"It's an active attack that is unpatched," said Mike Dausin, security researcher at TippingPoint, which claims to have discovered the flaw about six months ago, before confidentially reporting it to Microsoft. Microsoft issued a security advisory Oct. 31.
Dausin, agreeing with the revised alert from Microsoft, said his company has witnessed hundreds of attacks from three or four Russian-based IP addresses exploiting the vulnerability, caused by a flawed WMI Object Broker ActiveX control in Visual Studio 2005.
"It's one of the few (Microsoft vulnerabilities) we've seen that is being actively exploited that we don't have a patch for, and that's scary," Dausin said.
The attack occurs when users of Visual Studio 2005, a Microsoft development platform, visit a malicious site via Internet Explorer (IE) that installs a backdoor malware downloader onto a user's machine, Dausin said.
"It will be unbeknownst to them that they have a virus downloaded on their computer," he said.
However, Microsoft stated in its advisory that users would need to follow phishing links to reach the malicious website and that they are likely safe from the bug if they are running IE7, because the just-released browser upgrade turns off the affected ActiveX control by default.
This is the second Microsoft flaw in as many weeks affecting ActiveX controls, used to enhance the functionality of IE.
"It's a way to glue on all different kinds of bells and whistles," Dausin said. "(ActiveX controls) don't have the vigorous code review that IE goes through before it's released. There's just a lot more code that can be glued onto IE that the IE team doesn't have visibility into."
The other flaw is caused by an error in the XMLHTTP 5.0 ActiveX Control, part of the Microsoft XML Core Services program, which lets customers who use JScript, Visual Basic Scripting Edition and Microsoft Visual Studio 6.0 construct, validate and process XML-based applications.
Microsoft warns of attacks on Visual Studio 2005 flaw
By Dan Kaplan on Nov 9, 2006 5:51PM