Security Settings for COM objects in Office

Applies to: Office 365 ProPlus, Microsoft Office 2013 Service Pack 1, Microsoft Office 2010 Service Pack 2

Important This article contains information that shows you how to control security settings for Office. You can make changes to these security settings to either increase or lower your security posture. Before you make these changes, we recommend that you evaluate the risks associated with any changes you make to configure this setting.  

INTRODUCTION


This article describes settings available for end users and IT administrators to control if and how COM objects load with a Microsoft Office kill-bit list.  

For more information about the Windows Internet Explorer kill-bit behavior that this feature is based on, including how to set AlternateCLSIDs that allow updated ActiveX controls to load, see How to stop an ActiveX control from running in Internet Explorer.
 
This guidance applies to Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Publisher, and Microsoft Visio.  

Office COM Kill Bit 

The Office COM kill bit was introduced in the security update MS10-036 to prevent specific COM objects from running when embedded or linked from Office documents.  

The COM kill bit functionality was updated in KB3178703 to completely block COM objects from being activated in-process by Office. This update is a superset of the original behavior: in addition to blocking COM objects embedded or linked in Office documents, it blocks any instance of a listed COM object that is loaded within the Office process through other means, such as add-ins.

These specific COM objects include ActiveX controls and OLE objects. Through the registry, you can independently control which COM objects are blocked when you use Office. 

Note We do not recommend that you remove the kill bit that is set for a COM object. If you do this, you might create security vulnerabilities. The kill bit is typically set for a reason that might be critical, and because of this, extreme care must be used when you unkill an ActiveX control.  
 
You can add an AlternateCLSID (also known as a “Phoenix bit”) when you have to relate the CLSID of a new ActiveX control (and this ActiveX control was modified to reduce the security threat), to the CLSID of the ActiveX control to which the Office COM kill bit was applied. Office supports the AlternateCLSID only when ActiveX control COM objects are used.  
 
Note The kill-bit list for Office takes precedence over the kill-bit list for Internet Explorer. For example, the Office COM kill bit and Internet Explorer ActiveX kill bit may be set for the same ActiveX control. But the AlternateCLSID is only set on the list for Internet Explorer. In this scenario, there is a conflict between the two settings. In such instances, the Office COM kill-bit settings take precedence, and the control is not loaded. 

Setting the Office COM Kill Bit

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:  

322756 How to back up and restore the registry in Windows  

The location for setting the Office COM kill bit in the registry is as follows:  

For Office 2013 and Office 2010:

  1. For 64-bit Office on 64-bit Windows (or 32-bit Office on 32-bit Windows):
     HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Common\COM Compatibility\{CLSID}

  2. For 32-bit Office on 64-bit Windows:
     HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{CLSID}

For Office 2016:

  1. For 64-bit Office on 64-bit Windows (or 32-bit Office on 32-bit Windows):
     HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\{CLSID}

  2. For 32-bit Office on 64-bit Windows:
     HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Common\COM Compatibility\{CLSID}

In this case, CLSID is the class identifier of the COM object.  

To enable the Office COM kill bit, perform the following steps:

  1. Add a registry subkey named with the CLSID of the ActiveX control or OLE object that you want to block from loading.

  2. Add a REG_DWORD to this subkey called Compatibility Flags and set its value to 0x00000400.

For example, to set the Office COM kill bit for an object that has CLSID {77061A9C-2F18-4f38-B294-F6BCC8443D24} on Office 2016:

  1. Locate the following registry key:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility

  2. Add a subkey with the value {77061A9C-2F18-4f38-B294-F6BCC8443D24}. In this case, the resulting path is as follows:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{77061A9C-2F18-4f38-B294-F6BCC8443D24}

  3. Add a REG_DWORD to this subkey called Compatibility Flags and set its value to 0x00000400.

The Office COM kill bit is now set to block this object from being activated within Office. 

How to only block COM in linking and embedding scenarios 

As mentioned earlier, the COM kill bit functionality has been updated to block all activation of specified COM objects from within Office.  

To block COM objects only when they are embedded in or linked from Office documents, perform these steps:

  1. Add the CLSID to the COM kill bit list per the instructions under "Setting the Office COM Kill Bit" (if it is not on the list already).

  2. Under the subkey for the CLSID being blocked, add a REG_DWORD called ActivationFilterOverride and set its value to 0x00000001.

For example, to configure the COM kill bit to block only in linking and embedding scenarios for an object that has CLSID {77061A9C-2F18-4f38-B294-F6BCC8443D24} on Office 2016:

  1. Locate the following registry key:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility

  2. Add a subkey with the value {77061A9C-2F18-4f38-B294-F6BCC8443D24}. In this case, the resulting path is as follows:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{77061A9C-2F18-4f38-B294-F6BCC8443D24}

  3. Add a REG_DWORD to this subkey called Compatibility Flags and set its value to 0x00000400.

  4. Add a REG_DWORD to this subkey called ActivationFilterOverride and set its value to 0x00000001.

The Office COM kill bit is now set to block this COM object only when it is linked or embedded in Office documents. 
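The two procedures above (setting the kill bit, and limiting it to linking and embedding with ActivationFilterOverride) as a PowerShell script. This is an added example, not code from the article or from Microsoft; the function and parameter names are my own, while the key paths, value names and values are the ones the article documents. The audit function at the end reads the same key back so an administrator can verify which CLSIDs are currently kill-bitted.

```powershell
# Added example (not from the KB article): set or audit the Office COM kill bit through the
# registry paths the article documents. Function and parameter names are my own; the key
# paths, value names and values are the article's. Run in an elevated PowerShell session.

$KillBitFlag = 0x00000400   # "Compatibility Flags" bit that the article specifies

function Get-OfficeComCompatPath {
    param(
        [ValidateSet('2010', '2013', '2016')][string]$OfficeVersion,
        [switch]$Office32OnWindows64   # 32-bit Office on 64-bit Windows lives under Wow6432Node
    )
    $wow = if ($Office32OnWindows64) { 'Wow6432Node\' } else { '' }
    $ver = if ($OfficeVersion -eq '2016') { '16.0\' } else { '' }   # 2010/2013 have no version part
    "HKLM:\SOFTWARE\${wow}Microsoft\Office\${ver}Common\COM Compatibility"
}

function Set-OfficeComKillBit {
    param(
        [Parameter(Mandatory)][string]$Clsid,   # braces included, e.g. '{77061A9C-...}'
        [Parameter(Mandatory)][string]$OfficeVersion,
        [switch]$Office32OnWindows64,
        [switch]$LinkEmbedOnly   # ActivationFilterOverride=1: block only linked/embedded use
    )
    $root = Get-OfficeComCompatPath $OfficeVersion -Office32OnWindows64:$Office32OnWindows64
    $key  = Join-Path $root $Clsid
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $KillBitFlag -Force | Out-Null
    if ($LinkEmbedOnly) {
        New-ItemProperty -Path $key -Name 'ActivationFilterOverride' -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-ItemProperty -Path $key   # read the subkey back so the change can be verified
}

function Get-OfficeComKillBits {
    # Audit: every CLSID under the key whose Compatibility Flags has the kill bit set
    param([string]$OfficeVersion, [switch]$Office32OnWindows64)
    $root = Get-OfficeComCompatPath $OfficeVersion -Office32OnWindows64:$Office32OnWindows64
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $flags = [int]($p.'Compatibility Flags')
        if ($flags -band $KillBitFlag) {
            [pscustomobject]@{ CLSID = $_.PSChildName; Flags = ('0x{0:X8}' -f $flags);
                               LinkEmbedOnly = ($p.ActivationFilterOverride -eq 1) }
        }
    }
}

# Kill-bit the article's sample CLSID on Office 2016 (all activation), then audit the key.
Set-OfficeComKillBit -Clsid '{77061A9C-2F18-4f38-B294-F6BCC8443D24}' -OfficeVersion '2016'
Get-OfficeComKillBits -OfficeVersion '2016'
```

Pass -LinkEmbedOnly to Set-OfficeComKillBit to get the second procedure (kill bit plus ActivationFilterOverride), and -Office32OnWindows64 when Office is 32-bit on 64-bit Windows.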

Controls that are blocked from Activation by default

Control                                     CLSID
ScriptMoniker                               06290BD3-48AA-11D2-8432-006008C3FBFC
SoapActivator                               ECABAFD0-7F19-11D2-978E-0000F8757E2A
SoapMoniker                                 ECABB0C7-7F19-11D2-978E-0000F8757E2A
PartitionMoniker                            ECABB0C5-7F19-11D2-978E-0000F8757E2A
QueueMoniker                                ECABAFC7-7F19-11D2-978E-0000F8757E2A
HTMLApplication                             3050F4D8-98B5-11CF-BB82-00AA00BDCE0B
ScripletContext                             06290BD0-48AA-11D2-8432-006008C3FBFC
ScripletConstructor                         06290BD1-48AA-11D2-8432-006008C3FBFC
ScripletFactory                             06290BD2-48AA-11D2-8432-006008C3FBFC
ScripletHostEncode                          06290BD4-48AA-11D2-8432-006008C3FBFC
ScripletTypeLib                             06290BD5-48AA-11D2-8432-006008C3FBFC
ScripletHandler_Automation                  06290BD8-48AA-11D2-8432-006008C3FBFC
ScripletHandler_Event                       06290BD9-48AA-11D2-8432-006008C3FBFC
ScripletHandler_ASP                         06290BDA-48AA-11D2-8432-006008C3FBFC
ScripletHandler_Behavior                    06290BDB-48AA-11D2-8432-006008C3FBFC
XMLFeed                                     528D46B3-3A4B-4B13-BF74-D9CBD7306E07
Scriptlet                                   AE24FDAE-03C6-11D1-8B76-0080C744F389
HtmlFile_FullWindowEmbed                    25336921-03F9-11CF-8FD0-00AA00686F13
Mhtmlfile                                   3050F3D9-98B5-11CF-BB82-00AA00BDCE0B
Microsoft HTA Document 6.0                  3050F5C8-98B5-11CF-BB82-00AA00BDCE0B
DHTMLEdit.DHTMLEdit.1                       2D360200-FFF5-11D1-8D03-00A0C959BC0A
DHTMLSafe.DHTMLSafe.1                       2D360201-FFF5-11D1-8D03-00A0C959BC0A
VB Script Language                          B54F3741-5B07-11cf-A4B0-00AA004A55E8
VB Script Language Authoring                B54F3742-5B07-11cf-A4B0-00AA004A55E8
VBScript Language Encoding                  B54F3743-5B07-11cf-A4B0-00AA004A55E8
VBScript Host Encode                        85131631-480C-11D2-B1F9-00C04F86C324
Shockwave Flash Object                      D27CDB6E-AE6D-11cf-96B8-444553540000
Macromedia Flash Factory Object             D27CDB70-AE6D-11cf-96B8-444553540000
Microsoft Silverlight                       DFEAF541-F3E1-4c24-ACAC-99C30715084A
Adobe Shockwave Player                      233C1507-6A77-46A4-9443-F871F945D258

Controls that are blocked from Embedding by default

Control                                     CLSID
Shell.Explorer.2                            8856F961-340A-11D0-A96B-00C04FD705A2
Htmlfile                                    25336920-03F9-11CF-8FD0-00AA00686F13
Microsoft HTML Document for Popup Window    3050F67D-98B5-11CF-BB82-00AA00BDCE0B

Note: This list is a snapshot of the controls that are blocked and is subject to change.