Earlier this afternoon Microsoft released MS09-034 and MS09-035, which address vulnerabilities discovered in the Microsoft Active Template Library (ATL). The two bulletins, one for Internet Explorer and one for Microsoft Visual Studio, are hailed as proactive measures by Microsoft, while one security vendor wonders whether third-party software vendors are now more vulnerable than they were previously.
Microsoft makes good on promise of out-of-band patches. (Image: J. Anderson)
Starting with the patches, Microsoft has made a ton of information available, and there is a lot of rumor and speculation about the kill bit bypass vulnerability. The hope is that the vast amounts of information will help administrators and developers alike. (The entire list of information and resources can be found here.)
"The out-of-band release significantly impacts both the MS development community and the IT community. Developers need to update any COM and ActiveX elements of their offerings and issue immediate updates," said Don Leatham of Lumension, adding that IT administrators should patch Internet Explorer quickly and review Web applications for ActiveX use.
"If there are any such web applications, the vendor should be contacted immediately to see when a new version of the ActiveX control that includes today’s updates will be available," he said.
MS09-034 is rated critical by Microsoft and aimed at both IT and consumers. MS09-035, rated moderate, is aimed primarily at developers and IT, as it addresses the vulnerabilities in Microsoft Visual Studio 2005 and 2008. As mentioned in earlier reports on the out-of-band patches, MS09-032, released earlier this month, protected against the known attacks.
“While all known attacks have been blocked with the release of MS09-032, rather than waiting for more risk and attacks on ATL vulnerabilities, we decided to proactively release these security updates to help protect customers and mitigate the risk in a more controlled manner,” wrote Jonathan Ness, MSRC Engineering, on the SRD Blog.
This announcement, and the release of a stronger fix, is seen by nCircle’s Tyler Reguly as a good thing. “I'm glad to see that Microsoft rushed out protection against the ActiveX Kill bits bypass. I've been vocal in the past about my concern over ‘placebo patches’ (MS09-032 for example), and this bypass proved that my concern was well placed,” he said.
“My only hope is that Microsoft won't see the fixing of this bypass as a valid excuse to continue to publish these ‘placebo patches’. With luck, hopefully this means they will always take the response of issuing a proper patch.”
Overall, however, Reguly has some strong opinions about today’s events at Microsoft. One of the points he raises centers on exactly what was done to mitigate the vulnerabilities.
“Although Microsoft has protected against the kill bit bypass and has patched the public ATL vulnerabilities, there has been no mention or reference to fixing the issue in msvidctl.dll itself. They have stated that MS09-034 will ‘help protect against exploitation’, but they have not officially stated that a proper patch is available or will be made available,” he said.
Adding to this, Reguly expresses some concern about development tools and about criminals doing what they always do, namely reverse engineering patches in search of ways to exploit what was fixed. “One has to question what the release of the ATL patch (MS09-035) means for other software vendors. We also have to wonder if they are now more vulnerable than they were previously.”
“They now have to obtain this patch and recompile and release their tools. This means until that process can occur, malicious individuals can reverse the patches to pinpoint each of the vulnerabilities and target third-party software. It's a race to see who will get there first, and the vendors didn't get a head start,” he added.
“I would advise IE users to install MS09-034 as soon as possible. I'm not sure that I agree with Microsoft's labeling of the IE vulnerabilities as critical and the ATL vulnerabilities as moderate, but this falls back to Microsoft's habitual misuse of ‘Remote Code Execution’,” Reguly advised.
“However, I'd still suggest patching as soon as possible. IE has such a large presence that it should not go unpatched for long.”
The full details of July’s bulletins are here, including today’s releases.