Security Alerts

Security Watch: Vulnerability in Microsoft Video ActiveX Deeper Than Current Fix
Updated 7/24/2009

The vulnerability in the Microsoft Video ActiveX control that is being exploited on the Internet, which we previously warned about and for which Microsoft released security bulletin MS09-032 on the so-called Patch Tuesday in July, goes deeper than most people realized. Microsoft has announced that it is planning an out-of-band security update, which we assume is meant to fix the vulnerability itself rather than merely work around it as the previous patch did.

The patch in Microsoft security bulletin MS09-032 does not fix the vulnerability; it only sets the kill bit for the affected ActiveX controls to prevent those particular controls from running in Internet Explorer. There are likely many other ways of triggering the vulnerability. It is also possible that the vulnerability has been introduced into non-Microsoft products.
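Because the MS09-032 patch works only by setting kill bits, an administrator's verification step is to confirm those bits are actually present in the registry. The following PowerShell check is an added example, not part of the original bulletin or of Microsoft's update; the CLSIDs are placeholders (the bulletin does not list them), and the registry location is the documented one Internet Explorer reads for kill bits, including the Wow6432Node view that 32-bit IE uses on 64-bit Windows.

```powershell
# Added example: audit the Internet Explorer kill bit for a list of ActiveX CLSIDs.
# The kill bit is 0x400 in the DWORD "Compatibility Flags" stored under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# and, for 32-bit IE on 64-bit Windows, under the Wow6432Node copy of that key.
$KillBitFlag = 0x400
$CompatKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {
    param(
        # CLSIDs in registry form, e.g. '{00000000-0000-0000-0000-000000000000}'
        [Parameter(Mandatory)][string[]]$Clsid
    )
    foreach ($id in $Clsid) {
        foreach ($base in $CompatKeys) {
            if (-not (Test-Path $base)) { continue }   # view not present on this OS
            $path  = Join-Path $base $id
            $flags = $null
            if (Test-Path $path) {
                $flags = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'Compatibility Flags'
            }
            [pscustomobject]@{
                CLSID      = $id
                View       = if ($base -match 'Wow6432Node') { '32-bit' } else { 'native' }
                KeyPresent = Test-Path $path
                Flags      = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { $null }
                # A control is blocked only when the key exists AND bit 0x400 is set.
                KillBitSet = ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
            }
        }
    }
}

# PLACEHOLDER CLSIDs: replace with the control identifiers listed in MS09-032.
$ClsidsToCheck = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

Get-KillBitStatus -Clsid $ClsidsToCheck |
    Sort-Object CLSID, View |
    Format-Table -AutoSize
```

Any row showing KillBitSet = False for a CLSID the bulletin covers means that control can still be instantiated by Internet Explorer on that machine, regardless of what the update history reports.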

There is now speculation that Microsoft is working on a fix for the deeper problem and, if exploits of the deeper flaw occur, Microsoft might release an out-of-band patch.

Threat Level

Watch:  Details about a vulnerability have been published.

(A "watch" alert is for a situation that, as far as we know, is not currently being exploited but could be exploited soon.)

Severity:  Medium.  The current exploit could allow complete control over the computer if the user has local administrator rights.

Affected Software

Many, possibly including non-Microsoft software.

Analysis

Researcher Halvar Flake found that the problem is in a code library that is used in many places in Windows (not just the video ActiveX controls) and might have been provided to third-party software developers. To make matters worse, the library is statically linked, which will make it much harder to patch all the places to which the errant library has been copied. (Many third-party software developers will have to release a patch.)

Halvar Flake published some details about the flaw in his blog. While the details do not show a malicious person how to exploit the deeper flaw, they will likely point those who would exploit it in the right direction and make other exploits of the deeper flaw likely sooner. Microsoft asked Halvar Flake not to discuss any more details about the flaw.

The vulnerability deep inside Windows seems to be exploitable in various other ways, so setting a kill bit for a few ActiveX controls is not enough. No wonder Microsoft took so long to release a fix for a vulnerability that they have known about since at least April 2008.

On Friday, July 24, 2009, Microsoft released an advance notice that they are planning to release a so-called out-of-band security bulletin on July 28, 2009. (An "out-of-band" security bulletin is one that is not released on Microsoft's normally scheduled Patch Tuesday, the second Tuesday of each month.) An out-of-band security bulletin is an indication of a serious problem that needs an immediate fix and cannot wait for the next Patch Tuesday.

The security bulletin advance notification says that Microsoft is planning to release an update to Internet Explorer and Visual Studio. This is an indication that we can expect a rash of security updates to other (non-Microsoft) products that are built using the vulnerable Visual Studio pieces.

The Microsoft Security Response Center (MSRC) blog says, "Customers who are up to date on their security updates are protected from known attacks related to this Out of Band release." This seems to indicate that the scheduled security updates go further than the currently released updates, but that there are as yet no known attacks that need the protection in the patches to be released out of band. So you might be asking why Microsoft is making this out-of-band release. First, it gets the tools developers need to fix this vulnerability in their applications out to them. Second, it is an indication that Microsoft apparently believes there is a very good chance that other methods of exploiting the underlying vulnerability will appear soon. You can be sure that malicious people will attempt to reverse engineer the patch as soon as it is released and develop exploits of the underlying vulnerability. So, apply the patch soon, maybe just not as an emergency.

More Information

Microsoft Advance Security Bulletin Notification:
http://www.microsoft.com/technet/security/bulletin/ms09-jul-ans.mspx

Microsoft Blogs
MSRC Blog: http://blogs.technet.com/msrc/

Security Alerts
SANS: http://isc.sans.org/diary.html?storyid=6859

News
Washington Post: http://voices.washingtonpost.com/securityfix/2009/07/msft_scrambling_to_close_stubb.html?wprss=securityfix

Managed Services

IT Professional Services is closely monitoring the development of this situation. Since all systems under managed care are up to date on security updates, it appears that an emergency deployment of this update will not be necessary unless other exploits make use of a vulnerability that is fixed by this patch but not by the previously released patches. Should it become necessary, ITPS will be prepared to perform an emergency deployment of the update to protect all systems under managed care.

Professional Services

If you need assistance installing protection from this vulnerability or a security assessment, IT Professional Services can help. Call our help desk.

Find out more about our managed care service.

To find out how vulnerable your network is, schedule a free network security analysis today.

We at IT Professional Services (ITPS) hope that the information in this bulletin is valuable to you. ITPS believes the information provided herein is reliable. While care has been taken to ensure accuracy, your use of the information contained in this bulletin is at your sole risk. All information in this bulletin is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the bulletin are authored, recommended, supported or guaranteed by ITPS. ITPS shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

© 2009-2013 IT Professional Services All rights are reserved.  (805) 650-6030