Another zero day: WMIObjectBroker

This one has been out for a while but now it’s reported in the wild.

From SANS:

Rohit from Tippingpoint advised us that he is seeing a large number of attacks from Russia using an un-patched vulnerability in the WMIObjectBroker ActiveX control (CVE-2006-4704). He is seeing it used as part of a drive-by download. Typically, the Trojan "Galopoper.A" is loaded.

There is no patch available at this point. Tippingpoint and the Bleedingthreats projects have signatures available to detect this attack. Rohit mentioned that there is a Metasploit module for this vulnerability.

Microsoft link here, with workarounds.

Secunia here.

CERT here.

I’ll have more news as it comes out.