Blocking ActiveX Controls from Loading in Microsoft Office

We were recently made aware of the exploit in the wild for Adobe Flash Player. The exploit itself is in the Flash player, but it was brought to our attention that Excel has been used to help deliver .swf file. Our Security Research & Defense team released a blog on mitigations along with how Enhanced Mitigation Experience Toolkit (EMET) can be used to help with this issue.

We wanted to provide you with a little bit more information on how one can prevent ActiveX controls from being run within Microsoft Office applications.

In Office 2010 you can use Security Settings for ActiveX controls for Office 2010 to determine which options best fits your scenario. This includes turning off all ActiveX controls from being run in Office to setting specific controls that won’t run in Office only, but allow them to load into Internet Explorer. This is very similar to the Internet Explorer Killbit, but for Office Applications only.

For Office 2007, it is very similar to 2010 Configure Security settings for ActiveX controls points out how you can disable ActiveX controls across all of Office. In MS10-036 we did the work to have the ability to prevent controls from loading within Office only.

MS10-036 also provided us the opportunity to update 2003 as well. After installing MS10-036 you will have the ability to create the Office Killbit list again using the steps listed in KB2252664.

Thank You,

Modesto Estrada