November 1, 2006 11:32 AM PST
Attack code out for Visual Studio flaw
The flaw lies in an ActiveX control in Visual Studio 2005, Microsoft said in a security advisory sent out late Tuesday. "An attacker who successfully exploited this vulnerability could take complete control of the affected system," the software maker warned.
Cybercrooks are already using the vulnerability to launch attacks, the French Security Incident Response Team said in an alert. The security-monitoring company deems the issue "critical," its most serious rating.
Microsoft, on its Security Response blog, said it is aware of the possibility of limited attacks that are attempting to use the flaw.
For an attack to be successful, a Visual Studio user would have to be tricked into viewing a rigged Web site, Microsoft said. A fix for the flaw is planned and will be released as part of the company's regular patch cycle, but the company did not specify which "Patch Tuesday" would see the fix.
The vulnerable ActiveX control is the WMI Object Broker, which is included in WmiScriptUtils.dll. It is used by the WMI Wizard in Visual Studio 2005. WMI, or Windows Management Instrumentation, is a set of extensions to the Windows Driver Model.
The flaw affects systems running Visual Studio 2005. Those with Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected, Microsoft said.
Visual Studio 2005 machines that have been upgraded to Internet Explorer 7 with default settings are also not at risk, unless the WMI Object Broker ActiveX control has been activated through the ActiveX Opt-in Feature in the Internet Zone, the company said.
Microsoft's next patch release day is Nov. 14.