Researcher: Microsoft may launch 'month of ATL' patches on Tuesday

Advance notice offers clues Microsoft will update software hit by deep dev bug

Page 2 of 2

Today's Bulletin 5 looks like the most likely candidate, he said. That bulletin will patch Outlook Express, an entry-level e-mail client Microsoft used to bundle with Windows, as well as update the two newest versions of Windows Media Player. "They could be patching applications that linked to the old library," said Storms, talking about Active Template Library, or ATL. "I wouldn't be surprised if this goes on for a number of months as they go back and check their software."

Just over a week ago, Microsoft rushed a pair of emergency updates to users that plugged multiple holes in IE and Visual Studio. Those vulnerabilities were traced to ATL, a library used by Microsoft and an unknown number of third-party developers to create ActiveX controls and application components. Adobe, for instance, admitted its Flash Player and Shockwave Player were developed using the buggy ATL, and updated both applications late last week after recompiling them with a patched ATL.

Another clue about a connection between Bulletin 5 and ATL comes from a pair of German security researchers, who in early July claimed that several pieces of Microsoft-made software, including Windows Media Player, had used ATL.

The mention of Remote Desktop Connection Client for Mac in Bulletin 2 also hints at an ATL fix. "Client and server side of that equation," said Storms in an instant message follow-up. "Hmm...and remote code [executable], too. It sounds like it's related to the entire Remote Desktop Services."

Remote Desktop Services, which is present on both client and server versions of Windows, is used to access applications and data on a remote system over a network. It was formerly called Terminal Services, which was another Windows component fingered as containing the flawed ATL code by the German researchers.

"I wonder if we aren't looking at an entire month of ATL fixes," said Storms. "One thing I noticed at Black Hat [was that] I didn't see any MSRC [Microsoft Security Response Center] people at the Dowd et al talk when they talked about this [ATL] bug," he added, referring to the Las Vegas security conference that wrapped up a week ago, and a presentation by Mark Dowd, Ryan Smith and David Dewey. "[That] would lead one to believe that [Microsoft had] already worked the issue internally [and that] it was behind them."

But it's impossible to tell the specific components within Windows that Microsoft will patch, and thus what risk users face, until next Tuesday, Storms argued. "It looks like they'll be patching core parts of the operating system," he said. "Sometimes that's a little more worrisome than when Microsoft patches a single application, like IE, because if there's a problem with the patch, the entire OS could go down into a Blue Screen of Death."

Microsoft will release the nine updates at approximately 1 p.m. ET on Aug. 11.

Copyright © 2009 IDG Communications, Inc.
