priestmaster has discovered a vulnerability in Microsoft Visual Studio, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused by a design error: program code within the "Load" event of a user-defined control is automatically executed when a project containing a form that uses the malicious control is opened. This can be exploited to execute arbitrary program code.
Successful exploitation requires that the user is, for example, tricked into opening a Solution file in a malicious Visual Studio project.
The vulnerability has been confirmed in Microsoft Visual C# 2005 Express Edition. Other versions may also be affected.
Note: It is also possible to modify Visual Studio's ".dsp" project files to include arbitrary post-build commands that are executed when the project is built.
Solution: Do not open or build Visual Studio project files from untrusted sources.
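A pre-build review check for the ".dsp" note above, as an added example that is not part of the original advisory: it lists every command a project file would run at build time, grouped by build configuration, so the file can be inspected as text before it is ever built. The key names `PostBuild_Cmds` and `PreLink_Cmds` and the tab separator between commands are assumptions about the ".dsp" format, and the sample project text is constructed.

```python
import re

# Assumption: build-time commands in a ".dsp" file sit in these keys of a
# "Special Build Tool" section; the advisory only says "post-build commands".
CMD_KEY = re.compile(r'^\s*(PostBuild_Cmds|PreLink_Cmds)\s*=\s*(.*)$', re.I)
# Per-configuration sections open with !IF / !ELSEIF "$(CFG)" == "<name>".
CFG_LINE = re.compile(r'^\s*!(?:ELSE)?IF\s+"\$\(CFG\)"\s*==\s*"([^"]+)"', re.I)
ALL_CONFIGS = "(all configurations)"


def find_build_commands(dsp_text):
    """Return (line_no, configuration, key, command) for each build-time command."""
    findings = []
    config = ALL_CONFIGS
    for line_no, line in enumerate(dsp_text.splitlines(), start=1):
        cfg = CFG_LINE.match(line)
        if cfg:
            config = cfg.group(1)
            continue
        if line.strip().upper().startswith("!ENDIF"):
            config = ALL_CONFIGS
            continue
        hit = CMD_KEY.match(line)
        if hit:
            # Assumption: several commands on one line are tab-separated.
            for command in hit.group(2).split("\t"):
                if command.strip():
                    findings.append((line_no, config, hit.group(1), command.strip()))
    return findings


# Constructed sample project text (not taken from any real project).
SAMPLE_DSP = "\n".join([
    '# Microsoft Developer Studio Project File - Name="demo" - Package Owner=<4>',
    '!IF  "$(CFG)" == "demo - Win32 Release"',
    '# Begin Special Build Tool',
    'SOURCE="$(InputPath)"',
    'PostBuild_Desc=Copying files',
    'PostBuild_Cmds=echo constructed-sample-1\techo constructed-sample-2',
    '# End Special Build Tool',
    '!ELSEIF  "$(CFG)" == "demo - Win32 Debug"',
    '!ENDIF',
])

if __name__ == "__main__":
    for line_no, config, key, command in find_build_commands(SAMPLE_DSP):
        print(f"line {line_no} [{config}] {key}: {command}")
```

An empty result only means none of the assumed keys were found; it does not cover the user-control "Load" event issue, which triggers when the project is opened rather than built.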
Provided and/or discovered by: priestmaster
Additional information by:
Donnie Werner, Exploitlabs
Original Advisory: Microsoft KB841189:
Team Priestmasters Research Facility:
Subject: Microsoft Visual Studio User Control Load Event Vulnerability