
SANS ISC: InfoSec Handlers Diary Blog



Visual Studio 2005 Remote Code Exploit, Actively Being Exploited

Published: 2006-11-01
Last Updated: 2006-11-01 20:45:19 UTC
by John Bambenek (Version: 1)

Microsoft has issued an advisory on a remote code execution vulnerability in the WMI Object Broker control in Visual Studio 2005 (CVE-2006-4704). The vulnerability can be exploited by getting the user to view a malicious web page, and it allows an attacker to take full control of the system. Currently, users running Windows 2003 with Enhanced Security Mode in the default configuration are not affected. Users running IE 7 are also not affected, as long as they do not opt in to this particular ActiveX control.

There is also a kill bit that can be set to stop this vulnerability (place the following in a .reg file and apply it):

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}]
"Compatibility Flags"=dword:00000400
```
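
To confirm the kill bit actually landed on a host, the following added example (not part of the original diary or of Microsoft's advisory) parses the text of a registry export and tests the 0x400 bit for the CLSID above. It assumes the export has already been decoded to a string, and that 64-bit hosts may hold a second copy of the key under `Wow6432Node`; the function names and the sample export are constructed for illustration.

```python
import re

KILL_BIT = 0x00000400  # the "Compatibility Flags" value set by the diary's .reg file
WMI_OBJECT_BROKER = "{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}"  # CLSID from the diary
PARENT = r"\internet explorer\activex compatibility"

SECTION = re.compile(r"^\[(.+)\]$")
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{1,8})$', re.IGNORECASE)

# Constructed sample of `reg export` output, not taken from a real host.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}]
"Compatibility Flags"=dword:00800400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7f5b7f63-f06f-4331-8a26-339e03c0ae3d}]
"Compatibility Flags"=dword:00000000
"""


def kill_bit_status(reg_text, clsid=WMI_OBJECT_BROKER):
    """Return {registry key: kill bit set?} for every key of this CLSID in the export."""
    status, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            parent, _, leaf = section.group(1).rpartition("\\")
            is_target = parent.lower().endswith(PARENT) and leaf.lower() == clsid.lower()
            current = section.group(1) if is_target else None
            if current:
                status[current] = False  # key present, no flags value seen yet
            continue
        value = FLAGS.match(line)
        if value and current:
            # Bit test rather than equality: other compatibility flags may also be set.
            status[current] = bool(int(value.group(1), 16) & KILL_BIT)
    return status


def is_protected(reg_text, clsid=WMI_OBJECT_BROKER):
    """True only if the CLSID key exists and every copy of it has the kill bit set."""
    status = kill_bit_status(reg_text, clsid)
    return bool(status) and all(status.values())


if __name__ == "__main__":
    for key, ok in kill_bit_status(SAMPLE_EXPORT).items():
        print("SET    " if ok else "MISSING", key)
    print("protected:", is_protected(SAMPLE_EXPORT))
```

The constructed sample is reported as not protected because its second key has the flag cleared, even though the first key carries the kill bit alongside another flag.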

This vulnerability is being **actively exploited**. The advisory states that Microsoft is planning an update for this problem, which should go out in the next monthly patch cycle.

UPDATE: CERT has a notice up also.

--
John Bambenek
bambenek /at/ gmail (dot) com