Microsoft
Here are some of the key reasons why you would want to run Unified Access Gateway with DirectAccess.
Extra '&' in Microsoft development code gave hackers IE exploit
Company's security development expert confirms reports by outside researchers
July 29, 2009 07:33 AM ETSecurity Alert
- Chinese artist-dissident lauds Google plan to stop censoring
- New Russian botnet tries to kill rival
- Encryption vendor files patent lawsuit against tech giants
- U.S. plans national climate service
- Ksplice debuts zero downtime service for Linux
- Start-up Nasuni links VMware with Amazon to create secure cloud storage
- PC Maintenance: What Tasks When?
- An open letter to my public transit company
- Why CSOs Should Care About ShmooCon
- Malwarebytes' Anti-Malware Free
Computerworld - Microsoft yesterday confirmed that a single superfluous character in its own development code is responsible for the bug that has let hackers exploit Internet Explorer (IE) since early July.
A pair of German researchers who analyzed a vulnerability in a Microsoft-made ActiveX control came to the same conclusion three weeks ago.
"The bug is simply a typo," Michael Howard, a principal security program manager in Microsoft's security engineering and communications group, said in a post Tuesday to the Security Development Lifecycle (SDL) blog. Howard, who is probably best known for co-authoring Writing Secure Code, went on to say that the typo -- an errant "&" character -- is the "core issue" in the MSVidCtl ActiveX control.
That video-streaming control was created by Microsoft using a modified version of an older edition of a code "library," dubbed Active Template Library (ATL), that Microsoft admitted Tuesday contained multiple vulnerabilities. Also on Tuesday, Microsoft patched Visual Studio, the company's development platform that contains ATL. Those patches, however, do not automatically fix software that was developed using the buggy ATL. Instead, vendors -- Microsoft as well as third-party firms -- must use the patched Visual Studio to recompile their code, then distribute the new, secure software to users.
Howard said that the bug in the MSVidCtl ActiveX control was introduced by an internal version of ATL, not one that was available to outside developers.
Others at Microsoft drew a direct line between the ATL bug Howard described to the public exploits hackers have been using for much of this month, including drive-by attacks conducted from thousands of compromised Web sites.
"This public exploit took advantage of the fact that MSVidCtl uses a modified version of vulnerable ATL headers," said Fermin Serna, an engineer in the Microsoft Security Research Center (MSRC), in a blog post earlier Tuesday. "In this specific instance, the vulnerability allows an attacker to corrupt memory which may lead to a remote code execution," added Serna.
Microsoft
Additional Resources
Microsoft
Review how one energy firm tightened protection and simplified IT work using business-ready security solutions.
Sybase
In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions.
Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Death to PST Files
Download Now
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Tape Killed the IT Guy
Watch Now
Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity
Download Now
BRM: What You Can Do To Reduce Risk In Challenging Times
Watch this webcast now!
What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices
Download Now
Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".
eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
Computerworld Reports
Sign up to receive updates on the latest Security resources
