Microsoft rushes patches to fix 'big deal' programming flaw
Developers who used the buggy code 'library' must redo software, update customers
Computerworld - As promised, Microsoft Corp. today patched six vulnerabilities in Internet Explorer and Visual Studio with the first "out-of-cycle" update since last October, when it plugged a hole that the Conficker worm later used to run rampant.
Microsoft has been working on the Visual Studio bugs, and coordinating with third-party developers who may have crafted vulnerable software using Visual Studio, since early 2008.
As some had speculated, Microsoft rushed the patches to users this week to preempt a presentation slated for tomorrow at Black Hat by several security researchers. The researchers plan to demonstrate a way for attackers to bypass the "kill-bit" defenses that Microsoft frequently deploys as a stop-gap measure for fixing bugs.
"We put this out of cycle because we have seen at least one attack using an ATL vulnerability," Mike Reavey, director of the Microsoft Security Response Center (MSRC), said in an interview today. "And there was more speculation and more details being released before Black Hat. We had the patches ready for broad release, so we decided to release them today."
Without the pressure from Black Hat, Microsoft would have waited until Aug. 11, when the company will issue its next regularly-scheduled security update.
But in an unusual reversal, Microsoft hinted -- and some researchers agreed -- that the moderate bugs might actually pose the more serious long-term threat. That's because the Visual Studio vulnerabilities are in a code "library," dubbed Active Template Library (ATL), that Microsoft and an unknown number of third-party developers used to create their own ActiveX controls and application components.
"ATL is a C++ library, and one that's pretty commonly used by developers," said Amol Sarwate, the manager of Qualys Inc.'s vulnerability research lab.
"This will be one of those where users are vulnerable from hackers much longer than the usual," added John Pescatore, an analyst at Gartner Inc. "This is a big deal. Microsoft may be fixing the underlying problem in ATL and pushing out this shielding thing that will protect users of IE, but there's no way of knowing how many applications or controls have this flaw baked into them."
"This is a complex issue, providing a comprehensive response to a library vulnerability," Reavey acknowledged. "Library issues are hard to deal with, and take a lot of collaboration to resolve them." That's because a library flaw affects not just the development platform -- in this case Visual Studio -- but can also creep into the resulting code written with that platform.
- N.C. State researchers devise tool that detects Android malware
- Encrypted communications to take center stage at Cebit
- The tangled tale of Mt. Gox's missing millions
- NSA used 'European bazaar' to spy on EU citizens
- Trust issue looms large for tech companies capitalizing on personal data
- Groups ask FTC to investigate Facebook's purchase of WhatsApp
- Security Manager's Journal: Security flaw shakes faith in Apple mobile devices
- Cisco patches flaws in routers, wireless LAN controllers
- Tracking metadata can be useful -- and proper
- CIO not the only one to blame for Target breach
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts