Microsoft is releasing a new set of ActiveX kill bits with this advisory. These ActiveX kill bits are included in the Internet Explorer cumulative update released on January 12, 2016.
This update sets the kill bits for the following third-party software:
IBM Endpoint Manager for Remote Control (version 9.0.1 and later) and IBM Assist On-site (version 4.0.0). The following class identifier relates to a request by IBM to set a kill bit for an ActiveX control that is vulnerable. The class identifier (CLSID) for this ActiveX control is:
{D4C0DB38-B682-42A8-AF62-DB9247543354}
Recommendation. Please see the Suggested Actions section of this advisory for instructions on applying the update for specific versions of Internet Explorer.
[3] Windows 10 updates are cumulative. In addition to containing non-security updates, they also contain all of the security fixes for all of the Windows 10-affected vulnerabilities shipping with the monthly security release. The updates are available via the Microsoft Update Catalog.
[4] Customers running Windows 10 or Windows 10 Version 1511 who have Citrix XenDesktop installed will not be offered the update. Because of a Citrix issue with the XenDesktop software, users who install the update will be prevented from logging on. To stay protected, Microsoft recommends uninstalling the incompatible software and installing this update. Customers should contact Citrix for more information and help with this XenDesktop software issue.
The third-party products that this bulletin discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Note Windows Server Technical Preview 3 and Windows Server Technical Preview 4 are affected. Customers running these operating systems are encouraged to apply the update, which is available via Windows Update.
Advisory FAQ
Does this update replace the Cumulative Security Update of ActiveX Kill Bits (2900986)?
No, this update does not replace the Cumulative Security Update of ActiveX Kill Bits (2900986) that is described in Microsoft Security Bulletin MS13-090. Automatic updating may still offer the MS13-090 update to customers regardless of whether or not they installed the Internet Explorer cumulative update. Customers who install the cumulative update also need to install the MS13-090 update to be protected with all the kill bits set in MS13-090.
Why is Microsoft announcing these new ActiveX Kill Bits in a security advisory when previous kill bit updates were released with a security bulletin?
Microsoft is announcing these new ActiveX Kill Bits in an advisory because the new kill bits described in the Executive Summary are for third-party software.
What does the Internet Explorer cumulative update do to set the kill bits?
The update makes changes to the registry to disable the controls from instantiating in Internet Explorer.
Should I install this update if I do not have IBM Endpoint Manager for Remote Control (version 9.0.1 and later) or IBM Assist On-site (version 4.0.0) installed?
Yes. Installing this update will block the vulnerable controls from running in Internet Explorer and will protect your system from the vulnerabilities described in MS16-001.
Does this update contain kill bits that were previously released in an Internet Explorer security update?
Yes. Internet Explorer security updates are cumulative. This update includes kill bits that were previously released in an Internet Explorer security update.
Why does this advisory not have a security rating associated with it?
This update contains new kill bits for third-party controls. Microsoft does not provide a security rating for vulnerable third-party controls.
Suggested Actions
Install the applicable Internet Explorer cumulative update
Microsoft encourages customers to install the applicable Internet Explorer cumulative update:
For systems running Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1, install update 3124275.
For systems running Windows 10, install update 3124266.
For systems running Windows 10 Version 1511, install update 3124263.
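An added verification script (not part of the advisory) that ties together the two points above: the cumulative update works by writing the kill bit into the registry, and one of the three listed updates must be installed. It assumes the documented kill-bit mechanism (the "Compatibility Flags" DWORD with bit 0x400 under the ActiveX Compatibility key, per Microsoft KB240797) and uses the CLSID and KB numbers from this advisory; the function and variable names are the example's own.

```powershell
# Added example (not from the advisory): confirm the kill bit for the IBM control
# named in this advisory is set, and report whether one of the listed IE cumulative
# updates is installed. Kill bits live under the ActiveX Compatibility key (KB240797):
# a DWORD "Compatibility Flags" with bit 0x400 set blocks instantiation in IE.

$Clsid       = '{D4C0DB38-B682-42A8-AF62-DB9247543354}'   # CLSID from the advisory
$KillBitFlag = 0x400

# On x64 Windows, 64-bit and 32-bit Internet Explorer read different registry views,
# so both the native key and the WOW6432Node view must carry the kill bit.
# On 32-bit Windows the WOW6432Node key simply does not exist and reports "(absent)".
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-ActiveXKillBit {
    param([string]$ClsidToCheck)
    foreach ($Base in $CompatKeys) {
        $Key   = Join-Path $Base $ClsidToCheck
        $Flags = $null
        if (Test-Path -LiteralPath $Key) {
            $Flags = (Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            Key        = $Key
            Flags      = if ($null -ne $Flags) { '0x{0:X8}' -f $Flags } else { '(absent)' }
            KillBitSet = ($null -ne $Flags) -and (($Flags -band $KillBitFlag) -ne 0)
        }
    }
}

# KB numbers from the advisory's Suggested Actions; which one applies depends on the OS.
$AdvisoryUpdates = 'KB3124275', 'KB3124266', 'KB3124263'
$Installed = Get-HotFix | Where-Object { $AdvisoryUpdates -contains $_.HotFixID }

Test-ActiveXKillBit -ClsidToCheck $Clsid | Format-Table -AutoSize
if ($Installed) {
    "Advisory update present: $($Installed.HotFixID -join ', ')"
} else {
    # Later cumulative updates supersede these KBs, so rely on the kill-bit result above.
    "None of $($AdvisoryUpdates -join ', ') reported by Get-HotFix; check the kill-bit table."
}
```

Run from an elevated PowerShell prompt; a KillBitSet value of False on a key that Internet Explorer actually uses means the control can still be instantiated and the update has not taken effect on that view.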
Additional Suggested Actions
Protect your PC
We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.
Keep Microsoft Software Updated
Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.
Other Information
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.