Application Development - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Application Development


Microsoft Confirms Critical Visual Studio Zero-Day



 By: Ryan Naraine
2006-11-01
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Application Development story.


Rate This Article:
Poor Best
An "extremely critical" vulnerability in Microsoft's Visual Studio 2005 could put users at risk of remote code execution attacks. Pre-patch workarounds are available.

An "extremely critical" vulnerability in Microsoft Visual Studio 2005 could put users at risk of remote code execution attacks, the company confirmed Nov. 1.

The Redmond, Wash., software maker issued a security advisory with pre-patch workarounds and warned that the flaw is already being used in zero-day attacks.

"We are aware of proof of concept code published publicly and of the possibility of limited attacks that are attempting to use the reported vulnerability," Microsoft said in the advisory.

Visual Studio 2005, formerly known as "Whidbey," is an integrated development environment that offers a suite of tools to help programmers build software, Web sites, Web applications and Web services. It is the latest version of Microsofts developer tools and includes Visual Basic, Visual C++, Visual C# and visual J#.

Resource Library:

Click here to read more about how zero-day attacks are linked to corporate espionage.

According to Microsoft, the vulnerability is caused due to an unspecified error in the WMI Object Broker ActiveX Control (WmiScriptUtils.dll), which is used by the WMI Wizard in Visual Studio to instantiate other controls.

The company said an attacker could use the flaw to "take complete control of the affected system." In a Web-based attack scenario, Microsoft said a hacker could host a malicious Web site and use social engineering tactics to lure visitors. "It could also be possible to display malicious Web content by using banner advertisements or by using other methods to deliver Web content to affected systems," the company said in its advisory.

Workarounds

Microsoft has recommended various workarounds to help mitigate the risks. They include disabling attempts to instantiate the ActiveX control in Internet Explorer by setting the kill bit for the control in the registry.

The company also recommends that Visual Studio 2005 users configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone.

Instructions on applying the workarounds can be found in the security advisory.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.





  Reader Comments: Microsoft Confirms Critical Visual Studio Zero-Day
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Application Development Articles          >>> More By Ryan Naraine
 


