Exploit Out for Critical Microsoft Agent Flaw

By Lisa Vaas  |  Posted 2007-09-13 Print this article Print

An exploit attacks a critical Microsoft Agent vulnerability less than 24 hours after the patch came out.

An exploit that attacks a critical Microsoft Agent vulnerability was published less than 24 hours after Microsoft released a relevant security advisory in its Sept. 11 Patch Tuesday set of releases.

The security advisory for Microsoft Agent, MS07-051, was the only critical release out of four security advisories. It addresses a vulnerability whereby the Microsoft Agent—a set of software services for developers to enhance the user interface of Web-based applications—can get hoodwinked by a malicious URL and can then be used to take over a targeted system without ever appearing to the user.
Microsoft Agent (agentsvr.exe) is prone to the stack-based buffer-overflow vulnerability because it fails to adequately bound check user-supplied data. The issue occurs when the "agentdpv.dll" ActiveX control processes maliciously craft URLs, resulting in memory corruption.
If the exploit succeeds, the attacker gains system control. If it fails, a denial-of-service occurs. Symantec has exploit code available to members of its Immunity Partners Program. Click here to read more about a tool for rapidly writing flaw exploits. Proof-of-concept code is also available here. For users who cant apply the patch straight away, Symantec and Microsoft recommend the typical mitigation strategies when dealing with an exploit that requires user interaction: Run software as a non-privileged user with minimal access rights, and always run non-administrative software as an unprivileged user with minimal access rights. Also, stay away from links coming from strangers or untrustworthy sources. Keep out of sites that have questionable integrity. Set browser security to disable execution of script code or active content. Dont open e-mail from strangers or those whom you dont trust, given that attackers could exploit the vulnerability through HTML e-mail. As a workaround, Symantec suggests setting the kill bit for the following CLSIDs to prevent instantiation of malicious Microsoft Agent ActiveX controls: D45FD31B-5C6E-11D1-9EC1-00C04FD7081F
D45FD31E-5C6E-11D1-9EC1-00C04FD7081F Microsoft describes how to disable ActiveX controls here. Microsoft also suggests unregistering "AgentSvr.exe" as a workaround. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel