In association with heise online

22 January 2008, 11:02

Vulnerabilities in Visual Studio 6


Developers who still use Microsoft Visual Studio 6 and open project files downloaded from the internet risk infection with malicious code. In both the Visual Basic components and Visual InterDev, which creates web applications with Microsoft's Active Server Pages (ASP), a buffer overflow can occur when specially crafted project files are opened, allowing injected code to be executed in the process.

Demo programs that supposedly demonstrate the vulnerability have already appeared in the milw0rm archive. They create manipulated project files for Visual Basic (.dsr) and Visual InterDev (.sln). In Visual Basic, the error can occur when over-long values for the options ConnectionName and CommandName are processed; in InterDev, it can occur when over-long values in the Project field are processed.

Microsoft has yet to release an update, and indeed may not do so at all, because the products in question are more than 10 years old, and the vendor no longer supports these outdated versions. Developers can protect themselves by first opening project files from potentially untrustworthy sources in a text editor, inspecting them manually and correcting any entries that seem suspect before loading them in Visual Studio.
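The manual inspection described above can be supported by a small pre-check. The following Python script is an added example, not part of the original article or any vendor tooling; it reports lines in .dsr and .sln files where the fields named in the article carry unusually long values or control characters. The 256-character threshold and the assumption that the value follows the field name on the same line are illustrative choices, not details from the advisory.

```python
import re
import sys

# Field names come from the article; the 256-character limit is an assumed
# review threshold, not a value taken from the advisory.
FIELDS = re.compile(r"\b(ConnectionName|CommandName|Project)\b(.*)", re.IGNORECASE)
MAX_VALUE_LEN = 256


def suspicious_entries(text, max_len=MAX_VALUE_LEN):
    """Return (line_no, field, value_length, reason) for entries worth a manual look."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = FIELDS.search(line)
        if not match:
            continue
        # Assumption: the value is whatever follows the field name on this line.
        field, value = match.group(1), match.group(2).strip(" \t=:")
        if len(value) > max_len:
            findings.append((line_no, field, len(value), "over-long value"))
        elif any((ord(ch) < 0x20 and ch != "\t") or ord(ch) == 0x7F for ch in value):
            findings.append((line_no, field, len(value), "control characters"))
    return findings


def scan_file(path, max_len=MAX_VALUE_LEN):
    # latin-1 maps every byte to one character, so lengths are byte counts.
    with open(path, "rb") as handle:
        return suspicious_entries(handle.read().decode("latin-1"), max_len)


if __name__ == "__main__":
    # Usage: python check_project.py file.dsr file.sln
    for path in sys.argv[1:]:
        for line_no, field, length, reason in scan_file(path):
            print(f"{path}:{line_no}: {field} ({length} chars): {reason}")
```

A clean result only means none of the three fields exceeded the chosen threshold; files from untrusted sources still warrant the text-editor review before they are opened in the IDE.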
