Security Settings for ActiveX controls and OLE objects in Office 2003 and in the 2007 Office suite

This article�contains pre-release documentation and is subject to change in future releases.�

This security update�lets users�control if and how ActiveX controls and OLE objects load with a Microsoft Office kill-bit list. For more information about the Windows Internet Explorer kill-bit behavior that this feature is based on, and this includes how to set AlternateCLSIDs that allow updated ActiveX controls to load, see�How to stop an ActiveX control from running in Internet Explorer.

The following advisory article discusses�vulnerabilities in the Active Template Library (ATL) that could allow remote code execution.
�
All the features in the advisory article can be used to help reduce these ATL vulnerabilities. Additionally, specific ATL mitigations�are discussed in this security update.

This security update applies to Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Publisher, and Microsoft Visio.

Office COM Kill Bit

You can also use the Office COM kill bit that was introduced�in the security update in MS10-036 to prevent specific COM objects�from running within Office applications. These specific COM objects include ActiveX controls and OLE objects. Now, through the registry, you can independently control which ActiveX and OLE objects are blocked from running when you use Office.

Important notes

• If the Office COM Kill Bit is set in the registry for an OLE object, the object is not loaded, and the object cannot be loaded in any circumstance.
• In Office 2007, users receive�the following error message:
  
  
  References to external linked OLE files have been blocked.�
  
• In Office 2003,�users receive�the following error message:
  �
  Attempt to create a class object failed. Access Denied.
  
  �
  

To determine which CLSID is failing to load, use the Process Monitor�from TechNet.�Look for the Internet Explorer kill-bit setting in the Process Monitor log file.�
Note We do not recommend that you remove the kill bit that is set for a COM object. If you do this, you might create security vulnerabilities. The kill bit is typically set for a reason that might be critical, and because of this, extreme care must be used when you unkill an ActiveX control.

You can add an AlternateCLSID (also known as a �Phoenix bit�) when you have to relate the CLSID of a new ActiveX control (and this ActiveX control was modified to reduce the security threat), to the CLSID of the ActiveX control to which the Office COM kill bit was applied. Office supports the AlternateCLSID only when ActiveX control COM objects are used.�

Note�The kill-bit list for Office takes precedence over�the kill-bit list for Internet Explorer. For example, the Office COM kill bit and Internet Explorer ActiveX kill bit may be set for the same ActiveX control. But the AlternateCLSID is only set on the list for Internet Explorer. In this scenario, there is a conflict between the two settings. In such instances, the Office COM kill-bit settings take precedence, and the control is not loaded.

Setting the Office COM Kill Bit

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: The location for setting the Office COM kill bit in the registry is as follows:
In this case, CLSID is the class identifier of the COM object. To enable the Office COM kill bit, you have to add the registry subkey together with the CLSID of the ActiveX control or OLE object that you want to block from loading. Also, you have to set the Compatibility Flag's REG_DWORD value to 0x00000400.��

For example, to set the Office COM kill bit for an object that has CLSID {77061A9C-2F18-4f38-B294-F6BCC8443D24}, locate the following subkey, and add REG_SZ {77061A9C-2F18-4f38-B294-F6BCC8443D24} to the subkey:�In this case, the path is as follows:�When you add a subkey that contains the value of 0x00000400 to the {CLSID} key, the Office COM kill bit is set. The 64-bit and 32-bit objects and their kill bits are located in different registry locations.�

�For more information, visit the following Microsoft webpage to see the Kill-Bit FAQ:�

How to override the Internet Explorer kill-bit list for OLE objects

The Override IE kill-bit list option lets you specifically list which OLE objects on the Internet Explorer kill-bit list are permitted to be loaded within Office. Use the Override IE kill-bit list only if you know that the OLE object is safe to load in Office. Be aware that when Office checks the Override IE kill-bit list setting, Office also checks whether the Office COM kill bit is enabled. If the Office COM kill bit is enabled, the OLE object is not loaded.��

To enable the Override IE kill-bit list option, you must correctly categorize the OLE object. In the registry, if the subkey does not already exist, add a subkey that is called Implemented Categories to the CLSID of the COM object. Then, add a subkey that contains the Category ID (CATID) for OLE objects, {F3E0281E-C257-444E-87E7-F3DC29B62BBD}, to the Implemented Categories key.

For example, Internet Explorer may be set up to kill an OLE object, but you still want to use this object in Office. In this case, you must first look up the CLSID for that OLE object in the following location in the registry: For example, the CLSID for the Microsoft Graph Chart is {00020803-0000-0000-C000-000000000046}. Then, you must determine whether the key, Implemented Categories, already exists, or you must create the key if it does not exist. In this example, the path is as follows:Finally, add a new subkey for the CATID OLE object to the Implemented Categories key. The following is the path for this example:
Note�The Category ID (CATID) for OLE objects is {F3E0281E-C257-444E-87E7-F3DC29B62BBD}, and the braces ( { } ) must be included.�

How to disable ATL mitigations

WarningThis workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

We do not recommend that you disable the ATL mitigations unless it is absolutely necessary because these ATL mitigations cover a broad scope. If you disable the ATL mitigations, you might create security vulnerabilities.

To disable the mitigations that reference the ATL vulnerabilities, set the NoOLELoadFromStreamChecks�REG_DWORD to a value of�00000001 in the following registry subkey:


Note�If this registry subkey does not exist, you must create this registry subkey as a REG_DWORD type.

Disable scriplet controls for Office applications

After this security update is installed, you can disable scriptlets for Office applications and the Internet Explorer behavior is not changed.

To disable scriptlets for Office applications, set the Compatibility Flag's REG_DWORD to the value of 00000400 in the following registry subkey: