Group Policy ADM template to implement the workaround from Security advisory 973472


Hi everyone!


Axel here from the IE Team with a quick Group Policy ADM template to help implement workaround described in security advisory 973472. I am also including the .reg file and .adm templates for both x86 and x64 versions.


Please note:  This is an “as is” template, so feel free to tweak it as needed.



Important: This policy requires that you disable filtering in the group policy editor. See steps below on how to set this up.


How to load the Custom ADM Template?



  1. To start Group Policy, click Start and then click Run. In the Open box, type GPedit.msc or GPMC.msc if from a Domain policy and then click OK.

  2. Select Administrative Templates from the Computer Configuration branch.

  3. Right-click the Administrative Templates branch, and then select All Tasks.

  4. Select Add/Remove Templates.

  5. Click Add.

  6. Load the ADM templates.

Please note: Windows 2003, Windows XP will display the policy under: Administrative Templates > New Policy


Here is how you disable the Group policy filer:



  1. Right click on the Policy and select View > detail > Filtering

  2. Remove the check mark from the check box next to “Only show policy settings that can be fully managed”

  3. You should see the template now.


x86 ADM Template






;####################### Begin x86 adm setting  ###########################


CLASS MACHINE


CATEGORY “Group Policy workaround for KB973472, x86”


POLICY “MS 973472 Activex component {0002E541-0000-0000-C000-000000000046}”
KEYNAME “SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}”
EXPLAIN “Group Policy to disable CLSIDs outlined in the workaround section of kb973472”
VALUENAME “Compatibility Flags”
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY


POLICY “MS 973472 Activex component {0002E559-0000-0000-C000-000000000046}”
KEYNAME “SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}”
EXPLAIN “Group Policy to disable CLSIDs outlined in the workaround section of kb973472”
VALUENAME “Compatibility Flags”
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY


[strings]
kb973472=”kb973472″
kb973472=”Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution “


;####################### End of x86 adm setting  ###########################


x64 ADM Template






;####################### Begin x64 adm setting  ###########################


CLASS MACHINE


CATEGORY “Group Policy workaround for KB973472, x64”


POLICY “MS 973472 Activex component {0002E541-0000-0000-C000-000000000046}”
KEYNAME “SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}”
EXPLAIN “Group Policy to disable CLSIDs outlined in the workaround section of kb973472”
VALUENAME “Compatibility Flags”
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY


POLICY “MS 973472 Activex component {0002E559-0000-0000-C000-000000000046}”
KEYNAME “SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}”
EXPLAIN “Group Policy to disable CLSIDs outlined in the workaround section of kb973472”
VALUENAME “Compatibility Flags”
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY


[strings]
kb973472=”kb973472″
kb973472=”Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution ”


;####################### End of x64 adm setting  ###########################


x64 Registry key






Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]
“Compatibility Flags”=dword:00000400


x86 Registry key






Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]
“Compatibility Flags”=dword:00000400


We also have the above samples available to download here.


 


Regards,


The IE Support Team

ADM_KB973472.zip

Comments (3)

  1. dsmtoday says:

    These blog posts are nice, but few know about them and they are usually a day or two late.  Can you make this part of the security update itself?  How about making it an additional download for IT people much like the FixIt items for consumers?

  2. Anonymous says:

    This is not clear.

    You only choose the template OR the reg file, not both, correct?

  3. Anonymous says:

    The files sample were posted for your convinience, you can choose which method best suit you. Can use either the Custom ADM or the .Reg file.