A new vulnerability in Microsoft Windows

According to Microsoft security advisory 926043, a flaw in the Windows Shell could allow remote execution of code. The advisory was first published on 28th September and was updated yesterday, 2nd October 2006, as websites that exploit this flaw have been identified. The flaw in the Windows Shell has been seen exploited through the ActiveX control called Microsoft WebViewFolderIcon (Web View).

The effect of this vulnerability is limited in scope because there is no automatic execution of code: you have to actually visit the malicious website to be affected. An attacker cannot force you to visit a particular website; they can only persuade or trick you into clicking a benign-looking link that in fact redirects you to the attacker's website. You should therefore be pretty safe provided you follow the basic tenets of safe computing and browsing:

  1. Keep your antivirus software updated
  2. Do not click on links in emails from untrusted sources
  3. Do not allow websites to install ActiveX controls on your computer without your consent
  4. Do not log in as a user with administrative credentials unless absolutely necessary

Microsoft suggests some workarounds to protect your computer before Microsoft releases a security update during its monthly patch cycle on 10 October 2006.

Workaround 1: Prevent Internet Explorer from running the Microsoft WebViewFolderIcon ActiveX control by setting the kill bit for the control in the registry. To set the kill bit, paste the following lines into your favourite text editor and save the file with the extension .reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400

To apply this registry file to individual systems simply double click it to run it. If you are an administrator with many computers to patch in one or more Windows domains, you can use Group Policy to distribute the registry settings.
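To confirm that the kill bit actually landed on a machine after distribution, the following added example (not part of the original post or of Microsoft's advisory) parses .reg-format text, such as the output of `reg export`, and checks bit 0x400 of "Compatibility Flags" for the two CLSIDs above. The function names and the sample input are constructed for illustration.

```python
import re

KILL_BIT = 0x00000400  # value the workaround writes to "Compatibility Flags"
# CLSIDs and base key taken from the .reg file above
CLSIDS = (
    "{e5df9d10-3b52-11d1-83e8-00a0c90dc849}",
    "{844F4806-E8A8-11d2-9652-00C04FC30871}",
)
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

def parse_reg(text):
    """Parse .reg text into {key_lower: {value_name_lower: int}} (dword values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a leading BOM
        if line.startswith("[") and line.endswith("]"):
            # Registry key and value names are case-insensitive, so normalise.
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$', line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit_kill_bits(text, clsids=CLSIDS):
    """Return {clsid: 'set' | 'flag-missing-bit' | 'no-value' | 'no-key'}."""
    keys = parse_reg(text)
    report = {}
    for clsid in clsids:
        values = keys.get((BASE + "\\" + clsid).lower())
        if values is None:
            report[clsid] = "no-key"
        elif "compatibility flags" not in values:
            report[clsid] = "no-value"
        elif values["compatibility flags"] & KILL_BIT:  # other bits may also be set
            report[clsid] = "set"
        else:
            report[clsid] = "flag-missing-bit"
    return report

# Constructed sample: first control has the kill bit, second does not.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000000
"""
if __name__ == "__main__":
    for clsid, status in audit_kill_bits(SAMPLE).items():
        print(clsid, status)
```

Files written by `reg export` are UTF-16, so open them with `encoding="utf-16"` before passing the text to `audit_kill_bits`.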

Workaround 2: Set the security settings for Internet Explorer to prompt you before running any ActiveX control. To set that in your Internet Explorer, follow the steps listed below:

  1. In Internet Explorer click on Tools --> Internet Options --> Security Tab
  2. Click Internet, then click on Custom level
  3. Scroll down to the ActiveX controls and plug-ins section and, under Run ActiveX controls and plug-ins, click on either Disable or Prompt, then click on OK.
  4. Follow the same steps for Intranet zone and click OK to close the window.

Again, the same settings can be deployed to multiple PCs across Windows domains using Group Policy.

What is Web view?

Web View is one of two different formats provided by Windows Explorer for viewing file and folder information. This feature allows users to preview documents in a thumbnail view before opening. In addition, information such as title and author is displayed.

Notice: If you disable the above ActiveX control, websites that make use of the ActiveX control will stop functioning correctly. In addition, you will no longer be able to preview your pictures as thumbnails in Windows Explorer.

Warning: Only expert users should modify registry settings, if at all. Incorrectly modifying the registry may create other problems or render your Windows installation useless. I don't guarantee that the incorrect settings will not harm your computer and accept no liability for your actions. The tip provided here is as is and should be used at your own discretion and caution. I have tested these out on my own computer and found them to be working correctly.
