Correction - Yahoo! Data Grid CLSID

Published: 2008-02-05
Last Updated: 2008-02-06 18:22:33 UTC
by Tom Liston (Version: 1)

Pretty much every news outlet appears to be reporting the incorrect CLSID for the Yahoo! Data Grid ActiveX component.  Alert reader Iain pointed this out to us.  It appears that the original mistake happened somewhere back in the chain of things and has simply been perpetuated...

The actual CLSID of the Yahoo! Data Grid: 5F810AFC-BB5F-4416-BE63-E01DD117BD6C
(ref: http://mep.music.yahoo.com/plugins/docs/webquickstart_page.html)

Almost all of the stories that we've seen have listed the CLSID having an extra "2" on the end.

And yes, I was bitten by the issue...  The programs that I wrote to set killbits used the incorrect CLSID.

So... I've gone back and altered the killbit setting apps.  The updated files are available at the links listed below:

The GUI version can be found here (KillBitGui-Feb08.exe - 4096 bytes - MD5: 9428b9c3778b68e768448ca52c7d8dfd)
The CLI version can be found here (KillBitCLI-Feb08.exe - 4608 bytes - MD5: 30c151ab6de460f5844e9b5826495911)

I'll also update older diary posts to reflect the correct CLSID because they have been linked from other sites.

(A big "thank you" to Iain for pointing this out...)

Tom Liston - Senior Security Consultant - Intelguardians


GUI Killbit App Available (UPDATE: CLI version too!)

Published: 2008-02-05
Last Updated: 2008-02-05 19:48:41 UTC
by Tom Liston (Version: 3)

I've put together a GUI killbit app that should easily allow you to set and clear the killbits for the ActiveX issues announced today.  It works like this:

  1. It first checks to see if any of the CLSIDs exist on your system
  2. If they do, it saves a copy of any values that you currently have set for "Compatibility Flags."
  3. It then updates its display to show you if the CLSID exists and if the killbit flag is set.
  4. To set the killbit, just check the box beside any ActiveX control that you want to keep from running and then click on the "Set" button.
  5. Our suggestion: set the killbit on all of the ActiveX controls unless you have a really good reason for not setting it.  Set the killbit even if you don't currently have the CLSID on your machine (indicating that the ActiveX control isn't currently installed... you never know when they MIGHT get installed...)
  6. Keep a copy of this program around (or at least remember where you got it) in case you want to undo the settings.
  7. Unchecking a checked box and clicking on "Set" will either remove the CLSID completely (if it wasn't there to begin with) or will reset "Compatibility Flags" to its original value.
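The steps above describe what the killbit apps do under the hood: the killbit is bit 0x400 of the DWORD value "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, and a clean "undo" needs the original value (or the fact that the key did not exist) saved first. The PowerShell below is an added illustration of that procedure, not the KillBitGui/KillBitCLI code from this diary. It covers only the CLSID this page actually gives (the corrected Yahoo! Data Grid one, written with braces as it appears as a registry key name); the backup file location, the function names and the WOW6432Node handling for 64-bit Windows are my assumptions, and it must be run from an elevated session.

```powershell
# Added example (not the diary's killbit app): set, inspect and clear the IE kill bit
# for the Yahoo! Data Grid control, saving the pre-existing "Compatibility Flags"
# value so the change can be undone exactly. Run from an elevated PowerShell.

$Clsid      = '{5F810AFC-BB5F-4416-BE63-E01DD117BD6C}'  # corrected CLSID from the diary
$KillBit    = 0x400                                      # COMPAT_EVIL_DONT_LOAD
$BackupFile = "$env:ProgramData\killbit-backup.json"     # assumed backup location

$CompatPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)
# Assumption: on 64-bit Windows also cover the key that 32-bit IE reads.
if ([Environment]::Is64BitOperatingSystem) {
    $CompatPaths += "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Test-ControlInstalled {
    # Step 1: is the control registered on this machine at all?
    Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
}

function Get-KillBitState {
    # Step 3: report, per key, whether it exists and whether the kill bit is set.
    foreach ($p in $CompatPaths) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Path    = $p
            Exists  = Test-Path $p
            Flags   = $flags
            KillBit = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    # Step 2: record the original state before touching anything.
    $backup = @{}
    foreach ($p in $CompatPaths) {
        if (Test-Path $p) {
            $backup[$p] = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        } else {
            $backup[$p] = $null   # key absent: "undo" means delete the key again
        }
    }
    # Keep the first backup; a second Set must not overwrite the true original.
    if (-not (Test-Path $BackupFile)) {
        $backup | ConvertTo-Json | Set-Content -Path $BackupFile
    }
    # Step 4: OR the kill bit in so any other compatibility flags survive.
    foreach ($p in $CompatPaths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $old = $backup[$p]
        if ($null -eq $old) { $old = 0 }
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value ($old -bor $KillBit) -Type DWord
    }
}

function Clear-KillBit {
    # Step 7: restore the saved value, or remove the key if we created it.
    if (-not (Test-Path $BackupFile)) {
        throw "No backup at $BackupFile; refusing to guess the original flags."
    }
    $backup = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    foreach ($p in $CompatPaths) {
        $old = $backup.$p
        if ($null -eq $old) {
            Remove-Item -Path $p -Recurse -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $old -Type DWord
        }
    }
    Remove-Item -Path $BackupFile
}

# Usage (elevated):
#   Test-ControlInstalled ; Set-KillBit ; Get-KillBitState
#   Clear-KillBit   # later, to undo
```

The point of the backup file is the same as step 2 of the diary's app: a kill bit is easy to set but, without the original "Compatibility Flags" value, impossible to unset faithfully, and blindly deleting the key would also drop any other flags Microsoft or the vendor had placed there. Check Get-KillBitState after both Set-KillBit and Clear-KillBit rather than trusting that the writes succeeded.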

The GUI version can be downloaded here.
(KillBitGui-Feb08.exe - 4096 bytes - MD5: 9428b9c3778b68e768448ca52c7d8dfd)

I'll try to put together a command-line version of this program this evening and make it available here tomorrow (U.S. time...).

UPDATE: Ok... so I got it done early... the command-line version is here.
(KillBitCLI-Feb08.exe - 4608 bytes - MD5: 30c151ab6de460f5844e9b5826495911)
Run it with no command-line parameters for usage instructions.

UPDATE2: There was an error in all of the early reporting for the CLSID of the Yahoo! Data Grid.  I've updated these applications accordingly.  The new executables have been posted and the MD5s listed above have been updated. -TL

Tom Liston - Senior Security Consultant - Intelguardians
