Threat Level: green Handler on Duty: Russell Eubanks

SANS ISC: InfoSec Handlers Diary Blog - MS06-073: WMI Object Broker Vulnerability (CVE-2006-4704) InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

MS06-073: WMI Object Broker Vulnerability (CVE-2006-4704)

Published: 2006-12-12
Last Updated: 2006-12-12 18:21:28 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
This one is "highly critical". A working exploit is already available for Metasploit.

The WMI Object Broker is a special ActiveX control which is used by Vsiaul Studio 2005. An attacker would use a malicious web page to exploit it. You have to have Visual Studio 2005 installed in order to be vulnerable. The vulnerable file is WmiScriptUtils.dll.


As with other ActiveX features, Internet Explorer 7 will mitigate them somewhat as you have to "opt-in" to individual ActiveX controlls in order to use them. The restricted mode in Windows 2003 will turn off ActiveX as well, limiting exposure.

What you should do:
- On a client with Visual Studio 2005 installed: Patch now.
- On a client without Visual Studio 2005: you should not have this control.
- On a server:  Check if you are using the "Enhanced Security Configuration" for MSIE. The patch is unlikely to apply.

I do recommend upgrading to Internet Explorer 7 if you are regularly using Internet Explorer.

References:
KB927709
MS06-073
CVE-2006-4704
eEye Advisory
Keywords:
0 comment(s)
Diary Archives