Microsoft rushes clutch patch for 'deep' bug in Windows, third-party apps

Computerworld - The emergency patches Microsoft plans to rush out this week will fix a flaw that runs through several critical components of Windows and an unknown number of third-party applications, according to a pair of security researchers.

On Tuesday, Microsoft will slap a permanent patch on a video streaming ActiveX control used by Internet Explorer (IE), addressing a vulnerability that it has known about, but not fixed, for more than a year. Two weeks ago, Microsoft issued a "kill bit" update that, rather than address the underlying problem, disabled the ActiveX control to stymie attacks that were already in progress. It's also slated a fix for Visual Studio, Microsoft's popular development platform.

Although Microsoft has not spelled out exactly what it will patch with the two "out-of-band" updates -- the term for security updates released outside the company's once-a-month schedule -- earlier this month researchers pointed fingers at the Active Template Library (ATL), a code "library" used not only by Microsoft's own developers, but also by third-party software programmers to access some features within Windows.

Two German researchers -- Thomas Dullien, the CEO and head of research at Zynamics GmbH, and Dennis Elser -- dug into the bug within the ActiveX control, the "msvidctl.dll" file, that streams video content. They found that it stemmed from a simple programming mistake in a function called "ATL::CComVariant::ReadFromStream."

"Instead of passing a pointer to a data buffer to IStream::Read, it took the address of a (small) local variable, and passes this address as output buffer to IStream::Read, along with a length read from the stream previously," said Dullien, who goes by the moniker "Halvar Flake" when writing about security vulnerabilities. "Somebody clearly got confused," he added in a blog entry posted July 9.

The result? Although Microsoft shut off current attacks against the ActiveX control, the programming mistake is present in several other Windows files -- at least five in XP, at least 13 in Vista -- including ones crucial to IE, Windows Media Player and Terminal Services.

"The bug is actually much 'deeper' than most people realize," said Dullien, "[and] the kill-bit fix is clearly insufficient, as there are bound to be many other ways of triggering the issue."

Additionally, said Dullien and Elser, third-party developers may have used the same flawed library to create their own applications. "The bug might have weaseled its way into third-party components, if anyone outside of Microsoft had access to the broken ATL versions," said Dullien. "If this has happened, Microsoft might have accidentally introduced security vulnerabilities into third-party products." Dullien claimed that older versions of Adobe's Flash contained the vulnerability.