Description: This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability in Microsoft Video ActiveX Control could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. This ActiveX control was never intended to be instantiated in Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by setting a kill bit so that the vulnerable control does not run in Internet Explorer. Keep reading →

In Windows Vista, the ActiveX Installer Service (AxIS) lets a non-administrative user install an ActiveX control in Internet Explorer when the user visits a Web site. The ActiveX Installer Service determines whether ActiveX controls can be installed by checking whether the host URL that requests the ActiveX control installation is approved in the corresponding Group Policy setting. In this manner, administrators can configure the Group Policy setting to control the sites from which a user can install ActiveX controls.

Microsoft has released an update for AxIS. This update enables you to use wildcard characters when you try to add a host URL in the Group Policy setting. This makes it more convenient for you to configure the ActiveX Installer Service.

Microsoft is releasing a new set of ActiveX kill bits with this advisory. The class identifiers (CLSIDs) for these ActiveX controls are as listed in the Frequently Asked Questions section of this advisory.

This update sets the kill bits for the following third-party software:

• Microgaming Download Helper. Microgaming has issued an advisory and an update that addresses vulnerabilities. Please see the advisory from Microgaming for more information. This kill bit is being set at the request of the owner of the ActiveX control. Customers who require support should contact Microgaming. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Frequently Asked Questions section of this advisory.
• System Requirements Lab. Husdawg has issued an advisory and an update that addresses a vulnerability. Please see the advisory from Husdawg for more information. This kill bit is being set at the request of the owner of the ActiveX control. Customers who require support should contact Husdawg. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Frequently Asked Questions section of this advisory.
• PhotoStockPlus Uploader Tool. PhotoStockPlus has issued an advisory on a vulnerable control. Please see the advisory from PhotoStockPlus for more information. This kill bit is being set at the request of the owner of the ActiveX control. Customers who require support should contact PhotoStockPlus. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Frequently Asked Questions section of this advisory.

This update sets the kill bits for ActiveX controls addressed in previous Microsoft Security Bulletins. These kill bits are being set in this update as a defense in depth measure:

• Unsafe Functions in Office Web Components (328130), MS02-044.
• Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103), MS08-017.
• Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617), MS08-041.
• Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593), MS08-052.

Consider the following scenario. You try to deploy some ActiveX controls on a network. In order to deploy and update these ActiveX controls in a standard user environment, you use the ActiveX Installer service on the client computers. However, you may be unable to install the ActiveX controls in a standard user environment. Additionally, an event that resembles the following is logged in the Application log:

Log Name: Application
Source: AxInstallService
Date: Data
Event ID: 4100
Description: Failed to download ActiveX control

Note: This issue occurs only when you use NTLM authentication between the client computer and the proxy server. The issue does not occur if you use Kerberos authentication.

In this scenario, you must log on to the computer as an administrator and then install the ActiveX controls without using the ActiveX Installer Service.

Description: This security update resolves a publicly reported vulnerability for the Microsoft Speech API. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer and has the Speech Recognition feature in Windows enabled. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes a kill bit for software produced by BackWeb. The security update addresses the vulnerability by setting a kill bit so the vulnerable controls do not run in Internet Explorer. Keep reading →

Description: This security update resolves one privately reported vulnerability for a Microsoft product. This update also includes a kill bit for the Yahoo! Music Jukebox product. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Keep reading →

When a Microsoft Visual Basic 6.0 modal form is displayed from a Microsoft ActiveX control in Windows Internet Explorer 7, you can still interact with Internet Explorer 7. This problem occurs when Internet Explorer 7 is in theater mode.

Consider the following scenario:

• A computer is running Windows Vista, Microsoft Windows Server 2003, or Microsoft Windows XP.
• In Windows Internet Explorer 7, you open a Web page that contains the OBJECT element.
• The CLSID attribute is missing.

In this scenario, Internet Explorer does not start to download an ActiveX control that is referenced in the CODEBASE attribute.

Consider the following scenario. You download an ActiveX control. You view the file properties for the control in the Downloaded Program Files folder. You click the Dependency tab in the Properties dialog box. In this scenario, the Size (bytes) field may not display the file size in bytes. Instead, the Size (bytes) field displays the file size as Damaged. This problem occurs if Windows Internet Explorer 7 is installed on the computer.

Note: By default, the downloaded ActiveX controls are stored in the C:\WINDOWS\Downloaded Program Files folder when you install the control.

Consider the following scenario. You develop an application that calls the CoGetClassObjectFromURL function to install an ActiveX control. A user who has the typical user rights and the typical permissions runs the application on a Windows Vista-based computer. In this scenario, you expect that the user can install an ActiveX control. However, the user is prompted to enter administrative credentials when the user tries to install an ActiveX control. Therefore, a user who does not have administrative credentials cannot install an ActiveX control.