Skip to main content
MSRC

More information on the December 2011 ActiveX Kill Bits bulletin (MS11-090)

Security Research & Defense
/ By swiat / / 1 min read

This month we released MS11-090 to address a vulnerability in the Microsoft Time component (CVE-2011-3397), which features the deprecated time behavior that is still supported in IE6. We would like to provide further information about this issue and help explain why a “binary behavior kill bit” is the appropriate course of action.

Which products are affected?

The vulnerable component was removed from IE7 and later browsers. IE6 is the only supported browser that is affected.

What is, or was, the time behavior?

The time behavior is a feature of HTML+TIME 1.0, which was released in IE5. It provides an active timeline for enabling animated content.

Why is CVE-2011-3397 included in the ActiveX Kill Bits bulletin (MS11-090) instead of in the cumulative IE bulletin (MS11-099)?

The most appropriate remedy for this issue is to issue a kill bit to disable the deprecated binary behavior.

What is the binary behavior kill bit?

Usually, the kill bits we issue are targeted toward disabling specific ActiveX Objects. For example, the following registry key sets a kill bit for an ActiveX object on x86-based systems:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}]
"Compatibility Flags"=dword:00000400

The binary behavior kill bit is very similar. To set a kill bit for a particular binary behavior, you can use:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}]
"Compatibility Flags"=dword:0<strong><span style="color: #ff0000;">4</span></strong>000400

The highlighted bit notifies IE to never load binary behaviors from the specific CLSID. The registry key for x64-based systems is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\CLSID of the ActiveX control

x86 IE:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\CLSID of the ActiveX control

For more information about the kill bit, please refer to David Ross’s excellentKill-Bit FAQ Series. It will be updated shortly to discuss the binary behavior kill bit.

Special thanks to Kwan-Leung Chan and Eric Lawrence on the IE team.

- Chengyun Chu, MSRC Engineering

Next Post

Related Posts

How satisfied are you with the MSRC Blog?

Rating

Feedback * (required)

Your detailed feedback helps us improve your experience. Please enter between 10 and 2,000 characters.

Thank you for your feedback!

We'll review your input and work on improving the site.