Group Policy ADM template to implement the workaround from Security advisory 973472
Hi everyone!
Axel here from the IE Team with a quick Group Policy ADM template to help implement workaround described in security advisory 973472. I am also including the .reg file and .adm templates for both x86 and x64 versions.
Please note: This is an “as is” template, so feel free to tweak it as needed.
Important: This policy requires that you disable filtering in the group policy editor. See steps below on how to set this up.
How to load the Custom ADM Template?
- To start Group Policy, click Start and then click Run. In the Open box, type GPedit.msc or GPMC.msc if from a Domain policy and then click OK.
- Select Administrative Templates from the Computer Configuration branch.
- Right-click the Administrative Templates branch, and then select All Tasks.
- Select Add/Remove Templates.
- Click Add.
- Load the ADM templates.
Please note: Windows 2003, Windows XP will display the policy under: Administrative Templates > New Policy
Here is how you disable the Group policy filer:
- Right click on the Policy and select View > detail > Filtering
- Remove the check mark from the check box next to "Only show policy settings that can be fully managed"
- You should see the template now.
x86 ADM Template
;####################### Begin x86 adm setting ########################### CLASS MACHINE CATEGORY "Group Policy workaround for KB973472, x86" POLICY "MS 973472 Activex component {0002E541-0000-0000-C000-000000000046}" KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}" EXPLAIN "Group Policy to disable CLSIDs outlined in the workaround section of kb973472" VALUENAME "Compatibility Flags" VALUEON NUMERIC 1024 VALUEOFF NUMERIC 0 END POLICY POLICY "MS 973472 Activex component {0002E559-0000-0000-C000-000000000046}" KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}" EXPLAIN "Group Policy to disable CLSIDs outlined in the workaround section of kb973472" VALUENAME "Compatibility Flags" VALUEON NUMERIC 1024 VALUEOFF NUMERIC 0 END POLICY END CATEGORY [strings] kb973472="kb973472" kb973472="Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution " ;####################### End of x86 adm setting ########################### |
x64 ADM Template
;####################### Begin x64 adm setting ########################### CLASS MACHINE CATEGORY "Group Policy workaround for KB973472, x64" POLICY "MS 973472 Activex component {0002E541-0000-0000-C000-000000000046}" KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}" EXPLAIN "Group Policy to disable CLSIDs outlined in the workaround section of kb973472" VALUENAME "Compatibility Flags" VALUEON NUMERIC 1024 VALUEOFF NUMERIC 0 END POLICY POLICY "MS 973472 Activex component {0002E559-0000-0000-C000-000000000046}" KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}" EXPLAIN "Group Policy to disable CLSIDs outlined in the workaround section of kb973472" VALUENAME "Compatibility Flags" VALUEON NUMERIC 1024 VALUEOFF NUMERIC 0 END POLICY END CATEGORY [strings] kb973472="kb973472" kb973472="Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution " ;####################### End of x64 adm setting ########################### |
x64 Registry key
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}] "Compatibility Flags"=dword:00000400 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}] "Compatibility Flags"=dword:00000400 |
x86 Registry key
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}] "Compatibility Flags"=dword:00000400 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}] "Compatibility Flags"=dword:00000400 |
We also have the above samples available to download here.
Regards,
The IE Support Team