Microsoft rushes patches to fix 'big deal' programming flaw
Developers who used the buggy code 'library' must redo software, update customers
Computerworld - As promised, Microsoft Corp. today patched six vulnerabilities in Internet Explorer and Visual Studio with the first "out-of-cycle" update since last October, when it plugged a hole that the Conficker worm later used to run rampant.
Microsoft has been working on the Visual Studio bugs, and coordinating with third-party developers who may have crafted vulnerable software using Visual Studio, since early 2008.
As some had speculated, Microsoft rushed the patches to users this week to preempt a presentation slated for tomorrow at Black Hat by several security researchers. The researchers plan to demonstrate a way for attackers to bypass the "kill-bit" defenses that Microsoft frequently deploys as a stop-gap measure for fixing bugs.
"We put this out of cycle because we have seen at least one attack using an ATL vulnerability," Mike Reavey, director of the Microsoft Security Response Center (MSRC), said in an interview today. "And there was more speculation and more details being released before Black Hat. We had the patches ready for broad release, so we decided to release them today."
Without the pressure from Black Hat, Microsoft would have waited until Aug. 11, when the company will issue its next regularly-scheduled security update.
But in an unusual reversal, Microsoft hinted -- and some researchers agreed -- that the moderate bugs might actually pose the more serious long-term threat. That's because the Visual Studio vulnerabilities are in a code "library," dubbed Active Template Library (ATL), that Microsoft and an unknown number of third-party developers used to create their own ActiveX controls and application components.
"ATL is a C++ library, and one that's pretty commonly used by developers," said Amol Sarwate, the manager of Qualys Inc.'s vulnerability research lab.
"This will be one of those where users are vulnerable from hackers much longer than the usual," added John Pescatore, an analyst at Gartner Inc. "This is a big deal. Microsoft may be fixing the underlying problem in ATL and pushing out this shielding thing that will protect users of IE, but there's no way of knowing how many applications or controls have this flaw baked into them."
"This is a complex issue, providing a comprehensive response to a library vulnerability," Reavey acknowledged. "Library issues are hard to deal with, and take a lot of collaboration to resolve them." That's because a library flaw affects not just the development platform -- in this case Visual Studio -- but can also creep into the resulting code written with that platform.
- Tor Project working to fix weakness that can unmask users
- Virtru launches business email encryption service for Google Apps
- Black Hat presentation on TOR suddenly cancelled
- Goodwill Industries probes possible payment card breach
- Stealthy Web tracking tools pose increasing privacy risks to users
- AirMagnet Wi-Fi security tool takes aim at drones
- EFF releases Chrome, Firefox plugin to block third-party tracking
- Open Wireless Router project aims for better router security, network performance
- Stealthy ransomware 'Critroni' uses Tor, could replace Cryptolocker
- U.S. court says warrant for access to all content of email account is justified
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!