Visual Studio 2005 contains a flawed WMI Object Broker ActiveX control that is exploitable by a malicious website viewed on Internet Explorer (IE), vulnerability reporting firm Secunia said today in an advisory. The company rated the bug "extremely critical," its most severe rating.
"An attacker who successfully exploited this vulnerability could take complete control of the affected system," the Microsoft advisory says. "In a web-based attack scenario, an attacker would host a website that exploits this vulnerability."
However, in what the Redmond, Wash.-based company calls "mitigating factors," for the exploit to work, a user would need to follow a phishing link to reach the malicious website.
Users also are presumably safe if they are running IE 7 because the just-released web browser upgrade turns off the affected ActiveX control by default.
The vulnerability remains unpatched, but Microsoft said it expects to issue a fix in an upcoming security update. The next scheduled patch release is Nov. 14.
As a workaround, the Microsoft advisory suggests users set the kill-bit for the affected ActiveX control. The kill-bit is a feature that prevents ActiveX execution in a user's web browser.
Click here to email Dan Kaplan.
Microsoft warns of Visual Studio 2005 flaw
By Dan Kaplan on Nov 1, 2006 4:30PM