Microsoft yesterday announced a dangerous exploit for users with Windows XP or Windows Server 2003 operating systems and use Internet Explorer. You can read more about the exploit with this article from The Register. If you are using Windows Vista or Windows Server 2008, you are not susceptible to this bug.
This is an odd announcement for Microsoft to make; usually, they will only announce that such bugs exist when they are releasing a fix to the problem. This prevents more malicious people from knowing about the exploits before there is a patch available. It seems in this instance and the reason for the rush announcement is that enough malicious people are actively exploiting the problem that Microsoft needed to announce the problem to make the general public aware of it as well. In this article, you can learn a number of different steps you can take to prevent the exploit from impacting you.
A quick and easy fix is to use a different web browser:
If you are like the many that are required to use Internet Explorer for specific applications, there still remains a fix that you can implement to safe-guard yourself. First of all, knowledge is power. You can learn about the specifics of the exploit by reading the Microsoft Security Advisory (972890) on the issue.
If you’d like to have Microsoft automatically fix the problem for you, you can visit the related Knowledge Base article on the exploit and click the Enable Workaround. It downloads an MSI and requires administrator rights to run. Despite being an MSI, it seems the workaround cannot be deployed via a group policy. If you wish to undo the changes that the workaround made, you can download and run the file under the Disable Workaround section.
If you’d like to make the fix manually, you can follow the instructions in the Security Advisory under the Suggested Actions and Workarounds sub-section. This step involves writing a number of registry keys (45) with a .REG script.
You can deploy the .REG file as part of a script using this command in the Startup script:
regedit.exe /s ServerNameActiveXFixactivexfix.reg
You can also unregister the buggy dll that is responsible.
regsvr32 -u msvidctl.dll
You can deploy this fix as the registry key using a startup script above or you can make it a little more elegant by using a custom ADM template to write the registry keys. This also has the advantage that users will not have to restart or log off. It will apply at the next Group Policy refresh.
ADM files, however, aren’t much fun to make. Fortunately, a few have already been made and I liked this one that you can download from Bink.nu. If you don’t trust it, open it in a text editor and see all that it does.
Next, create a new GPO and add the custom template by right-clicking on Administrative Templates and choosing Add/Remove Templates… Add the custom template from wherever you downloaded it. In order to enable the setting, you’ll need to select Administrative Templates again and then go to View, Filtering… Uncheck the box that says ‘Only show policy settings that can be fully managed’ and hit Ok.
Under Administrative Templates, you should see a KB972890 Workaround folder. If you select that, you’ll be able to configure the new policy that allows you to Block Microsoft Video ActiveX Control in IE.
When the Microsoft patch is finally released, just change the state of this policy to Disabled.
It seems likely that Microsoft will deliver a critical update shortly and out of cycle (not on the second Tuesday of the month), but in the meantime you can protect your computer and your users by following the above steps.