Microsoft delivers emergency patches to IE, code library
Developers who used the buggy library must redo their software, update customers
Computerworld - As promised, Microsoft today patched six vulnerabilities in Internet Explorer (IE) and Visual Studio with the first "out-of-cycle" update since it plugged a hole last October that the Conficker worm later used to run rampant.
The two updates, MS09-034 and MS09-035, fixed three "critical" flaws in IE and three "moderate" bugs in Visual Studio. But in an unusual reversal, Microsoft hinted that the bugs tagged as moderate may actually be the most serious of the lot.
That's because the Visual Studio bugs were, as three researchers claimed earlier this week, in a code "library" dubbed Active Template Library (ATL). That library was used by Microsoft and an unknown number of third-party developers to create ActiveX controls and components of their applications.
"This is a complex issue, providing a comprehensive response to a library vulnerability," Mike Reavey, director of Microsoft's Security Response Center (MSRC), said today. "Library issues are hard to deal with, and take a lot of collaboration to resolve...."
That's because, by definition, a library is used by developers to crank out their own code. So a flaw in the library means that the resulting programming product -- an ActiveX control or a .dll necessary for an application -- also contains the flaw.
Microsoft made that clear, although the phrasing was dense. "Microsoft strongly recommends that developers who have built controls or components with ATL take immediate action to evaluate their controls for exposure to a vulnerable condition and follow the guidance provided to create controls and components that are not vulnerable," the company said in an unusual accompanying security advisory that spelled out the risks posed to developers, IT professionals and consumers.
The company also launched a Web site dedicated to the ATL bugs today.
To protect Windows users in the meantime, Microsoft partnered the Visual Studio update with one for IE. "MS09-034 blocks all currently-known attacks while those [vulnerable controls and components] are being updated by their developers," said Reavey.
The additions to IE don't block all vulnerable ActiveX controls, he admitted, but instead check to see whether those controls use specific methods known to trigger the bugs; it then blocks those that do. In places, Microsoft described the protection vaguely, calling it a "new defense-in-depth technology."
Tyler Reguly, a Toronto-based researcher at nCircle Security, said that users were between a rock and a hard place today. "Rolling out the IE patch as soon as possible is the best advice for everyone," said Reguly. "But now that details are out about the ATL vulnerabilities, anyone can dig into the patches for more information. That makes me question whether the third-party applications are at a greater risk now, and for the next couple of weeks, than they were before."
Reavey acknowledged that it's difficult to tell how many developers used the buggy ATL, and thus how many vulnerable pieces of code may be in circulation.
Microsoft is continuing to investigate its own code for uses of the flawed library, Reavey added -- some researchers said earlier this month that both Windows XP and Vista contain critical files harboring the bugs -- and is working with third-party software makers to help them uncover bad code.
The out-of-cycle updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
Read more about Security in Computerworld's Security Topic Center.
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Mitigating Security Risks at the Networks Edge This white paper provides strategies and best practices for distributed enterprises to protect their networks against vulnerabilities, threats, and malicious attacks.
- 5 Strategies for Modern Data Protection Read the five strategies for modern data protection that will not only help solve your current data management challenges but also ensure that...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!