In a Security Advisory from October 31st, Microsoft reports that it is investigating a vulnerability in an ActiveX control in Visual Studio 2005. Proof-of-concept code exploiting the vulnerability has been published.
The ActiveX control in question is the WMI Object Broker, which is installed with Visual Studio 2005 on Windows. Only users with Visual Studio 2005 installed are vulnerable. Users running VS on Windows 2003 and Windows 2003 Service Pack 1 in their default configuration, with Enhanced Security Configuration turned on, are not affected. IE 7 disables this ActiveX control by default, so users are not vulnerable while running Internet Explorer 7 under the default configuration; they only become vulnerable if they enable the control through the ActiveX opt-in feature in the Internet Zone. In any event, users would need to visit a malicious web site to be attacked.
Successful exploitation could lead to full compromise. In the larger picture this is probably not a high-risk vulnerability because few people have Visual Studio running. However, for those that do, it is a serious vulnerability.
Some sources of further information are listed below.
Related links:
www.microsoft.com/technet/security/advisory/927709.mspx
www.securityfocus.com/bid/20843
www.websensesecuritylabs.com/alerts/alert.php?AlertID=688