Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: MS06-073: WMI Object Broker Vulnerability (CVE-2006-4704) - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
MS06-073: WMI Object Broker Vulnerability (CVE-2006-4704)
This one is "highly critical". A working exploit is already available for Metasploit.

The WMI Object Broker is a special ActiveX control which is used by Vsiaul Studio 2005. An attacker would use a malicious web page to exploit it. You have to have Visual Studio 2005 installed in order to be vulnerable. The vulnerable file is WmiScriptUtils.dll.


As with other ActiveX features, Internet Explorer 7 will mitigate them somewhat as you have to "opt-in" to individual ActiveX controlls in order to use them. The restricted mode in Windows 2003 will turn off ActiveX as well, limiting exposure.

What you should do:
- On a client with Visual Studio 2005 installed: Patch now.
- On a client without Visual Studio 2005: you should not have this control.
- On a server:  Check if you are using the "Enhanced Security Configuration" for MSIE. The patch is unlikely to apply.

I do recommend upgrading to Internet Explorer 7 if you are regularly using Internet Explorer.

References:
KB927709
MS06-073
CVE-2006-4704
eEye Advisory
I will be teaching next: Defending Web Applications Security Essentials - SANS Munich July 2019

Johannes

3535 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!