Microsoft users face two zero-day threats in a week
Takeaway: Microsoft has released two security advisories in the past week, confirming two separate ActiveX vulnerabilities. Exploit code is circulating for both threats, but Microsoft hasn't yet released patches. Get the details in this edition of the IT Locksmith, and learn about possible workarounds.
Two ActiveX threats have emerged for Microsoft users. Attack code is currently circulating, but workarounds are available.
Details
As confirmed in Microsoft Security Advisory 927709, "Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution," a remote code execution threat has emerged in Visual Studio 2005 (CVE-2006-4704). Proof-of-concept code is currently circulating, and there have been reports of attacks exploiting this vulnerability.
The ActiveX control at fault is the WMI Object Broker control. The vulnerability, linked to WmiScriptUtils.dll, doesn't affect users running Internet Explorer 7 with the default settings or those using Visual Studio 2005 on Windows Server 2003 with the default settings. The Microsoft security advisory lists possible workarounds, including directions for setting the kill bit to disable the vulnerable control.
In addition, Microsoft has released Security Advisory 927892, "Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution." The advisory details a separate XML Core Services threat linked to XMLHTTP 4.0.
US-CERT Vulnerability Note VU#585137 also addresses this threat. (US-CERT, the United States Computer Emergency Readiness Team, is the operational arm of the National Cyber Security Division of the Department of Homeland Security.)
While exploit code is available, the XMLHTTP ActiveX 4.0 control doesn't come installed with Windows XP by default. However, it's bundled with many applications, so this threat can affect Internet Explorer users. This vulnerability doesn't affect those running Windows Server 2003 in its default configuration (with the Enhanced Security Configuration).
Both the security advisory and the vulnerability note describe possible workarounds. In addition, there is a simple registry patch available.
You can set a kill bit to disable the specific ActiveX control in Internet Explorer. See Microsoft Knowledge Base article 240797 for details. You can also disable ActiveX entirely. For more information, see this US-CERT resource.
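The kill-bit workaround, as an added PowerShell example that is not taken from the advisories or the column: it reports whether the kill bit is set for a control and sets it while preserving any other compatibility flags. The function names are hypothetical and the CLSID is a constructed placeholder; substitute the CLSID that the relevant Microsoft advisory lists.

```powershell
# Added example: audit and set the IE kill bit for an ActiveX control (run elevated).
$KillBit   = 0x400                  # bit in "Compatibility Flags" that blocks the control in IE
$ValueName = 'Compatibility Flags'
$ClsidRx   = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both when present.
$Roots = @(@(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) })

function Get-CompatFlags([string]$Key) {
    # Returns the current flags, or 0 when the key or value does not exist.
    $p = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return $p.$ValueName
}

function Test-KillBit([string]$Clsid) {
    if ($Clsid -notmatch $ClsidRx) { throw "Not a braced CLSID: $Clsid" }
    foreach ($root in $Roots) {
        $key   = Join-Path $root $Clsid
        $flags = Get-CompatFlags $key
        [pscustomobject]@{
            Key     = $key
            Flags   = '0x{0:X8}' -f $flags
            Blocked = (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit([string]$Clsid) {
    if ($Clsid -notmatch $ClsidRx) { throw "Not a braced CLSID: $Clsid" }
    foreach ($root in $Roots) {
        $key = Join-Path $root $Clsid
        # Create the per-control key only if it is missing, so existing values survive.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in rather than overwriting, to keep flags set by other updates.
        $flags = (Get-CompatFlags $key) -bor $KillBit
        Set-ItemProperty -Path $key -Name $ValueName -Value $flags -Type DWord
    }
}

$PlaceholderClsid = '{00000000-0000-0000-0000-000000000000}'   # constructed placeholder
Test-KillBit $PlaceholderClsid | Format-Table -AutoSize
# Set-KillBit $PlaceholderClsid    # uncomment after substituting the advisory's CLSID
```

Re-run `Test-KillBit` after the change and restart Internet Explorer; `Blocked` should read `True` in every registry view listed.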
Also watch for...
- Microsoft has announced plans to launch Windows Vista and Office 2007 to business users on November 30. The software will be available to mainstream consumers in January 2007.
- US-CERT has released Technical Cyber Security Alert TA06-291A, which details recent Oracle updates for multiple vulnerabilities. Oracle fixed 101 vulnerabilities with its quarterly update in October; you can find the critical patches at the October 2006 Oracle Critical Patch Update Web page.
- Two bugs have emerged in the new Firefox 2.0 browser. Mozilla hasn't released patches yet, but the company says the issues aren't critical. For a list of known issues, check out the Firefox 2.0 Release Notes Web page.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.