x}v㶒s{̎Szɶ֎my[v:ҡ(HbL$e[OˬOt%_:v6ITP(7~vv~/Iֆ5&pfRþGuIjy|o I=Wevԭg ѩizц]3Ui76v#<c)oD&/hԎhTa@Y2x[c:&׳1ԓm͍Q21X-kHQ:)֐N:4MZP8$PKE!@<457(>-_TYSqcb/$Ͼ0IQIb[@a4|wHBc 3I5O_FBQ Mg% a˗b`4<l.* ~- :۱kϬ!&&9a#M P&:ާ4ja[ZdQ=m9em3toseݼR@*JP)Az' kh{a l'wzusWUE9^Ϯ2(Ԭ[` mKq5M-Ns#q@α[A~$Fj}& D|\(Ԧq&i>'4t<_Bn,>@JI/|%rP<(ZS KǹY̎kxfV҈ g|^9@f9jz'򳹥uk]_]-k][>ߘecfy3+U~(#3ؕgxg[:nNOn9nڗ'.9\qɞNt8,O/k*}k! z&b U t4<[VKR>qUL|(u}L2,ewB~9]Czfyj ͔edB_X]+ţJ0êy >!%9)"-kh:2P;LY^}E#nVӄjC>r‡)5%qW7hr VϠ蟉 Wm48@rPYUۅ RR|@@5.\D7+Ԕٛ"K;z:!ɠ ڴb{\g4! &MЀ04حL)_bH=S9z&z4Hݠh&];T[M6PCh>um'6($@=90Plv60L0g:%V\IQo ' dRJ 4G!-i]R@Az68 -,rr4  "!|K%6Nc@PGҹ=RTD;7 Kń=*)nqR3٘,%1L&t]_5yG,D`v9J,L.Y ϴ6jԍebQA O5&F#C7` 3G ]= #0 S0؂2>9?f!s WQ c=3 "ݲ%st08.fFZ1jػ?0q}a^ s9hwtݰyBS '$tT@h ] H8M{z9ia`(Lq[riۂfi8ȃ=5p rPfШ||=厬mT@>J|zS.z: $r%vxU i!SL&Zeon<Gy9&+)\=PW +'+T1g0dz׆w |?m/n)hOaࣇV*lx3ː 3'JkX"lM 5_0ùbp\8>M?XľFCۜOC'an' [AHZ{|gTfBoa82L|߻3XH| )ՅA ,䧒\R |Dyc ԑq,YriL*{d}N>QȚ5'VO+_"5K΁4uD85]-OA%_hJv^ni^0*my.|<궇12q͝a8'mG:R)æ1S{`bi'{T'/łcǞ$o+:>#HIpHE1AxZkhp\x@\PZr>r7VDD06pl)UtlSm[hB x-X\ *'i[DFR}K]\>?CU^obx,"JPV"jSC-JT*8Ag7r#RO@PxǾ=yǿ3qrSo aOAPz~gn-&WڜqeTXex˘ZհlxTapU;ǐV81'&B1"GBtȂu!W5d0ջ5ubxH}#G BEWY)͙oP9\R4*SkP@xAܚ:z, HT00xt U=L:.AgW}RbZ> (C h`KxkXZCA=aSd}pp@l#Ra>*\O<,!c1s*? \xu8WX[?g`̦s`p1\An#\>ۙ#b*r>7~zip%ŜP\x` fzlhis-&?3OR-0ss>nz*%\.Y2-ctyێ{6s5>uGci-m+W^U;&P@hO \ k88D"$Ee"[ p$e l&SbRaok~n\T3(ky(G )>^nVɵZV/bIRTS(.>J&#UX)T%%~ͳIA%G֐he~6ESfb߯ͥشspw&= -4j(,sKbӔUϨl~d{m>Q ֐G v7 u5Qx\sҌd;~X^5tH"H eVΫՃcZB ϢpӁ9tOl~v@( F[uRħokkkhzk8>?bo0|5k>0L3H墪A R}#00C: &Շ|i.e[$r]W6_-JvE-HX;HHȗ9ɗw6Tכ[Ca*{o^&^S+cI`xQo`lBe\M1PsՇ~ZV^-A ED@+n}6?% ?S-k8gMX2[BKD^)ΛIT}ڹI͋C<4qu4 _u^sykFZg0L@?|?* І_ICRDj_4߷ŠCLY2e'A*$`ܰW#IkߏԳ"yrҾ|/]2 yl`>8AN׹p.ۗ%y皟ԫeK:\[wj.THCBȧ5@k3d4)M !f}xH/ ^!u Be\:'k,zak5c5΅Hgoʶ'07 e]Ey8aZ(owާe|_#I^Ӌ_+7 rE5p!!BN L9Wbm[Op78 cdA(c[~(I[ɨv)i9rj :)O:6pNk'q^e=lI2 Kh7Q39ui9[Urs@Xƻ{:g^%[׍H ϝMY+D$/i\A1` ,G7Dh <J[ >CTո F[YU~%b. yO0Hv吜bn=Dj"2KIsa;;[@)s^X 2k=(~ ܳ,d:];7O>-z|oIU2GzqT1;.