Hackers Aim At Microsoft Visual Studio 2005
The application development platform loads a buggy ActiveX component into Internet Explorer, Microsoft's browser, when users call on the WMI Wizard from within Visual Studio 2005, the Redmond, Wash. developer said in a security advisory posted late Tuesday. Hackers can exploit the vulnerability with the usual method of enticing users to dodgy Web sites.
"We are aware of the possibility of limited attacks that are attempting to use the reported vulnerability," said Christopher Budd, program manager at Microsoft's Security Response Center (MSRC), on the team's blog Wednesday.
In its advisory, Microsoft not only said it was investigating, but promised it would patch the problem. "We will include the fix for this issue in an upcoming security bulletin," the company said. The next scheduled security updates will be released in just under two weeks, on Nov. 14.
Danish vulnerability tracker Secunia pegged the bug as "Extremely critical," its highest possible ranking. Secunia justified the rating by noting that the flaw has not been fixed and is "already being actively exploited."
Microsoft's recently released Internet Explorer 7 is somewhat more secure against possible threats, Microsoft said, since the new browser's default allow-list for ActiveX controls doesn't include the one called by Visual Studio 2005. A careless user, however, could click through the warning that pops up when a non-default control tries to load for the first time.
As it typically does when a vulnerability is uncovered within an ActiveX control, Microsoft told users they could block the current exploit by setting a "kill bit" in the Windows registry. Other temporary tactics offered in the advisory included configuring older editions of IE to prompt the user before running an ActiveX control, or disabling Active Scripting entirely. Active Scripting can be switched off via the Tools|Internet Options|Security controls.
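The kill-bit workaround mentioned above, as an added PowerShell example that is not from Microsoft's advisory or the original article: it checks and sets the `0x400` bit of `Compatibility Flags` under Internet Explorer's `ActiveX Compatibility` registry key, covering the 32-bit registry view as well. The CLSID is a placeholder (the article does not give the control's identifier), the function names are hypothetical, and an elevated 64-bit PowerShell session is assumed.

```powershell
# Added example. Placeholder CLSID: the article does not name the control's
# CLSID, so substitute the value published in the vendor advisory.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'
$KillBit = 0x400   # Compatibility Flags bit that stops IE instantiating the control

function Get-KillBitPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    $sub   = "Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $paths = @("HKLM:\SOFTWARE\$sub")
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both.
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\$sub"
    }
    $paths
}

function Get-CompatFlags {
    param([Parameter(Mandatory)][string]$Path)
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-KillBitPaths $Clsid) {
        $flags = Get-CompatFlags $path
        [pscustomobject]@{
            Path    = $path
            Flags   = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
            Blocked = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-KillBitPaths $Clsid) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # OR the bit in so any other compatibility flags already present survive.
        $new = (Get-CompatFlags $path) -bor $KillBit
        New-ItemProperty -Path $path -Name 'Compatibility Flags' `
            -PropertyType DWord -Value $new -Force | Out-Null
    }
}

Set-KillBit  $Clsid
Test-KillBit $Clsid | Format-Table -AutoSize
```

Running `Test-KillBit` on its own gives a read-only audit; a row with `Blocked` set to `False` means Internet Explorer in that registry view can still load the control.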