Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution


View products that this article applies to.

Introduction

Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, visit the following Microsoft Web site:

↑ Back to the top


Workaround

To work around this problem, use any of the following methods.

Note You must run the commands described in this article as an administrator. In Windows Vista and Windows Server 2008, you must run the commands from an elevated command prompt. To open an elevated command prompt, follow these steps:
  1. Click Start, type cmd in the search box, and then press ENTER.
  2. In the results list, right-click cmd, and then click Run as administrator.

Method 1: Use a System Access Control List (SACL) to disable OLEDB32.dll for fewer applications

This workaround resembles the "Use SACL entries to disable OLEDB32.dll" workaround that is described later in this article. This workaround is more selective about which applications are blocked from accessing OLEDB32.DLL. Internet Explorer is still blocked. However, most other applications are not. This has the benefit of protecting Internet Explorer from attack. However, it still enables other applications that depend on OLEDB32.DLL to function correctly.

To provide this kind of selective protection, this workaround relies on the fact that Internet Explorer runs with Protected Mode turned on by default. This means that the iexplore.exe process runs at a low integrity level. For more information about what this means and how this works, visit the following Microsoft Web page: The integrity mechanism makes it possible to block processes from writing to securable objects such as files that have a higher integrity level. It does this by applying a special integrity level entry to the SACL for an object.

Note It is also possible to block a process from being able to read or execute securable objects at a higher integrity level.

How to use this workaround

Notes
  • This workaround applies only to Windows Vista and later versions of Windows.
  • To use this workaround, Internet Explorer must be running with Protected Mode turned on. This requires that both Protected Mode and User Account Control (UAC) are enabled. This is the default setting. To determine whether Protected Mode is enabled, examine the Internet Explorer status bar.
To use this workaround, follow these steps:
  1. Save the following text to a temporary folder:
    • For 32-bit systems
      Save the following text to a text file that is named "BlockAccess_x86.inf":
      [Unicode]
      Unicode=yes
      [Version]
      signature="$CHICAGO$"
      Revision=1
      [File Security]
      "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"
    • For 64-bit systems
      Save the following text to a text file that is named "BlockAccess_x86.inf":
       [Unicode]
      Unicode=yes
      [Version]
      signature="$CHICAGO$"
      Revision=1
      [File Security]
      "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"
      Save the following text to a text file that is named "BlockAccess_x64.inf":
       [Unicode]
      Unicode=yes
      [Version]
      signature="$CHICAGO$"
      Revision=1
      [File Security]
      "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"
  2. Open an elevated Administrator command prompt in the temporary folder.
  3. At the command prompt, type the following command, and then press ENTER:
    SecEdit/configure/db BlockAccess.sdb/cfg <inf file>
  4. After the command is finished, you should receive a message that resembles the following:
    The task has completed successfully.
    See the %windir%\Security\Logs\Scesrv.log file for detailed information.

How to validate this workaround

You can use the icacls command to determine whether the workaround was applied. To do this, use one of the following:
  • For a 32-bit operating system
    At the command prompt, type the following command, and then press ENTER:
    icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
  • For a 64-bit operating system
    At the command prompt, type the following commands, and then press ENTER:
    icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"

    icacls "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"
Every time that you run the icacls command, search through the output for the following line.
Mandatory Label\Medium Mandatory Level:(NW,NR,NX)
If the line is present and includes both the NR and NX values, the workaround has successfully been applied. However, if either the line is missing, or if one of the NR or NX values is missing, the workaround has not been successfully applied.

The effect of this workaround

This workaround affects only ADO/OLE DB applications that are running in Internet Explorer. This is not common. This workaround has minimal effect because all other processes that are running in Medium or higher integrity level would still be able to load and use OLEDB32.dll.

How to undo this workaround

To undo the workaround, follow these steps:
  1. Save the following text to a temporary folder:
    • For 32-bit systems
      Save the following text to a text file that is named "unBlockAccess_x86.inf":
      [Unicode]
      Unicode=yes
      [Version]
      signature="$CHICAGO$"
      Revision=1
      [File Security]
      "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NW;;;ME)"
    • For 64-bit systems
      Save the following text to a text file that is named "unBlockAccess_x86.inf":
      [Unicode]
      Unicode=yes
      [Version]
      signature="$CHICAGO$"
      Revision=1
      [File Security]
      "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NW;;;ME)"
      Save the following text to a text file that is named: "unBlockAccess_x64.inf":
      [Unicode]
      Unicode=yes
      [Version]
      signature="$CHICAGO$"
      Revision=1
      [File Security]
      "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NW;;;ME)"
  2. Open an elevated Administrator command prompt in the temporary folder.
  3. At the command prompt, type the following command, and then press ENTER:
    SecEdit/configure/db UnblockAccess.sdb/cfg <inf file>
  4. After the command is finished, you should receive a message that resembles the following:
    The task has completed successfully.
    See the %windir%\Security\Logs\Scesrv.log file for detailed information.
Use the icacls command to verify that the workaround was removed. Then, you can safely delete the UnblockAccess.sdb and UnblockAccess.inf files. See the "How to validate this workaround" section of "Method 1" for more information about how to use the icacls command to verify that the workaround was removed.

Method 2: Disable the "Row Position" functionality of OLEDB32.dll

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To disable the "Row Position" functionality of OLEDB32.dll, delete the following Row Position registry subkey:
HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}

The effect of disabling the "Row Position" functionality of OLEDB32.dll

All ADO applications that use the RowPosition property and related information are affected. All OLE DB applications that use the OLE DB Row Position Library are affected. MSHTML is affected.

How to undo this workaround

Use the following registry file to restore the Row Position registry subkey:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}]
@="Microsoft OLE DB Row Position Library"
[HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}\InprocServer32]
@="C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll"
"ThreadingModel"="Both"
[HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}\ProgID]
@="RowPosition.RowPosition.1"
[HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}\VersionIndependentProgID]
@="RowPosition.RowPosition"

Method 3: Unregister OLEDB32.dll

To unregister OLEDB32.dll, use one of the following.

Note You must run the commands as an administrator.
  • For supported versions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 for 32-bit Systems
    At the command prompt, type the following command, and then press ENTER:
    Regsvr32.exe/u "Program Files\Common Files\System\Ole DB\oledb32.dll"
  • For supported versions of Windows XP Professional x64 Edition, Windows Server 2003 x64 Edition, Windows Vista x64 Edition, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for Itanium-based Systems
    At the command prompt, type the following commands, and then press ENTER:
    Regsvr32.exe/u "Program Files\Common Files\System\Ole DB\oledb32.dll"

    Regsvr32.exe/u "Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"

The effect of unregistering OLEDB32.dll

Applications that rely on OLE DB data access will not function.

How to undo this workaround

To undo this workaround, use one of the following.

Note You must run the commands as an administrator.
  • For supported versions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 for 32-bit Systems
    At the command prompt, type the following command, and then press ENTER:
    Regsvr32.exe "Program Files\Common Files\System\Ole DB\oledb32.dll"
  • For supported versions of Windows XP Professional x64 Edition, Windows Server 2003 x64 Edition, Windows Vista x64 Edition, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for Itanium-based Systems
    At the command prompt, type the following commands, and then press ENTER:
    Regsvr32.exe "Program Files\Common Files\System\Ole DB\oledb32.dll"

    Regsvr32.exe "Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"

Method 4: Use SACL entries to disable OLEDB32.dll

You can use SACL entries to disable OLEDB32.dll. To do this, use one of the following.

