Microsoft issues two out-of-band security bulletins to address problems in Visual Studio and Internet Explorer. The patches address an attack that could bypass Microsoft's killbit security feature, and bugs in the Microsoft Active Template Library included with Visual Studio.
made good on its promise to deliver two out-of-band security
bulletins July 28 that cover vulnerabilities in Internet Explorer and Visual
All told, the bulletins cover six bugs in IE and Visual Studio. MS09-035,
the Visual Studio bulletin, provides an updated
copy of the ATL (Active Template Library)
that swats three bugs in the library.
The nature of ATL, which
is used by both Microsoft and third-party developers to build
ActiveX controls and components of applications, means that any bug
in the library could be passed on to applications developed using it,
explained Shavlik Technologies CTO Eric
"Some years ago, a flaw was introduced in the development tools
maintained by Microsoft," Schultze said in a statement. "This flaw
was in a 'template' that helps developers create ActiveX controls. Any control
built using this flawed template might be exposed to the security
vulnerabilities discussed in today's bulletins."
Microsoft advised developers that built controls or components with ATL
to evaluate their controls for the vulnerabilities. But the company did not
stop there-it also issued an update for IE intended to shut the door on
"As a defense-in-depth measure, this security update (MS09-034
helps mitigate known attack vectors within Internet Explorer for those
components and controls that have been developed with the versions of ATL
described in Microsoft
Security Advisory (973882)
and MS09-035," according to the
The IE update also aims to block exploitation of the ActiveX killbit-bypassing
vulnerability slated to be discussed July 29 at the Black Hat security conference
Vegas. The killbit feature blocks GUIDs (globally
unique identifiers) assigned by Windows Registry so that certain software
cannot be run. If the attack to be discussed at Black Hat is effective, it
could give hackers the ability to get around killbit instructions to exploit
ActiveX vulnerabilities previously thought to be patched.
"To date, Microsoft has issued 175 killbits via their cumulative
killbit patches," Schultze said. "However some security researchers
found that ... the same ATL flaws we were
talking about earlier allowed them to bypass the killbit on controls that were
built with the flawed templates. In other words, if you installed MS09-032 to
protect yourself from the Video control exploit, there is a chance that someone
could still execute this attack against you because they bypassed the killbits
set in the 09-032 patch."