<a href="http://www.micropoll.com/akira/mpview/585320-168921">Click Here for Poll</a><a href="http://www.questionpro.com" title="online surveys">Online Survey</a><BR> | <a href="http://www.micropoll.com" title="Website Polls">Website Polls</a><BR> | <BR><a href="http://www.micropoll.com/akira/MicroPoll?mode=html&id=168921">View MicroPoll</A></div>

Microsoft Confirms Critical Visual Studio Zero-Day
By Ryan Naraine


An "extremely critical" vulnerability in Microsoft's Visual Studio 2005 could put users at risk of remote code execution attacks. Pre-patch workarounds are available.

An "extremely critical" vulnerability in Microsoft Visual Studio 2005 could put users at risk of remote code execution attacks, the company confirmed Nov. 1.

The Redmond, Wash., software maker issued a security advisory with pre-patch workarounds and warned that the flaw is already being used in zero-day attacks.

"We are aware of proof of concept code published publicly and of the possibility of limited attacks that are attempting to use the reported vulnerability," Microsoft said in the advisory.

Visual Studio 2005, formerly known as "Whidbey," is an integrated development environment that offers a suite of tools to help programmers build software, Web sites, Web applications and Web services. It is the latest version of Microsoft's developer tools and includes Visual Basic, Visual C++, Visual C# and Visual J#.


According to Microsoft, the vulnerability is caused by an unspecified error in the WMI Object Broker ActiveX Control (WmiScriptUtils.dll), which is used by the WMI Wizard in Visual Studio to instantiate other controls.

The company said an attacker could use the flaw to "take complete control of the affected system." In a Web-based attack scenario, Microsoft said a hacker could host a malicious Web site and use social engineering tactics to lure visitors. "It could also be possible to display malicious Web content by using banner advertisements or by using other methods to deliver Web content to affected systems," the company said in its advisory.

Workarounds

Microsoft has recommended various workarounds to help mitigate the risks. They include disabling attempts to instantiate the ActiveX control in Internet Explorer by setting the kill bit for the control in the registry.

The company also recommends that Visual Studio 2005 users configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zones.

Instructions on applying the workarounds can be found in the security advisory.
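
The kill-bit workaround mentioned above, sketched in PowerShell as an added example; it is not code from the article or from Microsoft's advisory. The article does not give the control's CLSID, so the usage line carries a placeholder, and the function names are hypothetical.

```powershell
# Added example: set and verify the Internet Explorer kill bit for one ActiveX control.
# Run from an elevated prompt. Function names are hypothetical.
$KillBit = 0x400   # bit in "Compatibility Flags" that stops IE instantiating the control

function Get-CompatPaths([string]$Clsid) {
    $base  = 'Microsoft\Internet Explorer\ActiveX Compatibility'
    $paths = @("HKLM:\SOFTWARE\$base\$Clsid")
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\$base\$Clsid"
    }
    $paths
}

function Get-CompatFlags([string]$Path) {
    # Returns $null when the key or the value does not exist
    (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
}

function Test-KillBit([string]$Clsid) {
    # True only if every registry view has the kill bit set
    foreach ($p in Get-CompatPaths $Clsid) {
        $v = Get-CompatFlags $p
        if ($null -eq $v -or ($v -band $KillBit) -eq 0) { return $false }
    }
    $true
}

function Set-KillBit([string]$Clsid) {
    if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not a CLSID in {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} form: $Clsid"
    }
    foreach ($p in Get-CompatPaths $Clsid) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $cur = Get-CompatFlags $p
        if ($null -eq $cur) { $cur = 0 }
        # OR the bit in so compatibility flags that are already set are preserved
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Type DWord `
            -Value ($cur -bor $KillBit)
    }
    Test-KillBit $Clsid   # report the resulting state
}

# Placeholder CLSID; take the real value from the vendor's advisory:
# Set-KillBit '{00000000-0000-0000-0000-000000000000}'
```

`Test-KillBit` can be run on its own across a fleet to confirm the workaround is in place before and after the eventual patch.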

This article was originally published on eWEEK.com.



