Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: MS06-073: WMI Object Broker Vulnerability (CVE-2006-4704) - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
MS06-073: WMI Object Broker Vulnerability (CVE-2006-4704)
This one is "highly critical". A working exploit is already available for Metasploit.

The WMI Object Broker is a special ActiveX control which is used by Vsiaul Studio 2005. An attacker would use a malicious web page to exploit it. You have to have Visual Studio 2005 installed in order to be vulnerable. The vulnerable file is WmiScriptUtils.dll.

As with other ActiveX features, Internet Explorer 7 will mitigate them somewhat as you have to "opt-in" to individual ActiveX controlls in order to use them. The restricted mode in Windows 2003 will turn off ActiveX as well, limiting exposure.

What you should do:
- On a client with Visual Studio 2005 installed: Patch now.
- On a client without Visual Studio 2005: you should not have this control.
- On a server:  Check if you are using the "Enhanced Security Configuration" for MSIE. The patch is unlikely to apply.

I do recommend upgrading to Internet Explorer 7 if you are regularly using Internet Explorer.

eEye Advisory
I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS Cyber Defence Japan August 2022


4514 Posts
ISC Handler
Dec 12th 2006

Sign Up for Free or Log In to start participating in the conversation!