RealTime IT News

'Critical' Flaw in Visual Studio 2005

Software giant Microsoft says it is investigating and may issue an out-of-cycle patch to resolve a bug in an ActiveX control used by Visual Studio 2005.

The flaw, known as a zero-day vulnerability, is viewed as "extremely critical" by one security research firm.

Microsoft said while it knows of proof of concept code published publicly, it said any exploit would cause only "limited attacks." The software maker also released a security advisory suggesting ways users could avoid the flaw.

The vulnerability, part of the WMI Object Broker ActiveX found in the WmiScriptUtils.dll file, could allow attackers to gain administrator access. Users would need to visit Web sites that include the exploit, according to Microsoft.

Additionally, users of Visual Studio 2005 running on Windows Server 2003 or Windows systems with IE7's default configuration are not vulnerable to the exploit.

Microsoft said it would wait until its investigation ends before deciding whether to issue a fix before its regular patch session.

Danish security firm Secunia rated the flaw "critical" and said on its Web site that it is already being actively exploited.

Not everything is critical for Secunia, as it is downplaying reports of a newly discovered Windows XP flaw. The vulnerability is within the Windows Internet Connection Service, part of the operating system enabling users to share Internet connections on a local area network.

While the flaw could cause Windows Firewall to be disabled and open users to some risk, an attacker would need to be a part of the local area network to access the system. The firm issued a rather simple solution to use a router instead of ICS to share your Internet connection.