Note You must run the commands as an administrator.
  • For supported versions of Windows 2000, Windows XP, and Windows Server 2003
    At the command prompt, type the following command, and then press ENTER:
    cacls "Program Files\Common Files\System\Ole DB\oledb32.dll"/E/P everyone:N
  • For supported versions of Windows XP Professional x64 Edition, Windows Server 2003 x64 Edition, and Windows Server 2003 for Itanium-based Systems
    At the command prompt, type the following commands, and then press ENTER:
    cacls "Program Files\Common Files\System\Ole DB\oledb32.dll"/E/P everyone:N

    cacls "Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"/E/P everyone:N
  • For supported versions of Windows Vista and Windows Server 2008 for 32-bit Systems
    At the command prompt, type the following commands, and then press ENTER:
    takeown/f "Program Files\Common Files\System\Ole DB\oledb32.dll"

    icacls "Program Files\Common Files\System\Ole DB\oledb32.dll"/save %TEMP%\oledb32.32.dll.TXT

    icacls "Program Files\Common Files\System\Ole DB\oledb32.dll"/deny everyone:(F)
  • For supported versions of Windows Vista x64 Edition, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for Itanium-based Systems
    At the command prompt, type the following commands, and then press ENTER:
    takeown/f "Program Files\Common Files\System\Ole DB\oledb32.dll"

    icacls "Program Files\Common Files\System\Ole DB\oledb32.dll"/save %TEMP%\oledb32.32.dll.TXT

    icacls "Program Files\Common Files\System\Ole DB\oledb32.dll"/deny everyone:(F)

    takeown/f "Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"

    icacls "Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"/save %TEMP%\oledb32.64.dll.TXT

    icacls "Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"/deny everyone:(F)

The effect of unregistering OLEDB32.dll

Applications that rely on OLE DB data access will not function.

How to undo this workaround

To undo this workaround, use one of the following:

Note You must run the commands as an administrator.
  • For supported versions of Windows 2000, Windows XP, and Windows Server 2003
    At the command prompt, type the following command, and then press ENTER:
    cacls "Program Files\Common Files\System\Ole DB\oledb32.dll"/E/R everyone
  • For supported versions of Windows XP Professional x64 Edition, Windows Server 2003 x64 Edition, and Windows Server 2003 for Itanium-based Systems
    At the command prompt, type the following commands, and then press ENTER:
    cacls "Program Files\Common Files\System\Ole DB\oledb32.dll"/E/R everyone

    cacls "Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"/E/R everyone
  • For supported versions of Windows Vista and Windows Server 2008 for 32-bit Systems
    At the command prompt, type the following command, and then press ENTER:
    icacls "Program Files\Common Files\System\Ole DB"/restore %TEMP%\oledb32.32.dll.TXT
  • For supported versions of Windows Vista x64 Edition, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for Itanium-based Systems
    At the command prompt, type the following commands, and then press ENTER:
    icacls "Program Files\Common Files\System\Ole DB"/restore %TEMP%\oledb32.32.dll.TXT

    icacls "Program Files (x86)\Common Files\System\Ole DB"/restore %TEMP%\oledb32.64.dll.TXT

How to determine whether you are running a 32-bit or a 64-bit edition of Windows

If you are not sure which version of Windows that you are running, or whether it is a 32-bit version or 64-bit version, open System Information (Msinfo32.exe) and review the value that is listed for System Type. To do this, follow these steps:
  1. Click Start, and then click Run or click Start Search.
  2. Type msinfo32.exe and then press ENTER.
  3. In System Information, review the value for System Type.
    • For 32-bit editions of Windows, the System Type value is x86-based PC.
    • For 64-bit editions of Windows, the System Type value is x64-based PC.
For more information about how to determine whether you are running a 32-bit or 64-bit edition of Windows, click the following article number to view the article in the Microsoft Knowledge Base:
827218 How to determine whether your computer is running a 32-bit version or a 64-bit version of the Windows operating system

↑ Back to the top


Applies to:

↑ Back to the top

Keywords: kbregistry, kbexpertiseinter, kbinfo, kbsecadvisory, kbsecurity, kbsecvulnerability, kbsurveynew, KB961051

↑ Back to the top

Article Info
Article ID : 961051
Revision : 6
Created on : 12/14/2008
Published on : 12/14/2008
Exists online : False
Views : 573