At this point, there is no patch available. Exploit code has been released and is expected to be used in the wild shortly (if it hasn't been used already).
To be vulnerable, you need to have 'msdds.dll' installed. Usually, it is installed by Visual Studio .Net, but it has been found to be installed by a number of other applications as well, as it may be distributed with .Net-based applications.
Typically, you will find it in Program Files\Common Files\MicrosoftShared\MSDesigners7. [Jordan]
Here is a list of applications that may install this component:
(Disclaimer: We can't test them all... but it should help you prioritize)
- MS Visual Studio .Net
- .Net Framework 1.1
- Microsoft Office (2000, 2002, XP) [Karl, Juha-Matti]
- Access 11 (2003) runtime [Scott]
- ATI Catalyst driver installed by newer ATI video cards [Eric]
MSDDS.DLL is not found on Win2003 SP1 SERVER with .net installed (not Visual Studio .net). [Andy].
The version of MSDDS.DLL installed with Office 2003 is not vulnerable.
If you test your system using the PoC exploit, please let us know if it succeeded, and what version of MSDDS.DLL you are using. Version 7.10.3077.0 may not be vulnerable (according to Secunia and our testing). [Juha-Matti]
Version 7.0.9064.9112 is vulnerable [Gilles].
If you are able to apply content filters to your internet gateway (e.g. a proxy server), filter for this string:
(in order to allow you to still visit this page, we substituted the '-' with the word '(dash)' ...)
This is the class id of the vulnerable component.
Other Mitigation Techniques:
- Use a non-ActiveX-aware browser (Firefox, Opera...)
- Remove the vulnerable DLL. (We do not know what will break as a result.)
- This issue can be blocked by setting the 'kill bit' for the respective DLL. Using a registry editor, set: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\EC444CB6(dash)3E7E(dash)4865(dash)B1C3(dash)0DE72EF39B3F\Compatibility Flags=0x00000400 [Jerry]
There is no official patch for this vulnerability at this point. MS05-038 looks similar, but the patch doesn't appear to protect you from this problem.
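
To help prioritize hosts with the version reports and the kill-bit setting above, here is an added example (not part of the original diary) that classifies inventory data collected from each machine. It assumes you have gathered the msdds.dll file version and the text output of `reg query` on the kill-bit key; the host names, the sample outputs and the version 7.0.9500.0 are constructed, and treating unlisted versions as vulnerable is a conservative assumption.

```python
import re

# Class id as printed on the page, which writes '-' as '(dash)'.
CLSID = "EC444CB6(dash)3E7E(dash)4865(dash)B1C3(dash)0DE72EF39B3F".replace("(dash)", "-")
KILL_BIT = 0x00000400  # 'Compatibility Flags' value given on the page

# Version reports quoted on the page.
VULNERABLE = {"7.0.9064.9112"}
MAY_NOT_BE_VULNERABLE = {"7.10.3077.0"}

def kill_bit_set(reg_output):
    """True if `reg query` text for this class id shows the kill bit."""
    if CLSID.lower() not in reg_output.lower():
        return False  # output is for another key, or the key does not exist
    m = re.search(r"Compatibility Flags\s+REG_DWORD\s+0x([0-9a-f]+)", reg_output, re.I)
    # Test the bit, not equality: other compatibility flags may be set too.
    return bool(m) and bool(int(m.group(1), 16) & KILL_BIT)

def triage(dll_version, reg_output):
    """Classify a host from its msdds.dll version (None if absent) and reg output."""
    if dll_version is None:
        return "not installed"
    if kill_bit_set(reg_output):
        return "mitigated (kill bit)"
    if dll_version in VULNERABLE:
        return "vulnerable"
    if dll_version in MAY_NOT_BE_VULNERABLE:
        return "reported not vulnerable"
    return "unknown version, treat as vulnerable"  # assumption, not from the page

# Constructed inventory data (hypothetical hosts and outputs).
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
SET = f"{KEY}\\{{{CLSID}}}\n    Compatibility Flags    REG_DWORD    0x400\n"
OTHER = f"{KEY}\\{{{CLSID}}}\n    Compatibility Flags    REG_DWORD    0x20\n"
MISSING = "ERROR: The system was unable to find the specified registry key or value.\n"

HOSTS = {
    "dev-01": ("7.0.9064.9112", MISSING),
    "dev-02": ("7.0.9064.9112", SET),
    "office-03": ("7.10.3077.0", OTHER),
    "srv-04": (None, MISSING),
    "kiosk-05": ("7.0.9500.0", OTHER),
}

def report(hosts=HOSTS):
    return {name: triage(ver, out) for name, (ver, out) in hosts.items()}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:10} {status}")
```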