More on MS08-008
For the past week I have been looking at the MS08-008 OLE remote execution vulnerability. During that time, I have been speaking with an exploit writer who wishes to remain anonymous. According to my anonymous source, the vulnerability exists within the ActiveX class MSForms Image and uses the IImage Interface. As the vulnerability requires user intervention and can easily be thwarted by setting the kill bit, my source does not believe that this will be very useful in targeted attacks.
According to Microsoft, Visual Basic (VB) 6.0 contains this vulnerability. Programs created in VB 6.0 may inherit it if the oleaut32.dll file is redistributed alongside them. I installed many free OPC servers, OPC clients and OPC utilities and found the oleaut32.dll file in one piece of software. That copy was not installed on the system, as it was built for Windows 95/NT and the test system was running Windows 2003 R2 Service Pack 2.
The best course of action is to set the kill bit and update your system as soon as possible. Setting the kill bit (see the MS08-008 page for instructions) should provide adequate protection while the patches are being vetted for production use. It would also be wise to search the system for “oleaut32.dll” to determine whether other copies of this file, possibly installed by a vendor, exist on your system. Please contact your vendor if you are concerned that they are distributing a vulnerable version of the oleaut32.dll file.
The likelihood that this vulnerability is exploitable in OPC software is low. Please take the appropriate actions to mitigate this vulnerability in your environment and reduce your attack surface.
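The two checks recommended above (confirm the kill bit is set, then look for stray copies of oleaut32.dll) can be scripted so they are repeatable across hosts. The PowerShell below is an added example, not part of the original post or of any Microsoft guidance: the CLSID is a placeholder that must be replaced with the one from the MS08-008 bulletin, and the search roots and the decision to set the bit are parameters. It relies on the documented kill-bit mechanism, a `Compatibility Flags` DWORD with bit 0x400 set under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`.

```powershell
# Added example (not from the original post): audit kill-bit state for one
# ActiveX control and list every oleaut32.dll on the chosen volumes.
# The default CLSID is a PLACEHOLDER; supply the CLSID from the MS08-008 bulletin.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',  # placeholder, not a real CLSID
    [string[]]$SearchRoots = @('C:\'),
    [switch]$SetKillBit
)

$keyPath  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$KILL_BIT = 0x400   # bit in 'Compatibility Flags' that tells IE not to instantiate the control

function Get-KillBitState {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return 'not set (key absent)' }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'not set (value absent)' }
    if (($flags -band $KILL_BIT) -eq $KILL_BIT) { return ('set (Compatibility Flags = 0x{0:X})' -f $flags) }
    return ('not set (Compatibility Flags = 0x{0:X})' -f $flags)
}

Write-Host "Kill bit for $Clsid is $(Get-KillBitState $keyPath)"

if ($SetKillBit) {
    # Merge 0x400 into any flags already present instead of overwriting them
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    Set-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -Value ($existing -bor $KILL_BIT) -Type DWord
    Write-Host "Kill bit now $(Get-KillBitState $keyPath)"
}

# Every oleaut32.dll outside System32 is a vendor-shipped copy worth raising with that vendor
$systemCopy = Join-Path $env:SystemRoot 'System32\oleaut32.dll'
foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Filter 'oleaut32.dll' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $origin = if ($_.FullName -ieq $systemCopy) { 'system' } else { 'non-system' }
            '{0,-11} {1,-20} {2}' -f $origin, $_.VersionInfo.FileVersion, $_.FullName
        }
}
```

Run it without `-SetKillBit` first to see the current state; the file listing prints each copy's version so a vendor copy older than the patched one stands out. The script only reports the registry value; as the kill bit is consulted by Internet Explorer, a third-party host application that never reads it gains nothing from the setting, which is why the patch itself remains the real fix.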
Author: Charles Perine
Posted: February 20th, 2008 under Microsoft.
Comments: 2
Comments
Comment from stacy
Time: February 21, 2008, 12:30 pm
It is worth noting that a Kill-Bit is, as the joke goes, only a suggestion. The application has to check and honour the Kill-Bit, setting the Kill-Bit does not guarantee that the vulnerable control can not be instantiated.
There was a three part FAQ on Kill-Bits posted to MS Security Vulnerability Research & Defense blog. http://blogs.technet.com/swi/
Comment from Daniel
Time: February 21, 2008, 6:14 pm
stacy is right, but as the most likely vector for this is IE, the killbit workaround should be effective.
If a 3rd party app is the vector for this attack, and it doesn't check the status of the killbit in the registry, then there are likely numerous other ways that it will be vulnerable to attack.
Best practices are just that, and cannot completely overcome insecure code.