Takeaway: Microsoft has released two security advisories in the past week, confirming two separate ActiveX vulnerabilities. Exploit code is circulating for both threats, but Microsoft hasn't yet released patches. Get the details in this edition of the IT Locksmith, and learn about possible workarounds.
Two ActiveX threats have emerged for Microsoft users. Attack code is currently circulating, but workarounds are available.
Details
As confirmed in Microsoft Security Advisory 927709, "Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution," a remote code execution threat has emerged in Visual Studio 2005 (CVE-2006-4704). Proof-of-concept code is currently circulating, and there have been reports of attacks exploiting this vulnerability.
The ActiveX control at fault is the WMI Object Broker control. The vulnerability, linked to WmiScriptUtils.dll, doesn't affect users running Internet Explorer 7 with the default settings or those using Visual Studio 2005 on Windows Server 2003 with the default settings. The Microsoft security advisory lists possible workarounds, including directions for setting the kill bit to disable the vulnerable control.
In addition, Microsoft has released Security Advisory 927892, "Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution." The advisory details a separate XML Core Services threat linked to XMLHTTP 4.0.
US-CERT Vulnerability Note VU#585137 also addresses this threat. (US-CERT, the United States Computer Emergency Readiness Team, is the operational arm of the National Cyber Security Division of the Department of Homeland Security.)
While exploit code is available, the XMLHTTP ActiveX 4.0 control doesn't come installed with Windows XP by default. However, it's bundled with many applications, so this threat can affect Internet Explorer users. This vulnerability doesn't affect those running Windows Server 2003 in its default configuration (with the Enhanced Security Configuration).
Both the security advisory and the vulnerability note describe possible workarounds. In addition, there is a simple registry patch available.
You can set a kill bit to disable the specific ActiveX control in Internet Explorer. See Microsoft Knowledge Base article 240797 for details. You can also disable ActiveX entirely. For more information, see this US-CERT resource.
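The kill-bit workaround described above, as an added PowerShell example (not code from Microsoft's advisories or the original article): it sets the 0x400 "Compatibility Flags" value documented in KB 240797 and reports the result for each registry view. The function names are hypothetical and the CLSID is a placeholder; take the real CLSIDs from the advisories.

```powershell
# Added example: audit and set an Internet Explorer ActiveX kill bit.
# Key location and flag value (0x400) are those documented in KB 240797.
# Function names are hypothetical; run elevated, since the keys are under HKLM.
$KillBit = 0x400
$Name    = 'Compatibility Flags'
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # Registry view read by 32-bit IE on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path -LiteralPath $_ }

function Get-CompatFlags([string]$Key) {
    # Returns 0 when the key or the value does not exist yet
    $p = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return $p.$Name
}

function Test-KillBit([string]$Clsid) {
    # One result row per registry view, so a half-applied workaround is visible
    foreach ($root in $Roots) {
        $flags = Get-CompatFlags (Join-Path $root $Clsid)
        [pscustomobject]@{
            Root   = $root
            Flags  = '0x{0:X}' -f $flags
            Killed = (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit([string]$Clsid) {
    if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Expected a CLSID in {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} form, got: $Clsid"
    }
    foreach ($root in $Roots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so any other compatibility flags already present survive
        $new = (Get-CompatFlags $key) -bor $KillBit
        New-ItemProperty -LiteralPath $key -Name $Name -PropertyType DWord -Value $new -Force | Out-Null
    }
}

# Placeholder CLSID: substitute the control's CLSID from the relevant advisory.
$clsid = '{00000000-0000-0000-0000-000000000000}'
# Set-KillBit $clsid      # uncomment once the real CLSID is filled in
Test-KillBit $clsid | Format-Table -AutoSize
```

Run `Test-KillBit` again after deployment: a control that shows `Killed = False` in either view can still be instantiated by the matching 32-bit or 64-bit Internet Explorer.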