Visual Studio zero-day exploit code in the wild
Microsoft has issued an advisory warning about a Visual Studio 2005 vulnerability in the WMI Object Broker ActiveX control, part of WmiScriptUtils.dll, which could allow remote arbitrary code execution.
The WMI Object Broker ActiveX control will circumvent the ActiveX security model because it is marked as being ‘safe for scripting’, which should mean that it will not do anything that could damage the system or weaken security. That, in turn, should mean that it is safe for a web page script to call its methods. Shoulda, woulda, coulda. As US-CERT explain “the WMI Object Broker ActiveX control includes a method that can create an instance of an ActiveX control that exists on the system. The ActiveX objects created in this manner will bypass the ActiveX security model. For example, the "kill bit" and "safe for scripting" options are ignored.”
As usual, for Microsoft this means investigating reports of proof of concept code, although it admits that it is also looking at what it refers to as “the possibility of limited attacks that are attempting to use the reported vulnerability.”
Limited, I would imagine, by the fact that Visual Studio 2005 for Windows has a fairly small user base in the overall scheme of things.
Thankfully, Internet Explorer 7 disables the relevant ActiveX control by default, so as long as that default has not been changed (the control can be activated through the ActiveX Opt-in feature in the Internet Zone) the browser is not vulnerable. Indeed, users running Visual Studio 2005 on Windows Server 2003 or Windows Server 2003 SP1 in the default configuration, with the Enhanced Security Configuration on, are not affected by the vulnerability either. And there is always the requirement to visit an attacker’s website to take into consideration as well.
So limited scope, but as WebSense told me “nevertheless, this is a serious zero-day attack with live exploit code in the wild. We recommend that all Visual Studio users take the proper steps to mitigate their exposure to this attack.” Indeed, any zero-day exploit that enables arbitrary code execution has to be treated at face value: if successful, the affected system could be completely compromised.
Yet despite all this, don’t expect a speedy response from Microsoft, who have stated that “a security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs.” So that’s another item for the Patch Tuesday list, at some point in the future then.
In the meantime, US-CERT recommend disabling ActiveX controls in the Internet Zone, or any zone used by an attacker, as being the only way to prevent exploitation of the vulnerability.
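To check whether that mitigation is actually in place on a workstation, here is a read-only PowerShell audit, added as an example and not part of the original article or the US-CERT guidance. The registry locations and URL action IDs (1200, 1405, 1201) are the standard Internet Explorer zone settings rather than values from the article, and the function name is hypothetical.

```powershell
# Added example: read-only audit of ActiveX URL actions for an IE security zone.
# Zone 3 is the Internet Zone. Nothing is written to the registry.
$Actions = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
# Standard URL action policy values.
$Meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled'; 65536 = 'Administrator approved' }

# Hypothetical helper name. Reports every location where a value is set;
# Group Policy values, where present, override the per-user preference.
function Get-ZoneActiveXState {
    param([int]$Zone = 3)

    $roots = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )
    foreach ($root in $roots) {
        $key = "$root\$Zone"
        foreach ($id in $Actions.Keys) {
            $props = Get-ItemProperty -Path $key -Name $id -ErrorAction SilentlyContinue
            if ($null -eq $props) { continue }   # value not set at this location
            $value = [int]$props.$id
            [pscustomobject]@{
                Location = $key
                Action   = "$id ($($Actions[$id]))"
                Value    = $value
                State    = $Meaning[$value]
                # Anything other than 3 (Disabled) leaves ActiveX usable in this zone.
                Exposed  = ($value -ne 3)
            }
        }
    }
}

# Audit the Internet Zone; pass -Zone for any other zone of concern.
Get-ZoneActiveXState -Zone 3 | Format-Table -AutoSize -Wrap
```

A row with `Exposed` set to `True` for action 1200 or 1405 means script in that zone can still drive controls marked safe for scripting, which is the precondition the advisory describes.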




