Kill bits & ActiveX Removal
For recent Internet Explorer exploits which had to do with ActiveX, you always see recommendations that people should "set the killbits." But what exactly does this mean? Setting a "kill bit" disables a specific ActiveX control, identified by its Class Identifier (CLSID). This is accomplished by editing the registry to give the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} key a name=value pair of "Compatibility Flags"=dword:00000400. This specific technique is frequently mentioned in Microsoft workarounds too, for instance MS06-057. Sometimes you will have to create a new key at that location; you also need to note when a key already exists (as in one of the MS06-057 CLSIDs) and make sure you set the value back when you are safely patched. That is why ISC has at times offered small executables so that you don't have to think about it.
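The following PowerShell script is an added example, not one of the ISC executables or Microsoft's code: it sets the kill bit for one CLSID while recording whether the key and value existed beforehand, so the change can be undone exactly once the patch is in. The CLSID is a placeholder to be replaced with the one named in the advisory, the backup file path is an assumption, and it assumes PowerShell 3 or later run from an elevated prompt.

```powershell
# Added example (not the diary's or Microsoft's code): set the kill bit for one CLSID
# and record the prior registry state so it can be restored after patching.
$clsid   = '{00000000-0000-0000-0000-000000000000}'   # PLACEHOLDER: use the CLSID from the advisory
$killBit = 0x400                                       # the "Compatibility Flags" kill bit value
$keyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$backup  = "$env:ProgramData\killbit-$($clsid -replace '[{}]','').json"  # assumed backup location

function Set-KillBit {
    # Note whether the key (and an existing flags value) was already present, as with
    # one of the MS06-057 CLSIDs, then OR the kill bit into any existing flags.
    $existed = Test-Path $keyPath
    $prior   = $null
    if ($existed) {
        $prior = (Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    } else {
        New-Item -Path $keyPath -Force | Out-Null
    }
    @{ KeyExisted = $existed; PriorFlags = $prior } | ConvertTo-Json | Set-Content -Path $backup
    $new = if ($null -ne $prior) { $prior -bor $killBit } else { $killBit }
    New-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
    Write-Host ("Kill bit set for {0} (Compatibility Flags = 0x{1:X})" -f $clsid, $new)
}

function Restore-KillBit {
    # Undo only what Set-KillBit changed, using the recorded prior state.
    $state = Get-Content -Path $backup -Raw | ConvertFrom-Json
    if (-not $state.KeyExisted) {
        Remove-Item -Path $keyPath -Recurse -Force          # key did not exist before: remove it
    } elseif ($null -eq $state.PriorFlags) {
        Remove-ItemProperty -Path $keyPath -Name 'Compatibility Flags'   # key existed, value did not
    } else {
        Set-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -Value $state.PriorFlags
    }
    Write-Host "Prior kill bit state for $clsid restored."
}

# Run Set-KillBit now; run Restore-KillBit only once the control is safely patched.
Set-KillBit
```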
Another technique you may see involves the use of the regsvr32 command. Just use the /u flag to unregister the offending ActiveX control file (.ocx) if it has been identified. The command is thus in the form regsvr32 drive:\windows\occache\filename.ocx /u (from the MS Knowledge Base article below). This is reversed by using the same command without the /u.
More information about using kill bits is available in the original Microsoft Knowledge Base article. (Of course, also keep in mind this out-of-context quote: "Microsoft does not recommend unkilling (undoing the kill action on) an ActiveX control. If you do so, you may create security vulnerabilities." ;) )
Microsoft's other information about removing ActiveX controls is here.
As a third option, this link says that for Windows XP and above you can set policies which will help prevent running malicious software; however, it's more than I can process at this point.
