Group Policy ADM template to implement the workaround from Security advisory 973472

Hi everyone!

Axel here from the IE Team with a quick Group Policy ADM template to help implement workaround described in security advisory 973472. I am also including the .reg file and .adm templates for both x86 and x64 versions.

Please note:   This is an “as is” template, so feel free to tweak it as needed.

Important: This policy requires that you disable filtering in the group policy editor. See steps below on how to set this up.

How to load the Custom ADM Template?

  1. To start Group Policy, click Start and then click Run. In the Open box, type GPedit.msc or GPMC.msc if from a Domain policy and then click OK.
  2. Select Administrative Templates from the Computer Configuration branch.
  3. Right-click the Administrative Templates branch, and then select All Tasks.
  4. Select Add/Remove Templates.
  5. Click Add.
  6. Load the ADM templates.

Please note: Windows 2003, Windows XP will display the policy under: Administrative Templates > New Policy

Here is how you disable the Group policy filer:

  1. Right click on the Policy and select View > detail > Filtering
  2. Remove the check mark from the check box next to "Only show policy settings that can be fully managed"
  3. You should see the template now.

x86 ADM Template

;####################### Begin x86 adm setting  ###########################

CLASS MACHINE

CATEGORY "Group Policy workaround for KB973472, x86"

POLICY "MS 973472 Activex component {0002E541-0000-0000-C000-000000000046}" KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}" EXPLAIN "Group Policy to disable CLSIDs outlined in the workaround section of kb973472" VALUENAME "Compatibility Flags" VALUEON NUMERIC 1024 VALUEOFF NUMERIC 0 END POLICY

POLICY "MS 973472 Activex component {0002E559-0000-0000-C000-000000000046}" KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}" EXPLAIN "Group Policy to disable CLSIDs outlined in the workaround section of kb973472" VALUENAME "Compatibility Flags" VALUEON NUMERIC 1024 VALUEOFF NUMERIC 0 END POLICY END CATEGORY

[strings] kb973472="kb973472" kb973472="Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution "

;####################### End of x86 adm setting  ###########################

x64 ADM Template

;####################### Begin x64 adm setting  ###########################

CLASS MACHINE

CATEGORY "Group Policy workaround for KB973472, x64"

POLICY "MS 973472 Activex component {0002E541-0000-0000-C000-000000000046}" KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}" EXPLAIN "Group Policy to disable CLSIDs outlined in the workaround section of kb973472" VALUENAME "Compatibility Flags" VALUEON NUMERIC 1024 VALUEOFF NUMERIC 0 END POLICY

POLICY "MS 973472 Activex component {0002E559-0000-0000-C000-000000000046}" KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}" EXPLAIN "Group Policy to disable CLSIDs outlined in the workaround section of kb973472" VALUENAME "Compatibility Flags" VALUEON NUMERIC 1024 VALUEOFF NUMERIC 0 END POLICY END CATEGORY

[strings] kb973472="kb973472" kb973472="Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution "

;####################### End of x64 adm setting  ###########################

x64 Registry key

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}] "Compatibility Flags"=dword:00000400 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}] "Compatibility Flags"=dword:00000400

x86 Registry key

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}] "Compatibility Flags"=dword:00000400 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}] "Compatibility Flags"=dword:00000400

We also have the above samples available to download here.

 

Regards,

The IE Support Team

ADM_KB973472.zip

Comments

  • Anonymous
    July 14, 2009
    These blog posts are nice, but few know about them and they are usually a day or two late.  Can you make this part of the security update itself?  How about making it an additional download for IT people much like the FixIt items for consumers?
  • Anonymous
    July 23, 2009
    This is not clear.You only choose the template OR the reg file, not both, correct?
  • Anonymous
    January 08, 2010
    The files sample were posted for your convinience, you can choose which method best suit you. Can use either the Custom ADM or the .Reg file.