Microsoft releases latest security advisory


Microsoft released a security advisory yesterday, on 31 October 2006, to address public reports and proof-of-concept code exploiting a vulnerability in an ActiveX control shipped with Visual Studio 2005 on Windows that could allow remote code execution. The vulnerability affects all editions of Windows except those running Visual Studio 2005 on Microsoft Windows Server 2003 (with and without SP1) in their default configuration, where Enhanced Security Protection is turned on by default. It also does not affect users running IE7 unless they choose to enable the control through IE7's ActiveX Opt-in feature.

The ActiveX control is the WMI Object Broker control, which is included in WmiScriptUtils.dll.

Mitigating Factors

For remote code execution to happen in a web-based attack, the attacker has to trick the user into visiting a malicious website. If the attacker succeeds and triggers the vulnerability, the attacker gets the same privileges as the locally logged-on user, so anyone running with minimal user privileges is less affected than those running with full administrator privileges. In addition, as mentioned earlier, this ActiveX control is disabled by default in IE7, and Windows Server 2003 in its default configuration runs in Enhanced Security mode. By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Outlook 2000 also opens HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed, and Outlook Express 5.5 Service Pack 2 does so if Microsoft Security Bulletin MS04-018 has been installed.
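Beyond the browser-side mitigations above, an administrator will want to know whether the affected control is even registered on a given machine. The following PowerShell script is an added example, not part of the original post or the advisory: it lists the COM classes served by WmiScriptUtils.dll and reports whether Internet Explorer's ActiveX Compatibility "kill bit" (Compatibility Flags 0x400, the standard per-CLSID way to stop IE instantiating a control) is set for each. The DLL name comes from the post; the kill-bit check is the assumed mitigation and is not mentioned in the post.

```powershell
# Added example (not from the original post): inventory which COM classes on this
# host are served by WmiScriptUtils.dll and whether IE's ActiveX Compatibility
# kill bit (Compatibility Flags 0x400) is set for each. Read-only; run in an
# elevated PowerShell prompt on the Windows host being checked.
$dllName     = 'WmiScriptUtils.dll'
$killBitFlag = 0x400
$compatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

$results = foreach ($clsidKey in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
    # Only in-process COM servers matter for an ActiveX control hosted by IE.
    $server = Get-ItemProperty -Path "$($clsidKey.PSPath)\InprocServer32" -Name '(default)' -ErrorAction SilentlyContinue
    if (-not $server) { continue }
    $path = [string]$server.'(default)'
    if ($path -notmatch [regex]::Escape($dllName)) { continue }

    $clsid  = $clsidKey.PSChildName
    $compat = Get-ItemProperty -Path "$compatRoot\$clsid" -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $flags  = if ($compat) { [int]$compat.'Compatibility Flags' } else { 0 }

    [pscustomobject]@{
        CLSID      = $clsid
        ServerPath = $path
        KillBitSet = (($flags -band $killBitFlag) -ne 0)
    }
}

if (-not $results) {
    "No COM classes served by $dllName are registered on this host."
} else {
    # Any row with KillBitSet = False is a control IE will still instantiate.
    $results | Format-Table -AutoSize
}
```

On 64-bit Windows the 32-bit registration lives under the Wow6432Node view as well, so run the script from both a 64-bit and a 32-bit PowerShell host to cover both.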

Some Thoughts

  1. Given the number of websites running today, it is very difficult to distinguish between a benign and a malicious website. With so many website-promoting tools available (Digg, Furl, del.icio.us, RSS), it would be very easy to get someone to visit a malicious website by giving the link a catchy title.
  2. IE7 has been released very recently. It's unlikely that many home users have upgraded to it, let alone enterprise users. I suspect many of them are still on IE6.0 SP2, so saying that this control is disabled in IE7 doesn't mean much.
  3. Nobody uses Windows Server 2003 for their day-to-day browsing needs, as it is highly unbrowsable: every website has to be added to the allowed zone. Whoever does use it does so in a non-default configuration, which may very well be vulnerable to this threat.
  4. How many times have we enabled active content in e-mail messages in Outlook or Outlook Express when it displays a notification that it has blocked some active content in the message?
  5. How many users do you know who run as a plain user on their home PCs? I have seen many enterprises give their users full administrator access on their computers because it's easy and less of a headache.

Precautions

We can try as much as we like to defeat such threats using technology. However, safe browsing habits and a security-minded approach would easily defeat them. Some precautions I take are:

  1. Not clicking on any link in an e-mail from an untrusted source.
  2. Identifying some trusted sources of information and visiting those for all my information needs.
  3. Keeping my computers up to date with all patches.
  4. Running anti-spyware on my computers (it really does a good job of identifying suspected malicious websites).