Microsoft Scrambling to Patch Exploit
This morning, Microsoft Security announced it has been alerted to proof-of-concept code that may already have been referenced in the creation of a malicious exploit.
Although details about the exploit itself have not yet be revealed, according to this morning's advisory, the point of weakness is a Windows library that is shipped with Visual Studio 2005, called wmiscriptutils.dll. Apparently a call to this library, placed from within a script executed in some installations of Internet Explorer 7 with default settings, on operating systems other than Windows Server 2003, can trigger possible unguarded remote malicious code execution.
"WMI" refers to Windows Management Instrumentation, which is Microsoft's system for making thousands of different points of constantly measured performance data accessible to outside programs. In this case, the dynamic link library in question is not WMI itself, but a collection of functions referred to as the "WMI object broker," that make WMI data more readily accessible to scripts written from within Visual Studio.
Many Windows systems have WMI installed, especially in the workplace where they may be actively monitored by tenacious system administrators. However, only development systems that use WMI will have this particular library file, which significantly reduces the number of computers in which the exploit may be effective.
Security companies have yet to analyze this threat, especially with details being kept confidential for now.
This is not the first time this particular library file has been the target of an exploit. Early this year, proof-of-concept code was published concerning an exploit that could enable remote code execution through misappropriating the CreateObject statement for invoking COM objects involved with Data Access Components (DAC). WMIScriptUtils.WMIObjectBroker2.1 was one of those objects.
Last April, Microsoft responded with a series of updates to all Data Access Components modules, in an attempt to thwart any such exploitation to the entire library set. There's no indication at this time that the earlier exploit is related to the current one.