Managing ActiveX Control Loading

Like other software programs, Microsoft ActiveX controls may contain vulnerabilities. Loading vulnerable ActiveX controls into Windows Internet Explorer can place your computer at risk. This article shows how to prevent Internet Explorer from loading vulnerable ActiveX controls. It also shows how to redirect such requests to load alternate, more secure ActiveX controls.

  • Blocking Specific ActiveX Controls from Loading
  • Redirecting Requests to Load Blocked ActiveX Controls
  • Related topics

Blocking Specific ActiveX Controls from Loading

When Internet Explorer is asked to load an ActiveX control, it scans the ActiveX compatibility registry settings for the control's CLSID. If Internet Explorer finds the CLSID, it uses the value of the corresponding Compatibility Flags setting to determine how to load the requested control. To prevent Internet Explorer from loading a specific ActiveX control, add the COMPAT_EVIL_DONT_LOAD (0x00000400) flag to the ActiveX Compatibility settings for the control.

Suppose, for example, that you learn that the fictitious Contoso control has a severe vulnerability. If the control's CLSID is {6072039A-3606-44F9-BAF7-A23CADA3A2AA}, the following registry settings prevent Internet Explorer from loading the control.

HKEY_LOCAL_MACHINE
   Software
      Microsoft
         Internet Explorer
            ActiveX Compatibility
               {6072039A-3606-44F9-BAF7-A23CADA3A2AA}
                  Compatibility Flags = (DWORD) 0x00000400

Note  The COMPAT_EVIL_DONT_LOAD flag is sometimes called the "kill bit" because it blocks (kills) a request to load an ActiveX control.


When calculating the value of the Compatibility Flags setting, remember to combine the values of all desired flags. If, for example, a Compatibility Flags setting already exists for the control you are trying to block, add the value of the COMPAT_EVIL_DONT_LOAD (0x00000400) flag to the existing value.

To remove the COMPAT_EVIL_DONT_LOAD flag from the compatibility settings for an ActiveX control, subtract the value of the COMPAT_EVIL_DONT_LOAD flag from the total value of the Compatibility Flags setting. This will preserve other flags that the control might require to run effectively.

For more information about supported compatibility flags, see the COMPAT reference page.

Redirecting Requests to Load Blocked ActiveX Controls

Internet Explorer can redirect requests to load blocked ActiveX controls so that an alternate control is loaded instead. The AlternateCLSID setting lets you specify the CLSID of a control to load in place of the one that was blocked. This helps defend against malicious websites that attempt to exploit vulnerabilities in older versions of ActiveX controls: the site receives a different version of the control from the one it was expecting.

Suppose, for example, that the latest version of the Contoso control resolves the vulnerability that forced you to block it. If the CLSID of the new version is {B2D04A22-25BF-494F-81BF-791B7358F895}, the following registry settings redirect requests to load the older version to the CLSID of the new version.

HKEY_LOCAL_MACHINE
   Software
      Microsoft
         Internet Explorer
            ActiveX Compatibility
               {6072039A-3606-44F9-BAF7-A23CADA3A2AA}
                  Compatibility Flags = (DWORD) 0x00000400
                  AlternateCLSID = (REG_SZ) {B2D04A22-25BF-494F-81BF-791B7358F895}

Internet Explorer only redirects requests for controls that have been previously blocked.

Note  In a reference to the mythological creature, the AlternateCLSID setting is sometimes called the "phoenix bit" because it enables controls that have been "killed" (blocked) to "live again" (load).
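The following PowerShell script is an added example, not part of the original article: it applies the kill bit and AlternateCLSID redirection described in the two sections above, combining the flag with any existing Compatibility Flags value (bitwise OR) and clearing only that bit when removing it (bitwise AND NOT). The function names are the author's own; the CLSIDs are the article's fictitious Contoso values, and the session must be elevated because it writes under HKLM.

```powershell
# Added example: manage COMPAT_EVIL_DONT_LOAD ("kill bit") and AlternateCLSID
# ("phoenix bit") for an ActiveX control. Function names are hypothetical.
$COMPAT_EVIL_DONT_LOAD = 0x00000400
$BasePath = 'HKLM:\Software\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-CompatFlags([string]$Clsid) {
    # Returns the current Compatibility Flags DWORD, or 0 if none exists yet.
    $key  = Join-Path $BasePath $Clsid
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Set-KillBit {
    param([string]$Clsid, [string]$AlternateClsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the kill bit into whatever flags are already set, never overwrite them.
    $flags = (Get-CompatFlags $Clsid) -bor $COMPAT_EVIL_DONT_LOAD
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    if ($AlternateClsid) {
        # Redirection is honoured only for a blocked control, so it is set here.
        Set-ItemProperty -Path $key -Name 'AlternateCLSID' -Value $AlternateClsid -Type String
    }
}

function Remove-KillBit([string]$Clsid) {
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { return }
    # Clear only the kill bit so other flags the control needs are preserved.
    $flags = (Get-CompatFlags $Clsid) -band (-bnot $COMPAT_EVIL_DONT_LOAD)
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    Remove-ItemProperty -Path $key -Name 'AlternateCLSID' -ErrorAction SilentlyContinue
}

function Test-KillBit([string]$Clsid) {
    # True when the kill bit is present, regardless of other flags.
    return ((Get-CompatFlags $Clsid) -band $COMPAT_EVIL_DONT_LOAD) -ne 0
}

# Block the vulnerable Contoso control and redirect to the fixed version.
$OldContoso = '{6072039A-3606-44F9-BAF7-A23CADA3A2AA}'
$NewContoso = '{B2D04A22-25BF-494F-81BF-791B7358F895}'
Set-KillBit -Clsid $OldContoso -AlternateClsid $NewContoso
Test-KillBit $OldContoso
```

Test-KillBit is a useful audit check after patch deployment: run it against the CLSIDs you expect to be blocked and flag any that return False.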


For help determining an ActiveX control's CLSID, use the OLE/COM Viewer (OLEVIEW) provided with the Windows Software Development Kit.

Related topics

KB: How to stop an ActiveX control from running in Internet Explorer