Microsoft Security Advisory 3118753

Updates for ActiveX Kill Bits 3118753

Published: January 12, 2016

Version: 1.0

Executive Summary

Microsoft is releasing a new set of ActiveX kill bits with this advisory. These ActiveX kill bits are included in the Internet Explorer cumulative update released on January 12, 2016.

This update sets the kill bits for the following third-party software:

  • IBM Endpoint Manager for Remote Control (version 9.0.1 and later) and IBM Assist On-site (version 4.0.0). The following class identifier relates to a request by IBM to set a kill bit for a vulnerable ActiveX control. The class identifier (CLSID) for this ActiveX control is:

    {D4C0DB38-B682-42A8-AF62-DB9247543354}

Recommendation. Please see the Suggested Actions section of this advisory for instructions on applying the update for specific versions of Internet Explorer.

Affected Software

This advisory discusses the following software:

Operating System | Component

Internet Explorer 7
Windows Vista Service Pack 2 | Internet Explorer 7[1] (3124275)
Windows Vista x64 Edition Service Pack 2 | Internet Explorer 7[1] (3124275)
Windows Server 2008 for 32-bit Systems Service Pack 2 | Internet Explorer 7[1] (3124275)
Windows Server 2008 for x64-based Systems Service Pack 2 | Internet Explorer 7[1] (3124275)
Windows Server 2008 for Itanium-based Systems Service Pack 2 | Internet Explorer 7[1] (3124275)

Internet Explorer 8
Windows Vista Service Pack 2 | Internet Explorer 8[1] (3124275)
Windows Vista x64 Edition Service Pack 2 | Internet Explorer 8[1] (3124275)
Windows Server 2008 for 32-bit Systems Service Pack 2 | Internet Explorer 8[1] (3124275)
Windows Server 2008 for x64-based Systems Service Pack 2 | Internet Explorer 8[1] (3124275)
Windows 7 for 32-bit Systems Service Pack 1 | Internet Explorer 8[1] (3124275)
Windows 7 for x64-based Systems Service Pack 1 | Internet Explorer 8[1] (3124275)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Internet Explorer 8[1] (3124275)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Internet Explorer 8[1] (3124275)

Internet Explorer 9
Windows Vista Service Pack 2 | Internet Explorer 9 (3124275)
Windows Vista x64 Edition Service Pack 2 | Internet Explorer 9 (3124275)
Windows Server 2008 for 32-bit Systems Service Pack 2 | Internet Explorer 9 (3124275)
Windows Server 2008 for x64-based Systems Service Pack 2 | Internet Explorer 9 (3124275)
Windows 7 for 32-bit Systems Service Pack 1 | Internet Explorer 9[1] (3124275)
Windows 7 for x64-based Systems Service Pack 1 | Internet Explorer 9[1] (3124275)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Internet Explorer 9[1] (3124275)

Internet Explorer 10
Windows 7 for 32-bit Systems Service Pack 1 | Internet Explorer 10[1] (3124275)
Windows 7 for x64-based Systems Service Pack 1 | Internet Explorer 10[1] (3124275)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Internet Explorer 10[1] (3124275)
Windows 8 for 32-bit Systems | Internet Explorer 10[1] (3124275)
Windows 8 for x64-based Systems | Internet Explorer 10[1] (3124275)
Windows Server 2012 | Internet Explorer 10 (3124275)
Windows RT | Internet Explorer 10[1][2] (3124275)

Internet Explorer 11
Windows 7 for 32-bit Systems Service Pack 1 | Internet Explorer 11 (3124275)
Windows 7 for x64-based Systems Service Pack 1 | Internet Explorer 11 (3124275)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Internet Explorer 11 (3124275)
Windows 8.1 for 32-bit Systems | Internet Explorer 11 (3124275)
Windows 8.1 for x64-based Systems | Internet Explorer 11 (3124275)
Windows Server 2012 R2 | Internet Explorer 11 (3124275)
Windows RT 8.1 | Internet Explorer 11[1][2] (3124275)
Windows 10 for 32-bit Systems[3][4] (3124266) | Internet Explorer 11
Windows 10 for x64-based Systems[3][4] (3124266) | Internet Explorer 11
Windows 10 Version 1511 for 32-bit Systems[3][4] (3124263) | Internet Explorer 11
Windows 10 Version 1511 for x64-based Systems[3][4] (3124263) | Internet Explorer 11

[1] For information about changes in support for Internet Explorer beginning January 12, 2016, see Microsoft Support Lifecycle.

[2] This update is available via Windows Update.

[3] Windows 10 updates are cumulative. In addition to containing non-security updates, they also contain all of the security fixes for all of the Windows 10-affected vulnerabilities shipping with the monthly security release. The updates are available via the Microsoft Update Catalog.

[4] Customers running Windows 10 or Windows 10 Version 1511 who have Citrix XenDesktop installed will not be offered the update. Because of a Citrix issue with the XenDesktop software, users who install the update will be prevented from logging on. To stay protected, Microsoft recommends uninstalling the incompatible software and installing this update. Customers should contact Citrix for more information and help with this XenDesktop software issue.

The third-party products that this bulletin discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Note Windows Server Technical Preview 3 and Windows Server Technical Preview 4 are affected. Customers running these operating systems are encouraged to apply the update, which is available via Windows Update.

Advisory FAQ

Does this update replace the Cumulative Security Update of ActiveX Kill Bits (2900986)?
No, this update does not replace the Cumulative Security Update of ActiveX Kill Bits (2900986) that is described in Microsoft Security Bulletin MS13-090. Automatic updating may still offer the MS13-090 update to customers regardless of whether or not they installed the Internet Explorer cumulative update. Customers who install the cumulative update also need to install the MS13-090 update to be protected with all the kill bits set in MS13-090.

Why is Microsoft announcing these new ActiveX Kill Bits in a security advisory when previous kill bit updates were released with a security bulletin?
Microsoft is announcing these new ActiveX Kill Bits in an advisory because the new kill bits described in the Executive Summary are for third-party software.

What does the Internet Explorer cumulative update do to set the kill bits?
The update makes changes to the registry to disable the controls from instantiating in Internet Explorer.
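
To confirm on a given machine that the registry change described above is in place, the following PowerShell check reads the kill-bit entry for the CLSID listed in the Executive Summary. It is an added example, not part of the original advisory. The registry path, the "Compatibility Flags" value name and the 0x400 flag are assumptions taken from Microsoft's general kill-bit mechanism and are not stated on this page; the function name Get-KillBitState is hypothetical.

```powershell
# Added example: verify the kill bit for the CLSID named in this advisory.
# Assumption (not stated on this page): a kill bit is the 0x400 bit of the
# "Compatibility Flags" DWORD under the "ActiveX Compatibility" key.
$Clsid   = '{D4C0DB38-B682-42A8-AF62-DB9247543354}'   # CLSID from the advisory
$KillBit = 0x00000400

# 64-bit Windows keeps a second registry view used by 32-bit Internet Explorer.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([string]$Root, [string]$Clsid, [int]$Mask)

    $path   = Join-Path $Root $Clsid
    $result = [pscustomobject]@{ Path = $path; Flags = $null; KillBitSet = $false; Note = '' }

    if (-not (Test-Path -LiteralPath $path)) {
        $result.Note = 'CLSID key missing'
        return $result
    }
    $item  = Get-ItemProperty -LiteralPath $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $flags = $item.'Compatibility Flags'
    if ($null -eq $flags) {
        $result.Note = 'Compatibility Flags value missing'
        return $result
    }
    # Other compatibility bits may be set as well, so test the mask, not equality.
    $result.Flags      = '0x{0:X8}' -f $flags
    $result.KillBitSet = (($flags -band $Mask) -eq $Mask)
    return $result
}

# Check every registry view that exists on this machine (32-bit Windows has one).
$report = foreach ($root in $Roots) {
    if (Test-Path -LiteralPath $root) {
        Get-KillBitState -Root $root -Clsid $Clsid -Mask $KillBit
    }
}
$report | Format-Table -AutoSize

# A non-zero exit code lets a compliance script flag hosts that lack the kill bit.
if (-not $report -or ($report | Where-Object { -not $_.KillBitSet })) { exit 1 }
```

A missing key or a cleared flag in either view means the control can still be instantiated by the corresponding (64-bit or 32-bit) Internet Explorer process, which usually indicates that the cumulative update is not installed.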

Should I install this update if I do not have IBM Endpoint Manager for Remote Control (version 9.0.1 and later) or IBM Assist On-site (version 4.0.0) installed?
Yes. Installing this update will block the vulnerable controls from running in Internet Explorer and will protect your system from the vulnerabilities described in MS16-001.

Does this update contain kill bits that were previously released in an Internet Explorer security update?
Yes. Internet Explorer security updates are cumulative. This update includes kill bits that were previously released in an Internet Explorer security update.

Why does this advisory not have a security rating associated with it?
This update contains new kill bits for third-party controls. Microsoft does not provide a security rating for vulnerable third-party controls.

Suggested Actions

  • Install the applicable Internet Explorer cumulative update

    Microsoft encourages customers to install the applicable Internet Explorer cumulative update:

    • For systems running Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1, install update 3124275.
    • For systems running Windows 10, install update 3124266.
    • For systems running Windows 10 Version 1511, install update 3124263.

Additional Suggested Actions

  • Protect your PC
    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.

  • Keep Microsoft Software Updated
    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (January 12, 2016): Advisory published.

Page generated 2016-01-12 15:49-08:00.