Microsoft delivers emergency patches to IE, code library
Developers who used the buggy library must redo their software, update customers
Computerworld - As promised, Microsoft today patched six vulnerabilities in Internet Explorer (IE) and Visual Studio with the first "out-of-cycle" update since it plugged a hole last October that the Conficker worm later used to run rampant.
The two updates, MS09-034 and MS09-035, fixed three "critical" flaws in IE and three "moderate" bugs in Visual Studio. But in an unusual reversal, Microsoft hinted that the bugs tagged as moderate may actually be the most serious of the lot.
That's because the Visual Studio bugs were, as three researchers claimed earlier this week, in a code "library" dubbed Active Template Library (ATL). That library was used by Microsoft and an unknown number of third-party developers to create ActiveX controls and components of their applications.
"This is a complex issue, providing a comprehensive response to a library vulnerability," Mike Reavey, director of Microsoft's Security Response Center (MSRC), said today. "Library issues are hard to deal with, and take a lot of collaboration to resolve...."
That's because, by definition, a library is used by developers to crank out their own code. So a flaw in the library means that the resulting programming product -- an ActiveX control or a .dll necessary for an application -- also contains the flaw.
Microsoft made that clear, although the phrasing was dense. "Microsoft strongly recommends that developers who have built controls or components with ATL take immediate action to evaluate their controls for exposure to a vulnerable condition and follow the guidance provided to create controls and components that are not vulnerable," the company said in an unusual accompanying security advisory that spelled out the risks posed to developers, IT professionals and consumers.
The company also launched a Web site dedicated to the ATL bugs today.
To protect Windows users in the meantime, Microsoft partnered the Visual Studio update with one for IE. "MS09-034 blocks all currently-known attacks while those [vulnerable controls and components] are being updated by their developers," said Reavey.
The additions to IE don't block all vulnerable ActiveX controls, he admitted, but instead check to see whether those controls use specific methods known to trigger the bugs; it then blocks those that do. In places, Microsoft described the protection vaguely, calling it a "new defense-in-depth technology."
Tyler Reguly, a Toronto-based researcher at nCircle Security, said that users were between a rock and a hard place today. "Rolling out the IE patch as soon as possible is the best advice for everyone," said Reguly. "But now that details are out about the ATL vulnerabilities, anyone can dig into the patches for more information. That makes me question whether the third-party applications are at a greater risk now, and for the next couple of weeks, than they were before."
Reavey acknowledged that it's difficult to tell how many developers used the buggy ATL, and thus how many vulnerable pieces of code may be in circulation.
Microsoft is continuing to investigate its own code for uses of the flawed library, Reavey added -- some researchers said earlier this month that both Windows XP and Vista contain critical files harboring the bugs -- and is working with third-party software makers to help them uncover bad code.
The out-of-cycle updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts