Wednesday, November 01, 2006

Microsoft Security Advisory (927709)

Microsoft has issued a Security Advisory regarding a vulnerability in Visual Studio 2005 that could allow remote code execution. In addition to the standard recommendation to keep anti-virus software up to date, note that this vulnerability is yet another reason to upgrade to IE7: the affected ActiveX control is not enabled by default in IE7. Thus, only those who have approved this control via the ActiveX "Opt-in" feature are at risk.

"Microsoft is investigating public reports of a vulnerability in an ActiveX control in Visual Studio 2005 on Windows. We are aware of proof of concept code published publicly and of the possibility of limited attacks that are attempting to use the reported vulnerability.

Customers who are running Visual Studio 2005 on Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. Visual Studio 2005 customers who are running Internet Explorer 7 with default settings, are not at risk until this control has been activated through the ActiveX Opt-in Feature in the Internet Zone. Customers would need to visit an attacker’s Web site to be at risk. We will continue to investigate these public reports.

The ActiveX control is the WMI Object Broker control, which is included in WmiScriptUtils.dll.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs."

See Microsoft Security Advisory (927709) for complete details.
