Menu
Microsoft delivers emergency patches to IE, code library

Microsoft delivers emergency patches to IE, code library

Developers who used the buggy library must redo their software, update customers

As promised, Microsoft today patched six vulnerabilities in Internet Explorer (IE) and Visual Studio with the first "out-of-cycle" update since it plugged a hole last October that the Conficker worm later used to run rampant.

The two updates, MS09-034 and MS09-035, fixed three "critical" flaws in IE and three "moderate" bugs in Visual Studio. But in an unusual reversal, Microsoft hinted that the bugs tagged as moderate may actually be the most serious of the lot.

That's because the Visual Studio bugs were, as three researchers claimed earlier this week, in a code "library" dubbed Active Template Library (ATL). That library was used by Microsoft and an unknown number of third-party developers to create ActiveX controls and components of their applications.

"This is a complex issue, providing a comprehensive response to a library vulnerability," Mike Reavey, director of Microsoft's Security Response Center (MSRC), said today. "Library issues are hard to deal with, and take a lot of collaboration to resolve...."

That's because, by definition, a library is used by developers to crank out their own code. So a flaw in the library means that the resulting programming product -- an ActiveX control or a .dll necessary for an application -- also contains the flaw.

Microsoft made that clear, although the phrasing was dense. "Microsoft strongly recommends that developers who have built controls or components with ATL take immediate action to evaluate their controls for exposure to a vulnerable condition and follow the guidance provided to create controls and components that are not vulnerable," the company said in an unusual accompanying security advisory that spelled out the risks posed to developers, IT professionals and consumers.

The company also launched a Web site dedicated to the ATL bugs today.

To protect Windows users in the meantime, Microsoft partnered the Visual Studio update with one for IE. "MS09-034 blocks all currently-known attacks while those [vulnerable controls and components] are being updated by their developers," said Reavey.

The additions to IE don't block all vulnerable ActiveX controls, he admitted, but instead check to see whether those controls use specific methods known to trigger the bugs; it then blocks those that do. In places, Microsoft described the protection vaguely, calling it a "new defense-in-depth technology."

Tyler Reguly, a Toronto-based researcher at nCircle Security, said that users were between a rock and a hard place today. "Rolling out the IE patch as soon as possible is the best advice for everyone," said Reguly. "But now that details are out about the ATL vulnerabilities, anyone can dig into the patches for more information. That makes me question whether the third-party applications are at a greater risk now, and for the next couple of weeks, than they were before."

Reavey acknowledged that it's difficult to tell how many developers used the buggy ATL, and thus how many vulnerable pieces of code may be in circulation.

Microsoft is continuing to investigate its own code for uses of the flawed library, Reavey added -- some researchers said earlier this month that both Windows XP and Vista contain critical files harboring the bugs -- and is working with third-party software makers to help them uncover bad code.

The out-of-cycle updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Events

Featured

Slideshows

Channel kicks 2021 into gear as After Hours returns to Auckland

Channel kicks 2021 into gear as After Hours returns to Auckland

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Pantry at Park Hyatt in Auckland to kick-start 2021.

Channel kicks 2021 into gear as After Hours returns to Auckland
The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

The leading female front runners of the New Zealand ICT industry joined together for the annual Reseller News Women in ICT Awards event at the Hilton in Auckland, during which hundreds of guests celebrated 13 outstanding individuals who won awards, chosen from more than 50 finalists representing over 30 organisations.

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards
Show Comments