Kill Bit Action Process
ActiveX controls are small programs, sometimes called add-ons, that are used on the Internet. These controls may be developed by Microsoft or by third-party software developers.
If a software vulnerability is discovered in an ActiveX control, the owner of that control—Microsoft or a third-party developer—should resolve the vulnerability and release a new version of the control. In addition, a kill bit can be issued which can prevent the older, vulnerable version of the control from executing within Internet Explorer.
This page describes the processes by which Microsoft will issue a kill bit for a vulnerability in an ActiveX control and, if the control is owned by a third-party developer, the steps that the developer must take to ensure a kill bit can be issued.
What is a kill bit?
A kill bit prevents an ActiveX control from executing. It is a registry entry for a particular Class Identifier (CLSID) that marks an ActiveX control as non-loadable in the browser and other scriptable environments, preventing the code from being executed.
If a third-party ActiveX control contains a software vulnerability, the owner of the control should address the vulnerability, update the CLSID for their control and release a new version of the control. At that point, the third-party may request that Microsoft issue a kill bit which prevents the older, vulnerable version of the control being executed.
We will not issue a kill bit for a third-party ActiveX control until the third-party has addressed the vulnerability. However, in the event of significant attacks against the vulnerability, we may make exceptions to these requirements and decide to issue a kill bit after coordinating with the vendor as outlined in our Coordinated Vulnerability Disclosure practices.
Read the following Security Research & Defense FAQs blog posts for more technical information about kill bits:
How are vulnerable ActiveX controls discovered?
Vulnerabilities in ActiveX controls may be discovered through a variety of means:
When will Microsoft issue a kill bit?
If a software vulnerability exists in a Microsoft-owned ActiveX control, Microsoft will address the issue through well-established security update processes such as our security bulletins or security advisories. If the vulnerability exists in a third-party ActiveX control and has not been addressed by its owner, the Microsoft Vulnerability Research (MSVR) team coordinates with the owner of the control to help drive remediation.
Once the software vulnerability has been addressed, the third-party should revise the CLSID for their control and release an updated version of the control. At that point, if the owner requests that a kill bit be issued for their control, MSVR and MSRC manage that process and the kill bit is issued via the Microsoft security update release process.
Sometimes a vulnerability in a third-party control is reported or disclosed by a separate third-party. In these cases, MSVR will contact the owner of the control to confirm the issue and drive remediation work. During this process the control owner may request a kill bit for their control. MSVR will work closely with the owner of the control to help minimize disruption to users of the control.
Microsoft will not issue a kill bit for a third-party ActiveX control until the third-party has addressed the vulnerability. However, in the event of significant attacks against the vulnerability, Microsoft may make exceptions to these requirements and decide to issue a kill bit after coordinating with the vendor as outlined in Microsoft's Coordinated Vulnerability Disclosure practices.
Action steps for the third-party developer control owners
The following steps should be taken once a third-party becomes aware of a vulnerability in an ActiveX control that they own:
If the third-party requests that Microsoft issue a kill bit on their behalf, Microsoft will require the following information from the control owner:
For each ActiveX control please provide the following:
To request that Microsoft issue a kill bit for a vulnerable ActiveX control, the above information should be sent to email@example.com.
Read following Security Research & Defense FAQs blog posts for more information about kill bits and how Microsoft manages the process of creation and release.
Get inside information on how we manage vulnerabilities to help protect our customers.
Microsoft Security :: Security Incidents | Investigating Security Issues | Engineering