Security Alerts
Security Watch: Microsoft
Out-of-Band Patches for ATL
7/28/2009
Microsoft released two security bulletins today--one Internet Explorer bulletin and one Visual Studio bulletin--in a so-called Out-of-Band release (outside their normal schedule of the second Tuesday of each month). We previously warned that the flaw in the Microsoft Video ActiveX control is deeper than the patch in Microsoft security bulletin MS09-032. These two security bulletins address that deeper flaw.
The fact that these security bulletins were released out-of-band is an indication that Microsoft feels that the fix needs to be installed right away. Why the fixes are so urgent is not immediately clear, since Microsoft stated that if the patch in Microsoft security bulletin MS09-032 has been installed, systems are not vulnerable and there are currently no other known exploits. The underlying flaw in the Visual Studio Active Template Library (ATL) is being presented at the Black Hat conference in Las Vegas this week (on Wednesday). We now suspect that the urgency of Microsoft's out-of-band release is to provide defense from exploits created based on the information that will be disclosed at the Black Hat conference.
The scope of the flaw in ATL is huge because it affects not only Microsoft products, but also any component or control developed using the flawed ATL. It will take time for developers to release updates to their products that use the ATL without the flaw.
The second of the two security bulletins released today (the one that patches the Visual Studio ATL) fixes the root cause of the flaw. The cumulative security update for Internet Explorer (the first of the two security bulletins) includes what Microsoft calls "Defense in Depth" in that it attempts to block ActiveX controls built on the flawed ATL.
Threat Level
Watch: Details about a vulnerability will be presented soon. (A "watch" alert is for a situation that is not currently being exploited--that we know about--but it is possible that it will be exploited soon.)
Severity: Medium-High. If the update in Microsoft security bulletin MS09-032 has been installed, systems are not vulnerable. The vulnerability allows consistent exploit code that is easy and reliable, but there are no known exploits beyond those fixed by Microsoft security bulletin MS09-032.
Affected Software
Many non-Microsoft software products. Internet Explorer adds defense in depth.
Analysis
Vulnerabilities potentially exist in programs written with the Microsoft Active Template Library (ATL) that could allow code execution by browsing to a web site with malicious content. At this time, no systematic attack is known to exist.
Some programmers might have used Microsoft-supplied code (ATL) and might not realize that their code is unsafe. Many different vendors' code is likely to be found vulnerable, and each will have to release a non-exploitable version if theirs is vulnerable due to this issue.
The Visual Studio patch in Microsoft security bulletin MS09-035 addresses three flaws: kill bit bypass, information disclosure, and remote code execution. Microsoft said that consistent exploit code is easy and reliable. The kill bit bypass flaw is being demonstrated at the Black Hat conference this week. This update corrects the flawed template (ATL) so that any controls built from this template going forward will be safe.
Microsoft security bulletin MS09-034 is a cumulative security update for Internet Explorer (IE). It includes two types of what Microsoft calls "Defense in Depth". It also includes fixes for three vulnerabilities in IE. Defense in Depth is designed to protect customers from Web-based attacks. This part of the patch does not address a flaw in IE. It does not address the underlying vulnerabilities, and developers still need to release updates for any components or controls that have the ATL vulnerability. The first defense in depth measure monitors calls to ActiveX controls and prevents controls from executing that are found to have been developed with the flawed ATL. Some security researchers found that they were able to bypass the kill bit function and execute certain controls. The IE cumulative security update protects against the kill bit bypass problem. The second defense in depth measure provides stronger protection, but increases application compatibility risk. It is disabled by default. It implements an allow list for ActiveX controls.
The IE cumulative security update is not just the defense in depth updates, but also includes updates for three remote code execution vulnerabilities.
How Do I Protect My Computer
If your system has Microsoft Automatic Update enabled, you have (or very soon will get) the update for Internet Explorer that provides defense for future exploits of the ATL vulnerability. You will need to restart your PC for this update to take effect.
If your systems already have the patch in Microsoft security bulletin MS09-032 installed, you are protected from current exploits and the vulnerabilities in Microsoft products. To get defense from exploits of non-Microsoft software products, install the update in Microsoft security bulletin MS09-034. We do not believe that this update requires an emergency deployment; it can be scheduled for some time in the next few days (but before new exploits can be effective).
The ultimate solution to all these ActiveX control vulnerabilities might be to take a "white list" approach and allow only known good ActiveX controls that an administrator approves (via a GPO). (This is the opposite of the current kill bit method, where known bad ActiveX controls are prevented from running.) Microsoft added a feature to do white listing of ActiveX controls in the IE Cumulative Security Update. (This feature is disabled by default.) Of course the problem with such an approach is keeping up with the list of ActiveX controls that all your users will need to have approved.
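As an added example (not part of the original alert), the following PowerShell audits which ActiveX controls on a machine already carry the kill bit and which DLL each one resolves to; this is the "known bad" list an administrator would compare against a white list. It assumes the documented "Compatibility Flags" registry value (kill bit = 0x400) and uses a placeholder CLSID for the single-control check.

```powershell
# Added example: audit IE kill bits. The kill bit is bit 0x400 of the
# "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
$KillBit   = 0x400
$CompatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit {
    # Returns $true when the kill bit is set for the given CLSID (braces included).
    param([Parameter(Mandatory)][string]$Clsid)
    $item = Get-ItemProperty -Path (Join-Path $CompatKey $Clsid) -ErrorAction SilentlyContinue
    if (-not $item) { return $false }
    # A missing value casts to 0, so an absent flag is treated as "not kill-bitted".
    return (([int]$item.'Compatibility Flags') -band $KillBit) -ne 0
}

function Get-KillBittedControls {
    # Enumerates every CLSID under the compatibility key, keeps those with the
    # kill bit set, and resolves the hosting DLL from HKCR\CLSID\{CLSID}\InprocServer32.
    Get-ChildItem -Path $CompatKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        if (Test-KillBit -Clsid $clsid) {
            $server = Get-ItemProperty `
                -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                -ErrorAction SilentlyContinue
            $dll = if ($server) { $server.'(default)' } else { '<not registered>' }
            [pscustomobject]@{ CLSID = $clsid; KillBit = $true; Dll = $dll }
        }
    }
}

# Kill-bitted controls whose DLL is still registered: blocked by IE, but the
# component is still on the machine and would need a vendor update to be safe
# outside IE.
Get-KillBittedControls | Where-Object { $_.Dll -ne '<not registered>' } | Format-Table -AutoSize

# Single-control check; the CLSID below is a placeholder, substitute the one of interest.
Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```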
The update in Microsoft security bulletin MS09-035 is intended for developers. Unless you are a software developer, you do not need to install this update.
More Information
Microsoft Security Advisory: http://www.microsoft.com/technet/security/advisory/973882.mspx
Microsoft Security Bulletins:
Cumulative Security Update for Internet Explorer: http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx
Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution: http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
Managed Services
IT Professional Services is closely monitoring the development of this situation. Since all systems under managed care are up-to-date on security updates, it appears that an emergency deployment of this update will not be necessary unless other exploits make use of a vulnerability. Should it become necessary, ITPS will be prepared to perform an emergency deployment of the update to protect all systems under managed care, and will deploy the update within a few days of its release (most likely in conjunction with the Adobe Flash vulnerability, for which we are expecting an update from Adobe in the next few days).
Professional Services
If you need assistance installing protection from this vulnerability or a security assessment, IT Professional Services can help. Call our help desk. Find out more about our managed care service. To find out how vulnerable your network is, schedule a free network security analysis today.
We at IT Professional Services (ITPS) hope that the information in this bulletin is valuable to you. ITPS believes the information provided herein is reliable. While care has been taken to ensure accuracy, your use of the information contained in this bulletin is at your sole risk. All information in this bulletin is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the bulletin are authored, recommended, supported or guaranteed by ITPS. ITPS shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.