Vulnerabilities in Visual Studio 6
Developers who still use Microsoft Visual Studio 6 and open project files downloaded from the internet risk being infected with malicious code. In both the Visual Basic components and Visual InterDev, which creates web applications with Microsoft's Active Server Pages (ASP), a buffer overflow can occur when specially crafted project files are opened, allowing injected code to be executed.
Demo programs that supposedly demonstrate the vulnerability have already popped up in the milw0rm archive. They create manipulated project files for Visual Basic (.dsr) and Visual InterDev (.sln). In Visual Basic, the error can occur when excessively long values for the options ConnectionName and CommandName are processed, whereas in InterDev it can occur when overly long values in the Project field are processed.
Microsoft has yet to release an update, and indeed may not do so at all, because the products in question are more than 10 years old, and the vendor no longer supports these outdated versions. Developers can protect themselves by first inspecting project files from potentially untrustworthy sources manually in a text editor, and correcting any entries that seem suspect, before opening them in the development environment.
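The manual inspection described above can be pre-screened with a script. The following is an added example, not part of the original report or of any Microsoft tool: it flags overlong values for the fields named in the article. The 256-character threshold and the assumption that each field sits on its own text line are illustrative choices, since the article gives no buffer size or file layout.

```python
import re
from pathlib import Path

# Fields named in the article, keyed by project file extension.
FIELDS = {
    ".dsr": ("ConnectionName", "CommandName"),
    ".sln": ("Project",),
}
# Assumed threshold: the article gives no buffer size, so this is a
# conservative cut-off for "longer than any plausible name", not a known limit.
MAX_VALUE_LEN = 256


def scan_text(text, suffix, max_len=MAX_VALUE_LEN):
    """Return (line_no, field, value_length) for every overlong field value."""
    names = FIELDS.get(suffix.lower(), ())
    if not names:
        return []
    # Field name at the start of a line, then everything up to end of line.
    pattern = re.compile(
        r"^\s*(%s)\b(.*)$" % "|".join(map(re.escape, names)), re.IGNORECASE
    )
    findings = []
    # Split on LF only: str.splitlines() would also break on control bytes
    # that padding may contain, which would hide an overlong value.
    for line_no, line in enumerate(text.split("\n"), start=1):
        match = pattern.match(line.rstrip("\r"))
        if match:
            length = len(match.group(2).strip())
            if length > max_len:
                findings.append((line_no, match.group(1), length))
    return findings


def scan_file(path):
    """Scan one project file without opening it in the IDE."""
    path = Path(path)
    # latin-1 maps every byte to one character, so non-text bytes cannot
    # raise a decode error and still count towards the measured length.
    return scan_text(path.read_bytes().decode("latin-1"), path.suffix)


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        for line_no, field, length in scan_file(name):
            print(f"{name}:{line_no}: {field} value is {length} characters long")
```

A flagged line is only a prompt to look at that entry in a text editor; a clean result does not prove the file is safe.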
- MS Visual Basic Enterprise Ed. 6 SP6 ".dsr" File Handling Buffer Overflow, exploit at milw0rm.com by shinnai
- Microsoft Visual InterDev 6.0 (SP6) ".sln" files Local Buffer Overflow, exploit at milw0rm.com by shinnai
(mba)