ActiveX and CLSID {00000000-0000-0000-0000-000000000000}

[md usa spybot fan]

Could you please expand on "...to prevent the use of a null GUID/CLSID in ActiveX processes" a little bit?

Microsoft Knowledge Base Article - 240797

• How to Stop an ActiveX Control from Running in Internet Explorer
  http://support.microsoft.com/default.aspx?kbid=240797

Can you provide examples of specific threats that utilize all zero CLSIDs?

Although I did not find any ActiveX using that GUID, here are some threats that do that use that GUID:

• Commonname adware
  http://www.castlecops.com/tk3-CnbarI...nbabe_dll.html

• CoolWebSearch parasite variant
  http://www.castlecops.com/tk1186-msx...xslab_dll.html

• TencentAddressBar adware - bundled with the Tencent_QQ instant messaging client
  http://www.castlecops.com/tk35145-QQIEHelper02_dll.html

[drgeo7]

found this thread through google this morning and was amazed that someone else was looking at the same key we were.

what's the danger of having a null clsid on an activex control?

does anyone know if security changes for IE 7 fixes whatever that key is meant to protect us against?

[TxBarnstormer]

One side-effect of having the killbit set for the Null GUID is that Office applications may disable .Net add-ins like SharePoint workflows. It appears that all addins pass through the same safety check but since the .Net add-ins have no ActiveX Control/ClassId they get mapped against the Null GUID.