Microsoft made good on its promise to deliver two out-of-band security bulletins July 28 that cover vulnerabilities in Internet Explorer and Visual Studio.
All told, the bulletins cover six bugs in IE and Visual Studio. MS09-035, the Visual Studio bulletin, provides an updated copy of the ATL (Active Template Library) that swats three bugs in the library.
The nature of ATL, which is used by both Microsoft and third-party developers to build ActiveX controls and components of applications, means that any bug in the library could be passed on to applications developed using it, explained Shavlik Technologies CTO Eric Schultze.
“Some years ago, a flaw was introduced in the development tools maintained by Microsoft,” Schultze said in a statement. “This flaw was in a ‘template’ that helps developers create ActiveX controls. Any control built using this flawed template might be exposed to the security vulnerabilities discussed in today’s bulletins.”
Microsoft advised developers that built controls or components with ATL to evaluate their controls for the vulnerabilities. But the company did not stop there-it also issued an update for IE intended to shut the door on attackers.
“As a defense-in-depth measure, this security update (MS09-034) helps mitigate known attack vectors within Internet Explorer for those components and controls that have been developed with the versions of ATL described in Microsoft Security Advisory (973882) and MS09-035,” according to the advisory.
The IE update also aims to block exploitation of the ActiveX killbit-bypassing vulnerability slated to be discussed July 29 at the Black Hat security conference in Las Vegas. The killbit feature blocks GUIDs (globally unique identifiers) assigned by Windows Registry so that certain software cannot be run. If the attack to be discussed at Black Hat is effective, it could give hackers the ability to get around killbit instructions to exploit ActiveX vulnerabilities previously thought to be patched.
“To date, Microsoft has issued 175 killbits via their cumulative killbit patches,” Schultze said. “However some security researchers found that … the same ATL flaws we were talking about earlier allowed them to bypass the killbit on controls that were built with the flawed templates. In other words, if you installed MS09-032 to protect yourself from the Video control exploit, there is a chance that someone could still execute this attack against you because they bypassed the killbits set in the 09-032 patch.”
