More issues with the Video ActiveX Control flaw workaround
- TAGS:ActiveX, Internet Explorer, Microsoft, Windows
- IT TOPICS:Cybercrime & Hacking, Security, Windows & Microsoft
My previous posting posed some questions about the Microsoft Video ActiveX Control bug, the latest critical zero-day flaw affecting Windows XP and Server 2003 users.
The good news is that Microsoft has a simple workaround that they claim disables the buggy code. The bad news is that we have to take the fix on faith: there is no easy way to test that the workaround really works.
In part this is because 45 different registry entries get modified and the source code for the registry update is not supplied. In addition, Microsoft offers no safe "tester" page that you can view to verify that the buggy code is really disabled.
But, according to the July 6th posting on Microsoft's Security Research & Defense blog, the most important registry entry that gets modified is
0955AC62-BF2E-4CBA-A2B9-A63F772D46CF
located under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility
The registry modification sets a kill bit, which prevents the vulnerable ActiveX control from running. According to the security advisory, the safe setting for this registry entry is
Compatibility Flags=dword:00000400
This is easily audited, so I set out to see what the initial value of the Compatibility Flags field was, run the zap, and verify that it changed correctly. Then I was going to run the undo zap and verify that the Compatibility Flags were back to their initial setting.
Boy, was I in for a surprise.
On an XP SP3 machine that hadn't been updated in a while, there was no registry entry for
0955AC62-BF2E-4CBA-A2B9-A63F772D46CF
at all. The Security Research and Defense blog posting implies that all vulnerable machines have this registry entry. Is a machine without this registry entry safe or at risk?
I like Windows XP and have quite a few XP based computers at my disposal. So I went looking for one with this registry entry. An XP SP2 machine had no such registry entry. An XP SP3 machine, up to date on patches and with very little software installed, also had no such registry entry. The next three XP SP3 machines that I checked also did not have the registry entry.
Finally, my old laptop had the targeted registry entry. I had installed the workaround by running MicrosoftFixit50287.msi and could now verify that the kill bits were on. So, I made a restore point, and then ran the undo of the workaround (program MicrosoftFixit50288.msi).
The registry entry disappeared.
Restoring the system to the restore point I took before running MicrosoftFixit50288.msi restored the registry entry. Then, restoring the system to the restore point created by the original workaround (program MicrosoftFixit50287.msi) removed the registry entry.
So, what the blog posting failed to mention is that the important registry entry does not exist until you run the workaround program (MicrosoftFixit50287.msi).
I also ran MicrosoftFixit50287.msi under Sandboxie to see if it made any changes to the system other than modifying the registry. It does not.
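To make the before-and-after audit described above repeatable, here is an added PowerShell check (my own code, not the post's and not Microsoft's) that reports whether the kill-bit entry for the control exists and whether the 0x400 flag is set. It assumes the ActiveX Compatibility subkey is named with the CLSID in braces, as those keys are, and also looks at the Wow6432Node view that 32-bit Internet Explorer reads on 64-bit Windows.

```powershell
# Added example (not from the post or Microsoft): audit the kill bit for the
# Microsoft Video ActiveX control CLSID named in the post.
# Assumption: ActiveX Compatibility subkeys are named with the CLSID in braces.
$Clsid   = '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'
$KillBit = 0x400   # Compatibility Flags value the advisory calls safe

# 32-bit IE on 64-bit Windows reads the Wow6432Node view of the hive.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([string]$BasePath, [string]$Clsid, [int]$Flag)
    $key = Join-Path $BasePath $Clsid
    $result = New-Object PSObject -Property @{
        Key = $key; Present = $false; Flags = $null; KillBitSet = $false
    }
    if (-not (Test-Path -LiteralPath $key)) {
        # The state the post found on most XP machines: no entry at all
        # until MicrosoftFixit50287.msi has been run.
        return $result
    }
    $result.Present = $true
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $flags = $props.'Compatibility Flags'
    if ($flags -ne $null) {
        $result.Flags = $flags
        # 0x400 may be combined with other flag bits, so test the bit, not equality.
        $result.KillBitSet = (($flags -band $Flag) -eq $Flag)
    }
    return $result
}

foreach ($base in $BasePaths) {
    # The Wow6432Node view does not exist on 32-bit Windows; skip it there.
    if (-not (Test-Path -LiteralPath $base)) { continue }
    $state = Get-KillBitState -BasePath $base -Clsid $Clsid -Flag $KillBit
    if (-not $state.Present) {
        Write-Output ("{0}: no entry for the CLSID (workaround not applied)" -f $state.Key)
    } elseif ($state.KillBitSet) {
        Write-Output ("{0}: Compatibility Flags=0x{1:X8}, kill bit SET" -f $state.Key, $state.Flags)
    } else {
        Write-Output ("{0}: Compatibility Flags={1}, kill bit NOT set" -f $state.Key, $state.Flags)
    }
}
```

Run it once before applying the Fix it, once after, and again after the undo to get the record of initial, patched and restored values that the audit above set out to collect.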
NOTE: Updated from original published version.