Print this article  |  E-mail this article  |  Comment on this article

Microsoft Scrambling to Patch Exploit

By Scott M. Fulton, III, BetaNews

November 1, 2006, 1:00 PM

This morning, Microsoft Security announced it has been alerted to proof-of-concept code that may already have been referenced in the creation of a malicious exploit.

Although details about the exploit itself have not yet be revealed, according to this morning's advisory, the point of weakness is a Windows library that is shipped with Visual Studio 2005, called wmiscriptutils.dll. Apparently a call to this library, placed from within a script executed in some installations of Internet Explorer 7 with default settings, on operating systems other than Windows Server 2003, can trigger possible unguarded remote malicious code execution.

"WMI" refers to Windows Management Instrumentation, which is Microsoft's system for making thousands of different points of constantly measured performance data accessible to outside programs. In this case, the dynamic link library in question is not WMI itself, but a collection of functions referred to as the "WMI object broker," that make WMI data more readily accessible to scripts written from within Visual Studio.

Many Windows systems have WMI installed, especially in the workplace where they may be actively monitored by tenacious system administrators. However, only development systems that use WMI will have this particular library file, which significantly reduces the number of computers in which the exploit may be effective.

Security companies have yet to analyze this threat, especially with details being kept confidential for now.

This is not the first time this particular library file has been the target of an exploit. Early this year, proof-of-concept code was published concerning an exploit that could enable remote code execution through misappropriating the CreateObject statement for invoking COM objects involved with Data Access Components (DAC). WMIScriptUtils.WMIObjectBroker2.1 was one of those objects.

Last April, Microsoft responded with a series of updates to all Data Access Components modules, in an attempt to thwart any such exploitation to the entire library set. There's no indication at this time that the earlier exploit is related to the current one.

Add a Comment (3 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By x-ray

posted Nov 1, 2006 - 2:06 PM

Bulls***, update update, make me and my bank/games/site codes safe

Score: 0

By Metshrine

edited Nov 1, 2006 - 3:38 PM

However, only development systems that use WMI will have this particular library file, which significantly reduces the number of computers in which the exploit may be effective.

Perhaps you should read, ONLY DEVELOPMENT SYSTEMS WITH THIS WMI FILE ARE EXPLOITABLE. Do you have VS installed or a development suite which installed this file? If not, then you are safe.

Score: 0

By bsf

posted Nov 1, 2006 - 10:00 PM

maybe I should un-install my VS suite...
I haven't been using forever since I changed jobs lol

Score: 0

Sep 5 - 8:44 PM ET Mozilla's Aza Raskin: The journey back to Ubiquity

Sep 5 - 7:10 PM ET Red Hat buys virtualization specialist Qumranet

Sep 5 - 7:06 PM ET Analysts: Online news viewers rising as newspaper readership falls

Sep 5 - 6:55 PM ET Where does Sarah Palin stand on technology issues?

Sep 5 - 6:51 PM ET Adobe Flash to deliver NFL games in full

Sep 5 - 4:29 PM ET Exclusive beta invitation from GameTap and BetaNews

Sep 5 - 4:09 PM ET Report: OLPC buy one, give one deal returns

Sep 5 - 3:45 PM ET No ruling yet in TiVo vs. EchoStar patent case

Sep 5 - 3:37 PM ET Google Analytics starts tracking Chrome, with intriguing results

Sep 5 - 2:14 PM ET Comcast challenges FCC's authority in sanction appeal