New MSDDS Vulnerability in Microsoft Office and Microsoft Visual Studio
by Judith Dinowitz
In the wake of the Zotob worm and the Plug 'N Play vulnerability (see our article on that), a new vulnerability was announced on August 17th, along with exploit code.
This issue is due to a memory corruption error when instantiating the "Msdds.dll" (Microsoft Design Tools Diagram Surface) object as an ActiveX control. This flaw could be exploited by an attacker to take complete control of an affected system via a specially crafted Web page.
Only systems where the "Msdds.dll" library is installed are vulnerable. (This library is installed with Microsoft Office and Microsoft Visual Studio.)
While there is no patch from Microsoft, the Internet Storm Center has announced several measures you can take to protect yourself:
- The ISC released a number of scripts to set the "kill bit" for the affected ActiveX component. This prevents Internet Explorer from using the vulnerable ActiveX component. msdds.dll may still be used by local applications (and this is OK), but setting the kill bit may break ActiveX applications accessed via the browser if they make use of this vulnerable function.
- You can make the same change using the registry editor. You'll find the details in their Diary.
- Remove the vulnerable DLL from your system. (This may break applications that use it.)
- Use 'DropMyRights' to limit the impact of an exploit.
- Use an alternative browser, such as Firefox, which doesn't use ActiveX. (They note that Netscape 8, which uses MSIE to render code, may be vulnerable. They have not confirmed this yet.)
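The kill-bit change described in the first two measures, shown as an added PowerShell example (this is not ISC's script and not part of the original article). It assumes the standard Internet Explorer "ActiveX Compatibility" registry key and the 0x400 kill-bit flag; the CLSID is a placeholder to be replaced with the value given in the ISC Diary, and the Wow6432Node check goes beyond the article to cover 32-bit Internet Explorer on 64-bit Windows.

```powershell
# Added example: audit (default) or set (-Set, needs an elevated prompt) the
# Internet Explorer kill bit for one ActiveX control.
param(
    # Placeholder, NOT the real CLSID: take the msdds.dll CLSID from the ISC Diary.
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',
    [switch]$Set
)

$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from instantiating the control
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # Registry view used by 32-bit Internet Explorer on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags([string]$KeyPath) {
    # Returns 0 when the key or the value does not exist yet
    $item = Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return $item.'Compatibility Flags'
}

foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }   # this registry view is absent on the system
    $key   = Join-Path $root $Clsid
    $flags = Get-CompatFlags $key

    if ($Set -and -not ($flags -band $KillBit)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so that any other compatibility flags already set are preserved
        $flags = $flags -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    }

    # One result object per registry view, suitable for piping into a report
    [pscustomobject]@{
        Key        = $key
        Flags      = '0x{0:X8}' -f $flags
        KillBitSet = [bool]($flags -band $KillBit)
    }
}
```

Run without `-Set`, the script only reports whether the kill bit is present, which is useful for checking that the change reached every machine.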
You'll find more information about this exploit, and about how to recognize malicious web pages that exploit this vulnerability, in the following articles:
Current Internet Threat Level (Internet Security Systems, August 17, 2005)
FrSIRT Advisory (French Security Incident Response Team Advisory, August 17, 2005)
Internet Storm Center Diary (ISC, August 18, 2005)