As promised, Microsoft today patched six vulnerabilities in Internet Explorer (IE) and Visual Studio with the first "out-of-cycle" update since it plugged a hole last October that the Conficker worm later used to run rampant.
Microsoft has been working on the Visual Studio bugs, and coordinating with third-party developers who may have crafted vulnerable software using Visual Studio, since early 2008.
As some had speculated, Microsoft rushed the patches to users this week to preempt a presentation slated for tomorrow at Black Hat by several security researchers. They plan to demonstrate a way for attackers to bypass the "kill-bit" defenses that Microsoft frequently deploys as a stop-gap measure.
"We put this out-of-cycle because we have seen at least one attack using an ATL vulnerability," Mike Reavey, director of Microsoft's Security Response Center (MSRC), said in an interview today. "And there was more speculation and more details being released before Black Hat. We had the patches ready for broad release, so we decided to release them today."
Without the pressure from Black Hat, Microsoft would have waited until Aug. 11, when the company will release its next regularly-scheduled security update.
But in an unusual reversal, Microsoft hinted -- and some researchers agreed -- that the moderate bugs may actually pose the more serious long-term threat. That's because the Visual Studio vulnerabilities are in a code "library," dubbed Active Template Library (ATL), that Microsoft and an unknown number of third-party developers used to create their own ActiveX controls and application components.
"ATL is a C++ library, and one that's pretty commonly used by developers," said Amol Sarwate, the manager of Qualys' vulnerability research lab.
"This will be one of those where users are vulnerable from hackers much longer than the usual," added John Pescatore, an analyst with Gartner. "This is a big deal. Microsoft may be fixing the underlying problem in ATL, and pushing out this shielding thing that will protect users of IE, but there's no way of knowing how many applications or controls have this flaw baked into them."
"This is a complex issue, providing a comprehensive response to a library vulnerability," Reavey acknowledged. "Library issues are hard to deal with, and take a lot of collaboration to resolve them." That's because a library flaw affects not just the development platform -- in this case Visual Studio -- but can also creep into the resulting code written with that platform.
Reavey admitted that it was difficult to tell how many developers had used the buggy ATL, and thus, how many vulnerable pieces of code are in circulation. In fact, Microsoft has not yet finished examining its own code for flaws. "We're still investigating," he said when asked whether Microsoft had found bugs in software such as Windows Media Player, which some researchers have pegged as including the vulnerable ATL code.
Microsoft urged developers to look at their software, and if necessary, recompile it with the patched ATL. "Microsoft strongly recommends that developers who have built controls or components with ATL take immediate action to evaluate their controls for exposure to a vulnerable condition and follow the guidance provided to create controls and components that are not vulnerable," said Microsoft in an unusual accompanying security advisory that spelled out the risks posed to developers, IT professionals and consumers.
The company will continue to work with third-party software makers to help them uncover bad ATL code, Reavey said, but he declined to name vendors that may be close to re-releasing patched ActiveX controls or applications.
To protect Windows users in the meantime, Microsoft partnered the Visual Studio update with one for IE. "MS09-034 blocks all currently-known attacks while those [vulnerable controls and components] are being updated by their developers," said Reavey. He also confirmed that the IE update prevents attackers from using the "kill-bit bypass" technique that Ryan Smith of VeriSign iDefense, and Mark Dowd and David Dewey with IBM Internet Security Systems' X-Force, will demonstrate Wednesday at Black Hat.
The additions to IE don't block all vulnerable ActiveX controls, admitted Reavey, but instead check to see whether those controls are using specific methods known to trigger the bugs; it then blocks those that are. Some of the blocking technology is turned on by default, but other pieces, including one Microsoft itself called a "heavy hammer," have been left off. Developers can opt-in to that "hammer" by adding code to their ActiveX controls.
Tyler Reguly, a Toronto-based researcher at nCircle Security, said that users are between a rock and a hard place. "Rolling out the IE patch as soon as possible is the best advice for everyone," said Reguly. "But now that details are out about the ATL vulnerabilities, anyone can dig into the patches for more information. That makes me question whether the third-party applications are at a greater risk now, and for the next couple of weeks, than they were before."
Microsoft also issued the IE update to give readers a secure browser, since IE itself was compiled using the vulnerable ATL, said Sarwate. "IE must [have been] compiled using vulnerable [ATL] libraries, due to which it is vulnerable to the three [vulnerabilities] in MS09-034," he said in a follow-up e-mail Tuesday. "That's how the two bulletins are related."
The out-of-cycle updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.