`\Q=w6}Bjnvˑ;^\BzZTrc qm'X>ucaByc18a!r!iZפywj`|%e,H'RНu/Ռ. w낯G; *;c#g䜁Z:E5bKf ٽ{)SV$[ֲeEb37tVPcf;q6ӱ$By5v*lio {r9/sᔤˮdv“ɄX^ OFXd׭ 0d&qKfΖ]w5=f1v{]3W,^GY& ~ ]ݧ)OpQ8Pžֳ,$R骏\ⲋD1.Ʋd/J)G)ϣE u OK41ڬ-~ Fuo&u:M]kn1Fƃ`69xf ٮGTga=VJ=`ˤ,^VO8_^bj <ބ<2`k#rb[&ð`mQ{ =,L4_ 7{Ԓ/B#ѩaigwD'|ٶ OE@1>[l!Xf:F3Iw$OP 3.mkj^G4}5Nc 丹\Cd0U>RFer)<7h,R<%Q$^/z7v9|1Ɉ '1b%o9:Ϋ? zjVT,)eZLɮ@x?b@1ŀ2H d}.-AE hԓUj=8+J]DKg&"T)J1Eud%IC –8I_9 QRTQ*94i<U]\ŗyI-ŏp\y,%S!OM~#cPp YߐPke _f ml{+)#(M gC5 t43M2I]{JcblJބ$3 ,'@Vښ6l5)O/<ؔ˂݉HUVf=E+ɥXn3ZdPol_f[R%)k^c(փsi)2@eHkjRWa' >B"B@mnlY`K^UeS^*y_7mKEmǽ Uy:CWU/4CsLSK1f7H7Ё}/57"/8H@'XC!JhdrA]`A_^4ˣ7񯴎XLc/z/Vۅeeee_-[)e#Vȹ .G8DB%K%~̖\& )_;$gx}'C<^~4׏}oᘪ_>{6bƆ7䇗:;9/`GY+id^o8$ B4!n@H\\LVVxoocy7_6+h\j&Ak:gm+9sg]]z ۥHԍڅg\n[&OY.lb2О/M"m s]$&尧6P]oހ^<=GN!Y & PC-;[N7Q1n8{7~ʾZW,DjNNz}yLZ?9q̓4<!pƻ|N} "^tAi'٫Yx1\Mݏ .آ 7@y tuM|'x#o?Į%>AX#J:yw;{cخY~WTsb2A$RD* p/\(l^wF =vdžrϗٝ툭zAsǺax'SWG˸qVM~_Htb`qg$PVh ['*|dy$ ۯP^ TiRWNxf^aDNsQ]bP4 b}WF؃=%مA ,q'YEεDjFQuENu1'׵ R`%dl\!/p.8ޘD P`r⡏`A?(ҐˤPFpxAvz/sDo*7 B +)5m1vLWK.k*_ |^Km$5D`#\NgVpЩ HۡD[*%н^ ,@jmu ǸfWn~ξ6ŶWbmJۅ]aIJ %'099,2}a"<:Iס0 ?R)&7~uz.9`V>0oIi }P /aUh9&Mz(hdL(ZxgG c  D)bUdw_~z*\'ܵ5\7{qB djod}ixpmJbkdqnmMC- &=^8 :nA/Wji~ Nd>hTӑ5 /`.=$wz̥7b?= M8}AYeiW7˭mD['ɅC{ib!3 @|0\Ǎە lM뵮aE32>B`#whMmNأB]LNANl0V)zg~rM=8'6V>\o|HjC75|$rEhC9Ҕ ח]@)`Xw$u2̀ ,Z*㊌F2*m&nI79mNb-vœ5"$ c#מ\F$ ш!&"36"|M;7c}%o@$P` +vdcF.\|9g{5 S|=?~?э )Asa8mf)'6X`kleb wEU]ѦNͯOpUGNl05|݀sPk7 6t`Q(;&<ɏT-ݜ(q.%Lk,}SB<_9ω  k!ķ놫zgb螌Cbh),fLWT| Lꪂ_JBve Zϗb/( ;H;Z+I)xPHj gPȼ{xu1&u1h^]"k$׭~8_z%9jwnֵmAǗjQqiuuݾe·_sme1|Q)3 4eŮj&\ ³!.iSU9$xC_0=4e<5k$ڽG(%lFyіU1o0yL7ON[ݮN(׆]}z,ǫx]j8Q꾠M/}g*4]0684SHnu#VԼT<vѮq?E " >"@\)_^E ^?AYJ? )~{ҿ ?)s wh'?I/WW)qR_\O)z)YC }i>>oҁoRI&c$CLN_OpRKQ ʠ/W@a uy~)@z LI2LcR\.dL {)j[[?;'yF]a))kkZ1tuחG{1Ph +[yHL+g٘@{#uO'NW|7oy~5mֽbr-XѧZ}5^93ga'Wih _3AӦ{dޗ||֥8cNtKYȘkWT+SyKy>{S3 =*%6. zٍ-v\ xLxnr}NEÕx8w;]jX•m9q}2ىپKh ߊƄY-J C/c H;ayt?bze|&Hy޿jolZ/'S<{MgLX@$p z W@jeR >Sx wMMѼk~54]MtBGm m{ Ɵ6릁{G$R|~˕R}#\#tMD+U9J]LUAX,Jg /($@%X̗7xP#xC9=va*0VqBDK"ұWF[úQ, tnR͍p^Wv$@=` @ ;3S WK 9x=wqo{K8Aa%Kv۶tZ|𶁞dj/}`!qkQ%B4wmF=ƞ{<AWRWÏz TsF.4' \șPV=\xguL PXXKB`u ,jד53[nb汹Hn6ɐddY {g{]7'2>; }^C0吡|ů qm0.vm8 p6`x'>4.^`k,%sfF\'2 /&{J11-XicО(u$Vb f$Gҡx[%06)+xbQfmr{^f$JAmXشgCљ\ؗJoē}¹t8<[te"uqg3/~*"d`{O;B~n .zl{rPn2 醍%؉EGC϶hL/l~aWL1{+ȑ0‚m5uWezԤĶ"hH6g981#ϘmjcTz\xgȌAj'j :QEUXNՂ]%rF#31=qyU YT8R"?؅!znJ%6Kنx'X,HsԲx D|J`Nq/@9aMsD}>7[S2U)ւ_6Ogзǁ/[ى{KV/7j &L)-KqI&yHT%nDk1ߠ(b<%*`>=NX">l}'6}F5ӟH "@"d԰4KP˖0SF)f%NSxc{Exĵ#n|_Sbd:Σ@W (Yc4y Ll&ċԕU`7g~,3fCC:`0C3`V݀=7a$L9ˍ'/Asl2qc[  `zMKM>¥"\UXؐ(X_'A֎Ɇz"gw:G-\aH$x kyf#ţSW\4JP+r8Vw@8̙ LÛ~H2I$`<=fږ+샺iL0\e~m<3{(vk",@݆R]+Ke$Viv8ǩ V-x: y{VBȟat!L/1?c5VQڶ7G }] a[&n ۊuyӷmDs8o^3a[_<̿G64cbSLLڙDX<޲qW=?9z#l>n:9YʐW\ȏ,L [Z'][ma$/]d3hWRrcCvWж3E3<"@͎a*5`BLN7~ӣF<=%h7ۂ~\m˱Y)Ao,> []R*gZ 12%ol' Eb5R`$(Ϛ0~Ù"ۄ.wpbw(ͦ,1F A(ixxzT<1T>nBh1) b'kE2q-9*DX6~`͸M(j,6u!{lp145k<]x7wPv?[wmڟzT;oٍC?18CT|^-e?H4WVX|b1>6aɺqd1߱+3SA:u/h\EQX!5h@^yާ}dR芘@P[mG=ħ؍2f(`v>K󊒯HSd^+jm'xU0}\3+UzsζK.›7wCWطclg0*jYbPdIeEםswy}rA`|w-XeMQYŮ&_Iv"mxNpSУL:o暨 _GjA- --]13,ԭ!f`\p42Щ, AdMLv2/ ށ@40 6#,XD80QW$t{ŋm&`[=2s뿕JJ.e &^7 ˧ZlLGt- 1FLGWX^q* Lft@,%Kے-.Y-@BDr&VlI8Bid}jBx,h^ vB2`j fa!. I[ߨaH耟"K\q ֣T#aڃxwǏ27{b,j0gFH]p=̢ ʼnW]>{fxxͽ^DiAƀܴ1-f@LrlY mP=M4D6ֺ@š='c"_{o5zN #@PjehlD?d,zPH;p"GtN>i=80Ho!6pe=%+Hw!x;1)@t~"YIe Rd" ? m H=Y}hn+mI?Ydl<1Zp2 x<'7Y` IPS >4upn}m4&V7 Rvm'[Kq@S /r1K\U"z|YGx0 "7-N/ ᛸJEMǿ ޒ\pǢi9'>!ۿYKp~QKM̨=cN=`[^|l'q((8(|=qO ȿJ-H5w\&HD8~;6Ex&A5DK=atchfg.Ӱi|0;d p\4wh2ꒋGx\m)qU.np7C' Z dv{[+\CFeO:m^? Z} \ M,UJtۿC]KJTqy|j?H>wpUQם'RDS\y:'$!v w<9i_g AͼYD໡fD];pa^-X49߷[1&c qkɁR0nh! #C|ŭuJA> e Z6SLTʱ(pI17y8hb)\ <8D˰,t3썝) ^=