Microsoft warns of Visual Studio 2005 flaw

By

The Microsoft software used by programmers to develop web services is suffering from a serious zero-day vulnerability that is being actively exploited to execute remote code, the software giant announced in an advisory late Tuesday.


Visual Studio 2005 contains a flawed WMI Object Broker ActiveX control that is exploitable by a malicious website viewed on Internet Explorer (IE), vulnerability reporting firm Secunia said today in an advisory. The company rated the bug "extremely critical," its most severe rating.
"An attacker who successfully exploited this vulnerability could take complete control of the affected system," the Microsoft advisory says. "In a web-based attack scenario, an attacker would host a website that exploits this vulnerability."
However, in what the Redmond, Wash.-based company calls "mitigating factors," for the exploit to work, a user would need to follow a phishing link to reach the malicious website.
Users also are presumably safe if they are running IE 7 because the just-released web browser upgrade turns off the affected ActiveX control by default.
The vulnerability remains unpatched, but Microsoft said it expects to issue a fix in an upcoming security update. The next scheduled patch release is Nov. 14.
As a workaround, the Microsoft advisory suggests users set the kill-bit for the affected ActiveX control. The kill-bit is a feature that prevents ActiveX execution in a user's web browser.
Click here to email Dan Kaplan.
Got a news tip for our journalists? Share it with us anonymously here.
Tags:
flawmicrosoftofsecuritystudiovisualwarns

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?