Microsoft has issued an advisory warning about a Visual Studio 2005 vulnerability in the WMI Object Broker ActiveX control, part of WmiScriptUtils.dll, which could allow remote arbitrary code execution.
The WMI Object Broker ActiveX control can be used to circumvent the ActiveX security model. It is marked as ‘safe for scripting’, which is supposed to mean that it will not do anything that could damage the system or weaken security, and therefore that a web page script can safely call its methods. Shoulda, woulda, coulda. As US-CERT explains, “the WMI Object Broker ActiveX control includes a method that can create an instance of an ActiveX control that exists on the system. The ActiveX objects created in this manner will bypass the ActiveX security model. For example, the "kill bit" and "safe for scripting" options are ignored.”
As usual, for Microsoft this means investigating reports of proof-of-concept code, although it admits that it is also looking at what it refers to as “the possibility of limited attacks that are attempting to use the reported vulnerability.”
Limited, I would imagine, by the fact that Visual Studio 2005 for Windows has a fairly small user base in the overall scheme of things.
Thankfully, Internet Explorer 7 disables the relevant ActiveX control by default, so as long as that default has not been changed (the control can be activated through the ActiveX Opt-in feature in the Internet Zone) the browser is not vulnerable. Likewise, users running Visual Studio 2005 on Windows Server 2003 or Windows Server 2003 SP1 in the default configuration, with Enhanced Security Configuration turned on, are not affected by the vulnerability either. And the attack still requires the victim to visit an attacker’s website, which narrows the exposure further.
So the scope is limited, but as WebSense told me, “nevertheless, this is a serious zero-day attack with live exploit code in the wild. We recommend that all Visual Studio users take the proper steps to mitigate their exposure to this attack.” Indeed, any zero-day exploit that enables arbitrary code execution has to be treated at face value: if successful, the affected system could be completely compromised.
Yet despite all this, don’t expect a speedy response from Microsoft, which has stated that “a security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs.” So that’s another item for the Patch Tuesday list, at some point in the future.
In the meantime, US-CERT recommends disabling ActiveX controls in the Internet Zone (or in any zone an attacker’s site could fall into) as the only way to prevent exploitation of the vulnerability.
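For administrators who want to confirm that the US-CERT mitigation is actually in place on a machine, the following PowerShell script is an added example, not something from the advisory, US-CERT or Microsoft. It reads the Internet Zone’s “Run ActiveX controls and plug-ins” setting (registry zone 3, URL action 1200, where 0 is enable, 1 is prompt and 3 is disable) and checks whether a kill bit (the 0x400 flag in “Compatibility Flags” under the ActiveX Compatibility key) is set for a given CLSID. The CLSID in the script is a placeholder, because the article does not give the control’s CLSID; substitute the real one from Microsoft’s advisory before relying on the kill-bit check. Setting the kill bit requires an elevated session.

```powershell
# Added example (not from the article or any vendor): audit the two ActiveX
# mitigations discussed above. The CLSID is a PLACEHOLDER; the article does
# not state the WMI Object Broker control's CLSID.
$PlaceholderClsid = '{00000000-0000-0000-0000-000000000000}'

# Zone 3 is the Internet Zone; value name "1200" is "Run ActiveX controls and plug-ins".
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400

function Get-InternetZoneActiveXSetting {
    # Returns 0 (enable), 1 (prompt) or 3 (disable). A missing value means the
    # zone default applies, which for the Internet Zone is "enable" (0).
    $item = Get-ItemProperty -Path $ZonePath -Name '1200' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'1200'
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # True when the 0x400 bit is set in "Compatibility Flags" for this CLSID.
    $path = Join-Path $KillBitRoot $Clsid
    $item = Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (([int]$item.'Compatibility Flags') -band $KillBitFlag) -eq $KillBitFlag
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # Sets the kill bit while preserving any other compatibility flags.
    # Needs an elevated (administrator) session because the key is under HKLM.
    $path = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = if ($null -eq $existing) { $KillBitFlag } else { ([int]$existing) -bor $KillBitFlag }
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $flags -Type DWord
}

# Report the current state.
$zoneSetting = Get-InternetZoneActiveXSetting
$zoneText = switch ($zoneSetting) { 0 { 'enabled' } 1 { 'prompt' } 3 { 'disabled' } default { "unknown ($zoneSetting)" } }
Write-Host "Internet Zone ActiveX controls: $zoneText"
if ($zoneSetting -ne 3) {
    Write-Host "  -> US-CERT mitigation not applied: ActiveX is not disabled in the Internet Zone."
}

$killBitSet = Test-ActiveXKillBit -Clsid $PlaceholderClsid
Write-Host "Kill bit for $PlaceholderClsid set: $killBitSet"

# To apply the kill bit once the real CLSID is known (run elevated):
# Set-ActiveXKillBit -Clsid '{real-clsid-from-advisory}'
```

Note the distinction the US-CERT quote draws: the kill bit and safe-for-scripting flags are ignored for controls instantiated through the WMI Object Broker’s own method, so a kill bit on some other control does not protect it from this path. The kill bit that matters is the one on the WMI Object Broker control itself, which stops Internet Explorer loading it in the first place; disabling ActiveX in the zone is the broader, zone-wide alternative.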