Security vulnerability in Visual Basic 6
Visual Basic programmers who open crafted project (.vbp) files may infect their own systems with malicious code. A Perl script in the milw0rm exploit archive generates crafted .vbp files that exploit a vulnerability in the way the Visual Basic 6 development environment processes them, allowing arbitrary code to be injected and executed.
The cause is apparently a buffer overflow when processing project files. According to the exploit's author Koshi, an attacker can exploit this to inject malicious code of arbitrary size. No remedy is currently available. However, Microsoft may develop and release a patch before 8th April 2008 under the Visual Basic 6 development environment's extended life cycle. The Redmond-based company withdrew mainstream support for the product at the end of March 2005. Until a security update becomes available, Visual Basic 6 developers should not open projects from untrusted sources in this development environment.
- Demonstration exploit on milw0rm