Microsoft rushes patches to fix 'big deal' programming flaw

Developers who used the buggy code 'library' must redo software, update customers

As promised, Microsoft today patched six vulnerabilities in Internet Explorer (IE) and Visual Studio with the first "out-of-cycle" update since it plugged a hole last October that the Conficker worm later used to run rampant.

Microsoft has been working on the Visual Studio bugs, and coordinating with third-party developers who may have crafted vulnerable software using Visual Studio, since early 2008.

As some had speculated, Microsoft rushed the patches to users this week to preempt a presentation slated for tomorrow at Black Hat by several security researchers. They plan to demonstrate a way for attackers to bypass the "kill-bit" defenses that Microsoft frequently deploys as a stop-gap measure.

"We put this out-of-cycle because we have seen at least one attack using an ATL vulnerability," Mike Reavey, director of Microsoft's Security Response Center (MSRC), said in an interview today. "And there was more speculation and more details being released before Black Hat. We had the patches ready for broad release, so we decided to release them today."

Without the pressure from Black Hat, Microsoft would have waited until Aug. 11, when the company will release its next regularly-scheduled security update.

The two emergency updates, MS09-034 and MS09-035, fixed three "critical" flaws in IE, added new defensive technology to the browser and patched three "moderate" bugs in Visual Studio.

But in an unusual reversal, Microsoft hinted -- and some researchers agreed -- that the moderate bugs may actually pose the more serious long-term threat. That's because the Visual Studio vulnerabilities are in a code "library," dubbed Active Template Library (ATL), that Microsoft and an unknown number of third-party developers used to create their own ActiveX controls and application components.

"ATL is a C++ library, and one that's pretty commonly used by developers," said Amol Sarwate, the manager of Qualys' vulnerability research lab.

"This will be one of those where users are vulnerable from hackers much longer than the usual," added John Pescatore, an analyst with Gartner. "This is a big deal. Microsoft may be fixing the underlying problem in ATL, and pushing out this shielding thing that will protect users of IE, but there's no way of knowing how many applications or controls have this flaw baked into them."

"This is a complex issue, providing a comprehensive response to a library vulnerability," Reavey acknowledged. "Library issues are hard to deal with, and take a lot of collaboration to resolve them." That's because a library flaw affects not just the development platform -- in this case Visual Studio -- but can also creep into the resulting code written with that platform.

Reavey admitted that it was difficult to tell how many developers had used the buggy ATL, and thus, how many vulnerable pieces of code are in circulation. In fact, Microsoft has not yet finished examining its own code for flaws. "We're still investigating," he said when asked whether Microsoft had found bugs in software such as Windows Media Player, which some researchers have pegged as including the vulnerable ATL code.

Microsoft urged developers to look at their software, and if necessary, recompile it with the patched ATL. "Microsoft strongly recommends that developers who have built controls or components with ATL take immediate action to evaluate their controls for exposure to a vulnerable condition and follow the guidance provided to create controls and components that are not vulnerable," said Microsoft in an unusual accompanying security advisory that spelled out the risks posed to developers, IT professionals and consumers.

The company will continue to work with third-party software makers to help them uncover bad ATL code, Reavey said, but he declined to name vendors that may be close to re-releasing patched ActiveX controls or applications.

To protect Windows users in the meantime, Microsoft partnered the Visual Studio update with one for IE. "MS09-034 blocks all currently-known attacks while those [vulnerable controls and components] are being updated by their developers," said Reavey. He also confirmed that the IE update prevents attackers from using the "kill-bit bypass" technique that Ryan Smith of VeriSign iDefense, and Mark Dowd and David Dewey with IBM Internet Security Systems' X-Force, will demonstrate Wednesday at Black Hat.

The additions to IE don't block all vulnerable ActiveX controls, admitted Reavey, but instead check to see whether those controls are using specific methods known to trigger the bugs; it then blocks those that are. Some of the blocking technology is turned on by default, but other pieces, including one Microsoft itself called a "heavy hammer," have been left off. Developers can opt-in to that "hammer" by adding code to their ActiveX controls.

Tyler Reguly, a Toronto-based researcher at nCircle Security, said that users are between a rock and a hard place. "Rolling out the IE patch as soon as possible is the best advice for everyone," said Reguly. "But now that details are out about the ATL vulnerabilities, anyone can dig into the patches for more information. That makes me question whether the third-party applications are at a greater risk now, and for the next couple of weeks, than they were before."

Microsoft also issued the IE update to give readers a secure browser, since IE itself was compiled using the vulnerable ATL, said Sarwate. "IE must [have been] compiled using vulnerable [ATL] libraries, due to which it is vulnerable to the three [vulnerabilities] in MS09-034," he said in a follow-up e-mail Tuesday. "That's how the two bulletins are related."

The out-of-cycle updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Join the CSO newsletter!

Error: Please check your email address.

Tags visual studioMicrosoftblack hatactivexmicrosoft patchesInternet Explorer

More about ATLGartnerIBM AustraliaIBM AustraliaiDefenseInternet Security SystemsMicrosoftnCircleQualysSecurity SystemsVeriSign AustraliaX-Force

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Computerworld Staff

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts