   VULNERABILITY NOTES

CERT-In Vulnerability Note CIVN-2006-109
Microsoft Visual Studio WMI Object Broker ActiveX Code Execution Vulnerability

Original Issue Date: November 02, 2006
Updated on: December 13, 2006

Severity Rating: High

Systems Affected

Microsoft Visual Studio 2005

Overview

A remote code execution vulnerability has been reported in Microsoft Visual Studio 2005 that could be exploited by an attacker to take complete control of the vulnerable system.

Description

The vulnerability is caused by an error in the WMI Object Broker ActiveX control (WmiScriptUtils.dll), which does not ensure that it interacts safely when hosted on a web page.

An attacker could exploit this vulnerability by hosting a specially crafted web page on a website and persuading a user to visit it with Microsoft Internet Explorer. The attacker could then execute arbitrary commands on the visiting system and take complete control of it remotely.

Note that this vulnerability is currently being exploited in the wild.

Workarounds

  • Prevent the WMI Object Broker ActiveX control (WmiScriptUtils.dll) from running in Internet Explorer by setting the kill bit for the control.
  • Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local Intranet security zone.
  • Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX Controls in the Internet and Local Intranet security zone.
  • Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones.
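The PowerShell script below is an added example, not part of the CERT-In note or of Microsoft's own guidance; it applies the kill-bit and zone workarounds above through the registry and then reads the values back. It assumes the control's CLSID {7F5B7F63-F06F-4331-8A26-339E03C0AE3D}, which is the CLSID Microsoft advisory 927709 gives for WmiScriptUtils.dll (confirm it against the advisory before deploying), and the standard Internet Explorer zone layout in which value 1200 governs ActiveX controls, value 1400 governs Active Scripting, and 0/1/3 mean enable/prompt/disable.

```powershell
# Added example (not from the CERT-In note): apply the listed workarounds on a
# Windows host running Internet Explorer and verify the result.
# Assumption: this CLSID is the one Microsoft advisory 927709 lists for the
# WMI Object Broker control (WmiScriptUtils.dll). Verify before deploying.
$Clsid = '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'

# 1. Kill bit: Compatibility Flags 0x400 stops IE from instantiating the
#    control at all, independent of zone settings. Needs an elevated shell.
$KillBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
if (-not (Test-Path $KillBitKey)) { New-Item -Path $KillBitKey -Force | Out-Null }
Set-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -Type DWord -Value 0x400

# 2. Zone hardening for the current user: 1200 = "Run ActiveX controls and
#    plug-ins", 1400 = "Active scripting"; 0 = enable, 1 = prompt, 3 = disable.
#    Zone 3 is Internet, zone 1 is Local Intranet.
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ 3 = 'Internet'; 1 = 'Local Intranet' }
$Actions  = @{ 1200 = 'Run ActiveX controls'; 1400 = 'Active scripting' }
$Setting  = 1   # prompt; use 3 to disable outright
foreach ($z in $Zones.Keys) {
    foreach ($a in $Actions.Keys) {
        Set-ItemProperty -Path "$ZoneRoot\$z" -Name "$a" -Type DWord -Value $Setting
    }
}

# 3. Verify: fail loudly if the kill bit did not stick, then print zone state.
$flags = (Get-ItemProperty -Path $KillBitKey).'Compatibility Flags'
if (($flags -band 0x400) -ne 0x400) { throw "Kill bit not set for $Clsid" }
"Kill bit set for $Clsid (Compatibility Flags = 0x{0:X})" -f $flags
foreach ($z in $Zones.Keys) {
    $props = Get-ItemProperty -Path "$ZoneRoot\$z"
    foreach ($a in $Actions.Keys) {
        "{0,-15} {1,-22} = {2}" -f $Zones[$z], $Actions[$a], $props."$a"
    }
}
```

The kill bit is the workaround to prefer: it blocks the control for every user on the host, whereas the zone values only cover the current user's profile and still allow the control if the user clicks through a prompt. On 64-bit Windows, 32-bit Internet Explorer reads the kill bit from the matching key under HKLM:\SOFTWARE\Wow6432Node, so set it there as well. Remove the workarounds only after the MS06-073 update is installed.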

Solution

Apply the appropriate patches as described in Microsoft Security Bulletin MS06-073.

References

Microsoft
http://www.microsoft.com/technet/security/advisory/927709.mspx

FrSIRT
http://www.frsirt.com/english/advisories/2006/4282

Secunia
http://secunia.com/advisories/22603/

Security Focus
http://www.securityfocus.com/bid/20797/info

CVE Name
CVE-2006-4704

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003