Killbit

from Wikipedia, the free encyclopedia

The kill bit (also written kill-bit or killbit) is an entry in the Windows registry that prevents the activation of software components (COM components, especially ActiveX controls) that have vulnerabilities. The kill bit supports a software-engineering method that was introduced in Microsoft operating systems (especially MSHTML).

Demarcation

The kill bit is not a single bit. It is a 4-octet value named "Compatibility Flags" with the data type REG_DWORD in the Windows registry.

Application and mode of action

Software can support the underlying method by preventing the instantiation or execution of COM components, regardless of other requirements, if the following conditions are met:

  • There is an entry in the Windows registry with a path of the following structure:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\CLSID
On 64-bit operating systems, also:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\CLSID
where CLSID stands for the identification number of the component.
  • Under this path, the value "Compatibility Flags" is set to 0x00000400.

Software that supports the kill bit

Example

Regedit with killbit entry

The ActiveX control with CLSID {73BCFD0F-0DAA-4B21-B709-2A8D9D9C692A} has a "Compatibility Flags" entry in the Windows registry with the value 0x00000400 (see the picture on the right). Since Internet Explorer supports this method, this ActiveX control is not executed, not even if it is embedded in the HTML file being accessed (not to be confused with HTAs).

Solution for locked components

If a developer delivers a new, corrected version of an ActiveX component that is blocked by a kill bit, the new version has to be given a new CLSID. The so-called Phoenix bit is used so that websites and applications can use this new version even though they only know the old CLSID. It is another registry entry in the same place that defines an alternative CLSID for the blocked component: the CLSID of the new version. The registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\<CLSID> then contains the entries for both the kill bit ("Compatibility Flags" = 0x00000400 (1024)) and the Phoenix bit ("AlternateCLSID" = <new CLSID>).
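
Added example (not part of the original article): a PowerShell function that reads both registry locations described above for a given CLSID and reports whether the kill bit is set and whether a Phoenix-bit AlternateCLSID is defined. The function name Get-KillBitState is hypothetical, and testing the 0x400 flag with a bitwise AND, so that a value with additional flags still counts, is an assumption that goes beyond the exact value the article gives.

```powershell
# Added example: audit kill-bit / Phoenix-bit state for one or more CLSIDs.
# Run from a 64-bit PowerShell on 64-bit Windows; a 32-bit process is
# redirected to the Wow6432Node view for both paths.

$KillBit = 0x400   # "Compatibility Flags" value described in the article

$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$Clsid
    )
    foreach ($id in $Clsid) {
        # Key names use the braced form; accept input with or without braces.
        $name = '{' + $id.Trim().Trim('{', '}') + '}'
        foreach ($root in $Roots) {
            $path  = Join-Path $root $name
            $flags = $null
            $alt   = $null
            $found = Test-Path -LiteralPath $path
            if ($found) {
                # RegistryKey.GetValue returns $null when the value is absent.
                $key   = Get-Item -LiteralPath $path
                $flags = $key.GetValue('Compatibility Flags')
                $alt   = $key.GetValue('AlternateCLSID')
            }
            [pscustomobject]@{
                Clsid              = $name
                Key                = $path
                KeyPresent         = $found
                CompatibilityFlags = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { $null }
                # Assumption: bitwise test, so 0x400 plus other flags also counts.
                KillBitSet         = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
                AlternateClsid     = $alt   # Phoenix bit: replacement CLSID, if any
            }
        }
    }
}

# CLSID taken from the article's example.
Get-KillBitState -Clsid '{73BCFD0F-0DAA-4B21-B709-2A8D9D9C692A}' | Format-List
```

A row with KillBitSet true in only one of the two locations means the control is blocked for only one of the 32-bit and 64-bit views.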
