Tips for security holes in Microsoft ActiveX controls
The still unpatched hole in the WMIObjectBroker ActiveX control is being exploited repeatedly, report both Microsoft and the Internet Storm Center (ISC). According to information passed by TippingPoint to the ISC, a large number of the attacks originate from Russia and try to infect users with the Galopoper.A virus. It is not clear how successful these attempts have been, since the vulnerable control (WmiScriptUtils.dll) is a component of Visual Studio 2005, so ordinary home users are not affected by the problem. Furthermore, the control is not activated by default, so even developers are not necessarily at risk of infection when they visit specially prepared websites.
A similar situation applies to the flaw in the XML Core Services ActiveX control reported last weekend. Only the control delivered with version 4.0 is vulnerable, and that version is not part of a standard Windows installation. Internet Explorer 6 typically uses version 3.0 of the XML Core Services (MSXML), as found on a normal XP installation. Microsoft has unfortunately so far declined to say which products contain MSXML 4.0, and even Microsoft's own overview of the versions does not make clear where MSXML 4.0 is used. It is probably installed along with the .NET Framework 2.0. The current version is MSXML 6.0, but several versions of the XML Core Services may be installed side by side, so the presence of a newer version does not mean the vulnerable 4.0 control is absent. The surest way to check is to search the PC for files with "msxml" in their name and inspect their version numbers.
Until security updates are released, the surest safeguard is to disable ActiveX altogether or to turn off the affected controls by setting their kill bits. Microsoft has provided the following registry snippet to do this for the WMI control (save it as wmi.reg and execute it):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-4331-00C04FC30871}]
"Compatibility Flags"=dword:00000400
The same is done for the XML control with this registry patch (save it as xml.reg and execute it):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400
- Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution, advisory from Microsoft
- Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution, advisory from Microsoft
(ehe)