Microsoft delivers emergency patches to IE, code library
Developers who used the buggy library must redo their software, update customers
Computerworld - As promised, Microsoft today patched six vulnerabilities in Internet Explorer (IE) and Visual Studio with the first "out-of-cycle" update since it plugged a hole last October that the Conficker worm later used to run rampant.
The two updates, MS09-034 and MS09-035, fixed three "critical" flaws in IE and three "moderate" bugs in Visual Studio. But in an unusual reversal, Microsoft hinted that the bugs tagged as moderate may actually be the most serious of the lot.
That's because the Visual Studio bugs were, as three researchers claimed earlier this week, in a code "library" dubbed Active Template Library (ATL). That library was used by Microsoft and an unknown number of third-party developers to create ActiveX controls and components of their applications.
"This is a complex issue, providing a comprehensive response to a library vulnerability," Mike Reavey, director of Microsoft's Security Response Center (MSRC), said today. "Library issues are hard to deal with, and take a lot of collaboration to resolve...."
That's because, by definition, a library is used by developers to crank out their own code. So a flaw in the library means that the resulting programming product -- an ActiveX control or a .dll necessary for an application -- also contains the flaw.
Microsoft made that clear, although the phrasing was dense. "Microsoft strongly recommends that developers who have built controls or components with ATL take immediate action to evaluate their controls for exposure to a vulnerable condition and follow the guidance provided to create controls and components that are not vulnerable," the company said in an unusual accompanying security advisory that spelled out the risks posed to developers, IT professionals and consumers.
The company also launched a Web site dedicated to the ATL bugs today.
To protect Windows users in the meantime, Microsoft partnered the Visual Studio update with one for IE. "MS09-034 blocks all currently-known attacks while those [vulnerable controls and components] are being updated by their developers," said Reavey.
The additions to IE don't block all vulnerable ActiveX controls, he admitted, but instead check to see whether those controls use specific methods known to trigger the bugs; it then blocks those that do. In places, Microsoft described the protection vaguely, calling it a "new defense-in-depth technology."
Tyler Reguly, a Toronto-based researcher at nCircle Security, said that users were between a rock and a hard place today. "Rolling out the IE patch as soon as possible is the best advice for everyone," said Reguly. "But now that details are out about the ATL vulnerabilities, anyone can dig into the patches for more information. That makes me question whether the third-party applications are at a greater risk now, and for the next couple of weeks, than they were before."
Reavey acknowledged that it's difficult to tell how many developers used the buggy ATL, and thus how many vulnerable pieces of code may be in circulation.
Microsoft is continuing to investigate its own code for uses of the flawed library, Reavey added -- some researchers said earlier this month that both Windows XP and Vista contain critical files harboring the bugs -- and is working with third-party software makers to help them uncover bad code.
The out-of-cycle updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts