Visual Studio Browser Vulnerability?!

Update: this has been addressed by the MS06-073 patch, released on the December Patch Tuesday.

Now 'this' is an interesting 0day! Visual Studio is not something you see in the list of vulnerable apps every day, and when you do, it's usually not in relation to browser security. Of course, once you get into it, it's just a boring ol' ActiveX vulnerability, but still, it was exciting there for a second, right? No? Ok.

The vulnerable component is the WMI Object Broker ActiveX control. It's not there by default; it comes with Visual Studio 2005, so that alone is a fairly big mitigating factor. (The main people who would be vulnerable are therefore Developers! Developers! Developers! Developers!) Also, that new-fangled Internet Explorer 7 that you may have heard of is not vulnerable in its default settings (unless you opt in to running the control, of course). Finally, the higher default security settings of Windows Server 2003 are such that IE 6 on it is not vulnerable. This vulnerability is somewhat interesting in that it paves the way for using all your other favorite ActiveX controls. Apparently, this particular ActiveX control can instantiate other ActiveX controls in a way which bypasses their "kill bit" and "safe for scripting" options. The SecurityFocus BID says there is a Metasploit module for this vulnerability, and while the linked module does mention Visual Studio, I haven't been able to confirm that this exploit is specifically for this vulnerability.

The standard ActiveX vulnerability advice applies, and if you read this site long enough it will become almost an instinct: set a kill bit for the following CLSID:

7F5B7F63-F06F-4331-8A26-339E03C0AE3D

For more workarounds you can see the Microsoft advisory that I linked to at the very beginning of the post.
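Auditing and setting that kill bit with PowerShell, as an added example that is not part of the original post. It assumes the standard Internet Explorer kill-bit mechanism (the `Compatibility Flags` DWORD with bit 0x400 under the `ActiveX Compatibility` key), which the post itself does not spell out; the function names are hypothetical.

```powershell
# Added example (not from the original post). Run from an elevated 64-bit PowerShell.
$Clsid   = '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'  # CLSID given in the post
$KillBit = 0x400                                      # kill-bit flag in "Compatibility Flags"
$Name    = 'Compatibility Flags'
# Native and 32-bit registry views; the second root is absent on 32-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path $_ }

function Get-CompatFlags([string]$Key) {
    # Returns 0 when the key or the value does not exist yet.
    if (-not (Test-Path $Key)) { return 0 }
    $prop = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return [int]$prop.$Name
}

function Get-KillBitState {
    # One row per registry view, so a kill bit set in only one view is visible.
    foreach ($root in $Roots) {
        $key   = Join-Path $root $Clsid
        $flags = Get-CompatFlags $key
        [pscustomobject]@{
            Key    = $key
            Flags  = '0x{0:X8}' -f $flags
            Killed = ($flags -band $KillBit) -ne 0
        }
    }
}

function Set-KillBit {
    foreach ($root in $Roots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so any other compatibility flags already present survive.
        $new = (Get-CompatFlags $key) -bor $KillBit
        New-ItemProperty -Path $key -Name $Name -PropertyType DWord -Value $new -Force | Out-Null
    }
}

Get-KillBitState | Format-Table -AutoSize   # audit first
# Set-KillBit; Get-KillBitState             # uncomment to apply, then re-check
```

On 64-bit Windows both views matter, because 32-bit Internet Explorer reads the `WOW6432Node` copy of the key.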

CVE-2006-4704
ISC's coverage
CERT's page
ISC update of in-the-wild activity here

This vulnerability does not appear to have been patched during the November patch cycle.