Yesterday, we wrote about new extremely critical vulnerability in Microsoft software utilized by an exploit that installs malware to computers running Internet Explorer 6 and Internet Explorer 7. Today, it’s another new flaw. It was discovered more than a week ago, but hackers began actively exploiting it just now.
Vulnerability is quite similar to that we wrote about. It is a flaw in the WMIObjectBroker ActiveX control, which is a part of Microsoft Visual Studio 2005. Fully functional exploit is hosted on malicious web sites mostly in Russia. An expert from TippingPoint, a company providing intrusion prevention systems, says that he is seeing a large number of attacks, which result in infection with widely spread malware. Usually, it’s the Galapoper trojan that secretly downloads and installs other parasites.
Fortunately, most computers running Windows and Internet Explorer are not vulnerable. Microsoft Visual Studio is used mostly by software developers and not by regular home and office users. Furthermore, the WMIObjectBroker ActiveX control is not activated by default. You are in risk only if the wmiscriptutils.dll file associated with that control is present in your system.
There is no patch available at the moment. This makes a new flaw critical. Microsoft suggests tested workarounds, though. The most recommended is setting the kill bit for the vulnerable ActiveX control in the registry.
To set the kill bit for a CLSID with a value of {7F5B7F63-F06F-4331-8A26-339E03C0AE3D} paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}]
“Compatibility Flags”=dword:00000400You can apply this .reg file to individual systems by double-clicking it.
