
Microsoft warns of attacks on Visual Studio 2005 flaw

Microsoft is warning of attacks exploiting a recently reported zero-day vulnerability in Visual Studio 2005, according to an amended advisory released late Wednesday by the software giant.

"It's an active attack that is unpatched," said Mike Dausin, security researcher at TippingPoint, which claims to have discovered the flaw about six months ago, before confidentially reporting it to Microsoft.

Microsoft issued a security advisory Oct. 31.

Dausin, agreeing with the revised alert from Microsoft, said his company has witnessed hundreds of attacks from three or four Russian-based IP addresses exploiting the vulnerability, caused by a flawed WMI Object Broker ActiveX control in Visual Studio 2005.

"It's one of the few (Microsoft vulnerabilities) we've seen that is being actively exploited that we don't have a patch for, and that's scary," Dausin said.

The attack occurs when users of Visual Studio 2005, a Microsoft development platform, use Internet Explorer (IE) to visit a malicious site that installs a backdoor malware downloader onto the user's machine, Dausin said.

"It will be unbeknownst to them that they have a virus downloaded on their computer," he said.

However, Microsoft stated in its advisory that users would need to follow phishing links to reach the malicious website and that they are likely safe from the bug if they are running IE7 because the just-released browser upgrade turns off the affected ActiveX control by default.

This is the second Microsoft flaw in as many weeks affecting ActiveX controls, which are used to enhance the functionality of IE.

"It's a way to glue on all different kinds of bells and whistles," Dausin said. "(ActiveX controls) don't have the vigorous code review that IE goes through before it's released. There's just a lot more code that can be glued onto IE that the IE team doesn't have visibility into."

The other flaw is caused by an error in the XMLHTTP 5.0 ActiveX Control, part of the Microsoft XML Core Services program, which lets customers who use JScript, Visual Basic Scripting Edition and Microsoft Visual Studio 6.0 construct, validate and process XML-based applications.

Click here to email Dan Kaplan.
