ALARM Group ALERT
Alert Number: 110106-01
Alert Date: 11/1/06
Alert Title: Microsoft releases security advisory for *UNPATCHED* Visual Studio vulnerability
Update-to: None
OS/Platform/Application: Microsoft Visual Studio 2005 on all platforms EXCEPT:
  Windows 2003 with Enhanced Security Mode in the default configuration
  Microsoft Internet Explorer 7 in the default configuration
Category: ALERT
Severity: HIGH
Attention: System Administrators, Desktop Support Personnel, Visual Studio users
Summary: On October 31, 2006, Microsoft released Security Advisory 927709. This advisory addresses a vulnerability in Visual Studio 2005 that could allow a remote attacker to gain control of a vulnerable system. The most probable vector of exploitation is the viewing of a specially crafted website. At the time of this writing (2:42 PM 11/1/06), several Internet security-related agencies are reporting the existence and public release of proof-of-concept code to exploit this vulnerability. Microsoft has not yet made a patch available to definitively fix the issue. Security Advisory 927709 does offer some advice on best practices to minimize the risk of exploitation, as well as some technical workarounds.
Recommended Actions: Persons who manage, maintain or use systems that run Visual Studio 2005 are encouraged to read Security Advisory 927709 (and the other associated information; links are provided below) to obtain a better understanding of the vulnerability and the risks and benefits of the vendor-suggested workaround options.
ITS Actions: At this time, ITS is taking no specific additional actions to address this software vulnerability. An update will be issued if the situation changes.
Resources:
Microsoft Security Advisory 927709:
http://www.microsoft.com/technet/security/advisory/927709.mspx
SANS Article on the vulnerability:
http://isc.sans.org/diary.php?storyid=1813
FrSirt advisory:
http://www.frsirt.com/english/advisories/2006/4282