Microsoft Confirms Critical Visual Studio Zero-Day

An "extremely critical" vulnerability in Microsoft's Visual Studio 2005 could put users at risk of remote code execution attacks. Pre-patch workarounds are available.

An "extremely critical" vulnerability in Microsoft Visual Studio 2005 could put users at risk of remote code execution attacks, the company confirmed Nov. 1.

The Redmond, Wash., software maker issued a security advisory with pre-patch workarounds and warned that the flaw is already being used in zero-day attacks.

"We are aware of proof of concept code published publicly and of the possibility of limited attacks that are attempting to use the reported vulnerability," Microsoft said in the advisory.

Visual Studio 2005, formerly known as "Whidbey," is an integrated development environment that offers a suite of tools to help programmers build software, Web sites, Web applications and Web services. It is the latest version of Microsofts developer tools and includes Visual Basic, Visual C++, Visual C# and visual J#.

/zimages/2/28571.gifClick here to read more about how zero-day attacks are linked to corporate espionage.

According to Microsoft, the vulnerability is caused due to an unspecified error in the WMI Object Broker ActiveX Control (WmiScriptUtils.dll), which is used by the WMI Wizard in Visual Studio to instantiate other controls.

The company said an attacker could use the flaw to "take complete control of the affected system." In a Web-based attack scenario, Microsoft said a hacker could host a malicious Web site and use social engineering tactics to lure visitors. "It could also be possible to display malicious Web content by using banner advertisements or by using other methods to deliver Web content to affected systems," the company said in its advisory.


Microsoft has recommended various workarounds to help mitigate the risks. They include disabling attempts to instantiate the ActiveX control in Internet Explorer by setting the kill bit for the control in the registry.

The company also recommends that Visual Studio 2005 users configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone.

Instructions on applying the workarounds can be found in the security advisory.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.