Image of Cortney & Jeremy

Using a GPO to set killbits for MS KB 972890 and 973472 domain-wide

by Jeremy L. Gaddis on July 13, 2009 · 3 comments

in Security

In case you haven’t been paying attention lately, Microsoft has recently released a couple of security advisories: 972890 and 973472.

Both of them are bad news — unpatched vulnerabilities allowing remote code execution. Microsoft has also stated in each of the security advisories:

We are aware of attacks attempting to exploit the vulnerability.

That’s bad news. At this time I’m writing this, the Internet Storm Center is already reporting more than two million infections in China alone.

While there are currently no patches, Microsoft has published workarounds for these issues. They involve setting a grand total of 47 killbits of Class Identifiers. This might be okay if you have only one PC and a couple hours to kill. For those of us who work in large organizations with hundreds or thousands of PCs, that’s just not feasible.

I have posted two administrative templates that can be used in group policy objects (GPOs) to automate this. They can be downloaded here:

For those who may not be used to using their own administrative templates to push out registry settings like this, I’ve recorded a video for you. I hope it’s helpful!

{ 3 comments… read them below or add one }

jlgaddis July 13, 2009 at 11:21 pm

Thanks to T2A1-mobile on freenode’s #dshield for pointing out that my link to the template for 973472 was actually pointing to the MS KB article. Fixed!


Tyler Thompson July 14, 2009 at 1:24 am

You might note that system administrators must download the latest KillBits update for ActiveX from Windows Update. I tried running the templates without realizing we hadn’t been updated to the newest release of KillBits and it didn’t work right :)

Thanks for the great utility!


MatthewD July 15, 2009 at 5:04 pm

Thanks for the templates and video – saved me a great deal of time!


Leave a Comment

Previous post:

Next post: