Security Watch: Vulnerability in Microsoft Video ActiveX Deeper Than Current Fix
The vulnerability in the Microsoft Video ActiveX
control that is being exploited on the Internet, which we previously warned about,
and for which Microsoft released security bulletin MS09-032 on so-called Patch
Tuesday in July, goes deeper than most people realized. Microsoft
announced that they are planning an out-of-band security update that we
are assuming is to fix this vulnerability, not just avoid it as the
previous patch did.
The patch in Microsoft security bulletin MS09-032 does not fix the
vulnerability; it only sets the kill bit for the affected ActiveX
controls, which prevents those particular controls from running in
Internet Explorer.
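Whether a kill bit is actually in place can be audited from a registry export. The following is an added example, not part of the original bulletin or of Microsoft's tooling: it parses `reg export` text for the `Compatibility Flags` value under the `ActiveX Compatibility` key and reports, per CLSID and registry view, whether the kill bit (0x400) is set. The function name, the sample export and the CLSIDs are constructed placeholders; the CLSIDs covered by MS09-032 are not listed here.

```python
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that blocks the control in IE
COMPAT = "\\microsoft\\internet explorer\\activex compatibility"
KEY_RE = re.compile(r"^\[(.+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{1,8})$')


def kill_bit_status(reg_text, clsids):
    """Map each CLSID to {"native": s, "wow6432": s}; s is True (kill bit set),
    False (key present, bit clear) or None (key absent from the export)."""
    wanted = {c.upper() for c in clsids}
    result = {c: {"native": None, "wow6432": None} for c in wanted}
    current = None  # (clsid, view) of the key section being read
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            parent, _, leaf = key.group(1).rpartition("\\")
            current = None
            if parent.lower().endswith(COMPAT) and leaf.upper() in wanted:
                view = "wow6432" if "\\wow6432node\\" in parent.lower() else "native"
                current = (leaf.upper(), view)
                result[leaf.upper()][view] = False  # key exists; value may be missing
            continue
        flags = FLAGS_RE.match(line)
        if flags and current:
            clsid, view = current
            result[clsid][view] = bool(int(flags.group(1), 16) & KILL_BIT)
    return result


# Constructed sample in `reg export` text form; the CLSIDs are placeholders,
# not the controls named in MS09-032.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000B}]
"Compatibility Flags"=dword:00800000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000C}]
"Compatibility Flags"=dword:00820400
'''
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text to the function. On 64-bit Windows a control is blocked for 32-bit Internet Explorer only if the `Wow6432Node` view also carries the bit.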
There are likely many other ways of triggering the
vulnerability. It is also possible that the vulnerability has
been introduced into non-Microsoft products.
There is now
speculation that Microsoft is working on a fix for the deeper problem
and, if exploits of the deeper flaw occur, Microsoft
might release an out-of-band patch.
Watch: Details about a vulnerability
have been published.
Severity: Medium. The current
exploit could allow complete control
over the computer if the user has local administrator rights.
(A "watch" alert is for a situation that is not currently
being exploited--that we know about--but it is possible that it will be
Many, possibly including non-Microsoft software.
Halvar Flake found that the problem is in a code library that
is used in many places in Windows (not just the video ActiveX controls)
and might have been provided to third-party software
developers. To make matters worse, the library is statically
linked, which will make it much harder to patch all the places where
the errant library has been copied. (Many third-party software
developers will have to release a patch.)
Halvar Flake published some details about the flaw
in his blog. While the details do not show a malicious person
how to exploit the deeper flaw, they will likely point
those who would exploit the flaw in the direction to go and
make other exploits of the deeper flaw likely sooner.
Microsoft asked Halvar Flake to not discuss any more
details about the flaw.
The vulnerability deep inside Windows
seems to be exploitable in various other ways, so setting a kill bit
for a few ActiveX controls is not enough. No wonder Microsoft
took so long to release a fix for a vulnerability that they have known
about since at least April 2008.
On Friday, July 24, 2009, Microsoft released an advance notice that they
are planning to release a so-called out-of-band security bulletin on
July 28, 2009. (An "out-of-band" security bulletin is one that is
not released on Microsoft's normally scheduled Patch Tuesday, the
second Tuesday of each month.) An out-of-band security bulletin
is an indication of a serious problem that needs an immediate fix
and cannot wait for the next Patch Tuesday.
The security bulletin advance notification says that Microsoft is planning
to release an update to Internet Explorer and Visual Studio. This
is an indication that we can expect a rash of security updates to other
(non-Microsoft) that are built using the vulnerable Visual Studio
The Microsoft Security Response Center (MSRC) blog
says, "Customers who are up to date on their security updates are
protected from known attacks related to this Out of Band release."
This seems to indicate that the scheduled security updates go
further than the currently released updates, but that there are as of
yet no known attacks that need the protection in the patches that are
to be released out of band. So you might be asking why
Microsoft is making this out-of-band release. The first reason is to
get developers the tools they need to fix this
vulnerability in their applications. The second is an indication that
Microsoft apparently believes there is a very good chance that
other methods of exploiting the underlying vulnerability will appear
soon. You can be sure that malicious people will attempt to
reverse engineer the patch as soon as it is released and develop
exploits of the underlying vulnerability. So, apply the patch
soon, maybe just not as an emergency.
Microsoft Advance Security Bulletin Notification:
MSRC Blog: http://blogs.technet.com/msrc/
Washington Post: http://voices.washingtonpost.com/securityfix/
IT Professional Services
is closely monitoring the development of this situation. Since all systems under
managed care are
up-to-date on security updates, it appears that an emergency deployment
of this update will not be necessary unless other exploits make use of
a vulnerability that is fixed by this patch but not the previously
released patches. Should it become necessary, ITPS will be
prepared to perform an emergency deployment of the update to
protect all systems under
If you need assistance installing protection from
this vulnerability or a security assessment, IT Professional Services
can help. Call our
out more about our managed care service.
To find out how vulnerable your network is,
schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.