by this update.

To undo the kill bits, follow these steps:
  1. Paste the following text in a text editor such as Notepad. Then, save the file as a .reg file (such as undoKB2900986.reg).

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{19916e01-b44e-4e31-94a4-4696df46157b}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{19916e01-b44e-4e31-94a4-4696df46157b}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{c2c4f00a-720e-4389-aeb9-e9c4b0d93c6f}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{c2c4f00a-720e-4389-aeb9-e9c4b0d93c6f}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{53001f3a-f5e1-4b90-9c9f-00e09b53c5f1}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{53001f3a-f5e1-4b90-9c9f-00e09b53c5f1}]

  2. Double-click this .reg file to apply it to individual systems. You can also apply it across domains by using Group Policy. For more information about Group Policy, see the TechNet article, Group Policy collection.


    Note You must restart Internet Explorer for the changes to take effect.

How to prevent the vulnerable ActiveX control from instantiating in Internet Explorer

If you want to reinstate the kill bits that prevent the vulnerable ActiveX control from instantiating in Internet Explorer, follow these steps:
  1. To set the kill bits for CLSIDs with the values of {19916e01-b44e-4e31-94a4-4696df46157b}, {c2c4f00a-720e-4389-aeb9-e9c4b0d93c6f}, and {53001f3a-f5e1-4b90-9c9f-00e09b53c5f1}, paste the following text in a text editor such as Notepad. Then, save the file as a .reg file (such as applyKB2900986.reg).

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{19916e01-b44e-4e31-94a4-4696df46157b}]
    "Compatibility Flags"=dword:04000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{19916e01-b44e-4e31-94a4-4696df46157b}]
    "Compatibility Flags"=dword:04000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{c2c4f00a-720e-4389-aeb9-e9c4b0d93c6f}]
    "Compatibility Flags"=dword:04000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{c2c4f00a-720e-4389-aeb9-e9c4b0d93c6f}]
    "Compatibility Flags"=dword:04000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{53001f3a-f5e1-4b90-9c9f-00e09b53c5f1}]
    "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{53001f3a-f5e1-4b90-9c9f-00e09b53c5f1}]
    "Compatibility Flags"=dword:04000400

  2. Double-click this .reg file to apply it to individual systems. You can also apply it across domains by using Group Policy. For more information about Group Policy, see the TechNet article, Group Policy collection.


    Note You must restart Internet Explorer for the changes to take effect.
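
To confirm the outcome of either procedure above, the following added example (not Microsoft's code) audits exported .reg text, such as the output of `reg export` on the ActiveX Compatibility key, for the three CLSIDs in both registry views. It tests bit 0x00000400, the kill bit within Compatibility Flags, instead of comparing whole values, so both 04000400 and 00000400 count as protected; the function names and the SAMPLE data are constructed for illustration.

```python
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that blocks loading in IE
CLSIDS = (  # the three CLSIDs from the article's .reg files
    "{19916e01-b44e-4e31-94a4-4696df46157b}",
    "{c2c4f00a-720e-4389-aeb9-e9c4b0d93c6f}",
    "{53001f3a-f5e1-4b90-9c9f-00e09b53c5f1}",
)
ROOT = r"hkey_local_machine\software"
TAIL = r"\microsoft\internet explorer\activex compatibility" + "\\"
VIEWS = {"native": ROOT + TAIL, "wow6432": ROOT + r"\wow6432node" + TAIL}
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{1,8})$', re.I)


def parse_reg(text):
    """Replay .reg text; return {lowercased key path: flags value or None}."""
    flags, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        key = KEY_RE.match(line)
        value = FLAGS_RE.match(line)
        if key and key.group(1):        # "[-KEY]" deletes the key (undo file)
            flags.pop(key.group(2).lower(), None)
            current = None
        elif key:
            current = key.group(2).lower()
            flags.setdefault(current, None)
        elif value and current is not None:
            flags[current] = int(value.group(1), 16)
    return flags


def audit(text):
    """Return {(clsid, view): True if the kill bit is set in that view}."""
    flags = parse_reg(text)
    return {
        (clsid, view): bool((flags.get(base + clsid) or 0) & KILL_BIT)
        for clsid in CLSIDS
        for view, base in VIEWS.items()
    }


# Constructed sample (not from a real host): one CLSID fully protected with the
# two flag values the article uses, one missing its Wow6432Node entry.
SAMPLE = "Windows Registry Editor Version 5.00\n" + "\n".join([
    "[" + VIEWS["native"] + CLSIDS[0] + "]", '"Compatibility Flags"=dword:04000400',
    "[" + VIEWS["wow6432"] + CLSIDS[0] + "]", '"Compatibility Flags"=dword:00000400',
    "[" + VIEWS["native"] + CLSIDS[1] + "]", '"Compatibility Flags"=dword:04000400',
])

if __name__ == "__main__":
    for (clsid, view), ok in audit(SAMPLE).items():
        print(f"{clsid} {view:8} {'kill bit set' if ok else 'NOT PROTECTED'}")
```

`reg export` writes UTF-16 files, so decode the export with that encoding before passing the text to `audit`.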

Properties

Article ID: 2900986 - Last Review: Nov 12, 2013 - Revision: 1