Security Watch: Microsoft
Out-of-Band Patches for ATL
Microsoft released two security bulletins
today--one Internet Explorer bulletin and one Visual Studio
bulletin--in a so called Out-of-Band release (outside their normal
schedule of the second Tuesday of each month). We previously warned
that the flaw in Microsoft Video ActiveX control is deeper than the
patch in Microsoft security bulletin MS09-032. These two security
bulletins address that deeper flaw.
fact that these security bulletins were released out-of-band is an
indication that Microsoft feels that the fix needs to be installed
right away. Why the fixes are so urgent is not immediately clear since
Microsoft stated that if the patch
in Microsoft security bulletin MS09-032
has been installed, systems are not vulnerable and there are currently
no other know exploits. The underlying flaw in the Visual
Active Template Library (ATL) is being presented at the Black Hat
conference in Las Vegas this week (on Wednesday). We now
that the urgency of Microsoft's out-of-band release is to provide
defense from exploits created based on the information that will be
disclosed at the Black Hat conference.
The scope of the flaw in
ATL is huge because it affects not only Microsoft products, but also
any component or control developed using the flawed ATL. It
take time for developers to release updates to their products that use
ATL without the flaw.
second of the two security bulletins released today (the one that
patches Visual Studio ATL) is the root cause of the flaw. The
cumulative security update for Internet Explorer (the first of the two
security bulletins) includes what Microsoft calls "Defense in Depth" in that
it attempts to block ActiveX controls built on the flawed ATL.
Watch: Details about a vulnerability
will be presented soon.
Severity: Medium-High. If the update in
Microsoft security bulletin MS09-032
has been installed, systems are not vulnerable. The
allows consistent exploit code that is easy and reliable, but
there are no know exploits beyond those fixed
by Microsoft security bulletin MS09-032.
(A "watch" alert is for a situation that is not currently
being exploited--that we know about--but it is possible that it will be
Many non-Microsoft software products. Internet
Explorer adds defense in depth.
Vulnerabilities potentially exist in programs
written with the Microsoft Active Template Library (ATL) that could
allow code execution by browsing to a web site with malicious content.
At this time, no systematic attack is known to exist.
Some programmers might have used
Microsoft-supplied code (ATL) and might not realize that their code is
unsafe. Many different vendors’ code is likely to be found
vulnerable, and each will have to release a non-exploitable version if
theirs is vulnerable due to this issue.
The Visual Studio patch in Microsoft security bulletin MS09-035 addresses three flaws:
kill bit bypass, information disclosure, and remote code execution.
Microsoft said that consistent exploit code is easy and
reliable. The kill bit bypass flaw is being demonstrated at
the Blackhat conference this week. This update corrects the flawed template (ATL) so that any controls built from this template going
forward will be safe.
Microsoft security bulletin MS09-034 is a cumulative security
update for Internet Explorer (IE). It includes two types of what Microsoft
calls "Defense in Depth". It also includes fixes for three vulnerabilities in IE.
Defense in Depth is designed to protect customers from Web-based
attacks. This part of the patch does
not address a flaw in IE. It does not address the underlying
vulnerabilities and developers still need to release updates for any
components or controls that have the ATL vulnerability.
The first defense in depth measure monitors calls to ActiveX controls and prevents controls from executing that
are found to have been developed with the flawed ATL. Some security researchers found that they were able to bypass the kill bit
function and execute certain controls. The IE cumulative security update protects against the kill bit bypass problem.
second defense in depth measure provides stronger protection, but
increases application compatibility risk. It is disabled by
default. It implements an allow list for ActiveX controls.
The IE cumulative security update is not just the defense in depth
updates, but also includes updates for three remote code execution
How Do I Protect My Computer
your system has Microsoft Automatic Update enabled, you have (or very
soon will get) the update for Internet Explorer that provides defense
for future exploits of the ATL vulnerability. You will need
to restart your PC for this update to take effect.
your systems already have the patch in Microsoft security
bulletin MS09-032 installed, you are
protected from current exploits and the vulnerabilities in Microsoft
products. To get defense from exploits of non-Microsoft software
products, install the update in Microsoft security
bulletin MS09-034. We do not
believe that this update requires an emergency deployment and can be
scheduled for some time in the next few days (but before new
exploits can be effective).
ultimate solution to all these ActiveX control vulnerabilities might be
to take a "white list" approach and allow only known good ActiveX
controls that an administrator approves (via a GPO). (This is the
opposite of the current kill bit method where known bad ActiveX
controls are prevented from running.) Microsoft
added a feature to do white listing of ActiveX controls in the IE
Cumulative Security Update. (This feature
is disabled by default.) Of course the problem with such an
approach is keeping up with the list of ActiveX controls that all your
users will need to have approved.
The update in Microsoft security
bulletin MS09-035 is intended for
developers. Unless you are a software developer, you do not need to
install this update.
Microsoft Security Advisory:
Microsoft Security Bulletins:
Cumulative Security Update for Internet Explorer: http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx
Vulnerabilities in Visual Studio Active
Template Library Could Allow Remote
Code Execution: http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
IT Professional Services
is closely monitoring the development of this situation. Since all of
managed care are
up-to-date on security updates, it appears that an emergency deployment
of this update will not be necessary unless other exploits make use of
a vulnerability. Should it become
necessary, ITPS will be
prepared to perform an emergency deployment of the update to
protect all systems under
managed care and will deploy the update within a few days of its release (most likely in conjunction with the Adobe Flash vulnerability for which we are expecting an update from Adobe in the next few days.
If you need assistance installing protection from
this vulnerability or a security assessment, IT
can help. Call our
out more about our managed care service.
To find out how vulnerable your network is
schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.