What is ActiveX Killbits?

What is ActiveX Killbits?
Page content

What is ActiveX?

ActiveX is a software component by Microsoft. Many software developers use ActiveX to enable their software to work with Windows or other components in Windows such as Internet Explorer, Windows Media Player, Microsoft Office, etc. If you have scanned your computer using an online virus scan, you’ve probably installed an ActiveX plug-in for Internet Explorer. Some content providers also use ActiveX, e.g. websites providing online games, online photo sharing, and photo albums. Below is an example of an ActiveX control installation prompt for Internet Explorer by the ESET Online Malware Scanner:

When you allow the installation of the ActiveX control or plug-in, a registry key with the below CLSID is also added in Windows Registry:

Unique identifier, CLSID of ESET’s ActiveX Control

What are ActiveX Killbits?

If any of these ActiveX controls becomes insecure due to vulnerability, a kill bit can be placed. The kill bit marks the ActiveX plug-in as unsafe to run or disables the ActiveX control. By adding a kill bit for a specific ActiveX control, the computer will not be able to display, run, execute, or load what the ActiveX plug-in has to do.

Microsoft is working with application vendors to help protect Windows customers in preventing insecure ActiveX controls by setting the “kill bit” and releasing a security update to apply the kill bit for specific ActiveX controls that are deemed unsafe. Microsoft also typically releases a security advisory about each collection of kill bit updates delivered through Windows Update. A recent example was entitled “Update Rollup for ActiveX Kill Bits.” Included in the update was:

  • Microsoft Security Advisory 969898 - affects ActiveX by Microgaming, eBay Advanced Image Upload Component and HP Virtual Room v7.0

  • Advisory 960715 on ActiveX for Akamai Download Manager and Research in Motion (RIM) AxLoader

  • Advisory 956391 affects ActiveX by PhotoStockPlus Uploader Tool and others

  • Advisory 953839 on ActiveX for HP Instant Support and Aurigma Image Uploader.

How to Add Kill Bits for ActiveX Controls

You can manually add a killbit for ActiveX control or use a third-party editor.

Manually Adding a Kill Bit

If you have installed the application that is using ActiveX, you will need to know the unique identifier for it, which is known as the CLSID. You can determine the specific CLSID when you view the properties of an installed ActiveX in your computer e.g. in a browser:

CLSID of ESET Online Scanner

Locate the CLSID for the specific ActiveX control in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID here}

and then create a DWORD value with 0x00000400.

Warning: Before modifying the Windows Registry, create a backup of the registry. See Backing Up the Windows Vista Registry . (The article applies to Windows XP and Window 7 as well.)

To disable the kill bit, undo the changes you made for the specific CLSID or restore using the registry backup program.

Blocking a Kill Bit with a Third-Party Application

To use a third-party editor to add ActiveX kill bits, download SpywareBlaster. The program blocks unsafe ActiveX controls installed by spyware or adware programs, but you can also use its Custom Blocking feature to block or prevent specific ActiveX controls.

To disable a kill bit for ActiveX plug-in, simply use SpywareBlaster again and uncheck or delete it from the list of blocked ActiveX controls.