Windows WMIObjectBroker (Visual Studio 2005) 0-Day Exploit
Rohit from Tippingpoint advised us that he is seeing a large number of attacks from Russia using an unpatched vulnerability in the WMIObjectBroker ActiveX control (CVE-2006-4704). He is seeing it used as part of a drive-by download. Typically, the Trojan "Galopoper.A" is loaded.
There is no patch available at this point. Tippingpoint and the Bleedingthreats projects have signatures available to detect this attack. Rohit mentioned that there is a Metasploit module for this vulnerability.
The WMIObjectBroker ActiveX component is part of Visual Studio 2005 and is associated with WmiScriptUtils.dll, so you are only vulnerable if you find WmiScriptUtils.dll on your system. Also, this ActiveX component is not activated by default. For more details about this vulnerability, see http://www.microsoft.com/technet/security/advisory/927709.mspx
Update: Snort rules: 8369 and 8370.
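One way to run the "is WmiScriptUtils.dll on this system" check described above. This is an added example, not part of the original diary or of Microsoft's advisory. It assumes PowerShell 3.0 or later in an elevated session, discovers the control's CLSID from the registry rather than hard-coding it, and also reads Internet Explorer's general ActiveX kill-bit flag (Compatibility Flags 0x400), which the diary does not mention.

```powershell
# Added example, not from the diary. Requires PowerShell 3.0+; run elevated.
$dllName = 'WmiScriptUtils.dll'   # DLL name as given in the diary

# 1. Locate copies of the DLL on local fixed disks (DriveType 3).
$files = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    Get-ChildItem -Path ($_.DeviceID + '\') -Filter $dllName -Recurse -File -ErrorAction SilentlyContinue
}

# 2. Find COM classes served by that DLL in the 64-bit and 32-bit registry views,
#    and read the IE kill bit (Compatibility Flags 0x400) for each CLSID found.
$ie = 'Microsoft\Internet Explorer\ActiveX Compatibility'
$views = @(
    @{ Clsid = 'HKLM:\SOFTWARE\Classes\CLSID';             Compat = "HKLM:\SOFTWARE\$ie" },
    @{ Clsid = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'; Compat = "HKLM:\SOFTWARE\WOW6432Node\$ie" }
)
$classes = foreach ($v in $views) {
    if (-not (Test-Path $v.Clsid)) { continue }          # view absent on 32-bit Windows
    foreach ($key in Get-ChildItem -Path $v.Clsid -ErrorAction SilentlyContinue) {
        $sub = try { $key.OpenSubKey('InprocServer32') } catch { $null }
        if (-not $sub) { continue }
        $server = [string]$sub.GetValue('')              # default value = in-process server path
        $sub.Close()
        if ($server -notlike "*$dllName*") { continue }
        $compatKey = Join-Path $v.Compat $key.PSChildName
        $flags = (Get-ItemProperty -LiteralPath $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            CLSID   = $key.PSChildName
            View    = $v.Clsid
            Server  = $server
            KillBit = [bool]($flags -band 0x400)         # True = IE will not instantiate it
        }
    }
}

# 3. Report what was found.
$files   | Format-List FullName, @{ n = 'FileVersion'; e = { $_.VersionInfo.FileVersion } }
$classes | Format-Table CLSID, KillBit, Server -AutoSize
if (-not $files -and -not $classes) { "No $dllName and no matching COM registration found." }
```

A host that lists the DLL with a registered class and `KillBit` False is the one to prioritize for mitigation and for the IDS signatures mentioned above.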