Microsoft Scrambling to Patch Exploit

By Scott M. Fulton, III | Published November 1, 2006, 1:00 PM

This morning, Microsoft Security announced it has been alerted to proof-of-concept code that may already have been referenced in the creation of a malicious exploit.

Although details about the exploit itself have not yet been revealed, according to this morning's advisory, the point of weakness is a Windows library shipped with Visual Studio 2005, called wmiscriptutils.dll. Apparently a call to this library, placed from within a script executed in some installations of Internet Explorer 7 with default settings, on operating systems other than Windows Server 2003, can potentially allow unguarded remote execution of malicious code.

"WMI" refers to Windows Management Instrumentation, which is Microsoft's system for making thousands of different points of constantly measured performance data accessible to outside programs. In this case, the dynamic link library in question is not WMI itself, but a collection of functions referred to as the "WMI object broker," that make WMI data more readily accessible to scripts written from within Visual Studio.

Many Windows systems have WMI installed, especially in the workplace where they may be actively monitored by tenacious system administrators. However, only development systems that use WMI will have this particular library file, which significantly reduces the number of computers in which the exploit may be effective.

Security companies have yet to analyze this threat, especially with details being kept confidential for now.

This is not the first time this particular library file has been the target of an exploit. Early this year, proof-of-concept code was published concerning an exploit that could enable remote code execution through misappropriating the CreateObject statement for invoking COM objects involved with Data Access Components (DAC). WMIScriptUtils.WMIObjectBroker2.1 was one of those objects.

Last April, Microsoft responded with a series of updates to all Data Access Components modules, in an attempt to thwart any such exploitation of the entire library set. There's no indication at this time that the earlier exploit is related to the current one.

Comments


Bulls***, update update, make me and my bank/games/site codes safe

Score: 0


However, only development systems that use WMI will have this particular library file, which significantly reduces the number of computers in which the exploit may be effective.

Perhaps you should read, ONLY DEVELOPMENT SYSTEMS WITH THIS WMI FILE ARE EXPLOITABLE. Do you have VS installed or a development suite which installed this file? If not, then you are safe.

Score: 0


maybe I should un-install my VS suite...
I haven't been using forever since I changed jobs lol

Score: 0
