Microsoft rushes patches to fix 'big deal' programming flaw

Developers who used the buggy code 'library' must redo software, update customers

As promised, Microsoft today patched six vulnerabilities in Internet Explorer (IE) and Visual Studio with the first "out-of-cycle" update since it plugged a hole last October that the Conficker worm later used to run rampant.

Microsoft has been working on the Visual Studio bugs, and coordinating with third-party developers who may have crafted vulnerable software using Visual Studio, since early 2008.

As some had speculated, Microsoft rushed the patches to users this week to preempt a presentation slated for tomorrow at Black Hat by several security researchers. They plan to demonstrate a way for attackers to bypass the "kill-bit" defenses that Microsoft frequently deploys as a stop-gap measure.

"We put this out-of-cycle because we have seen at least one attack using an ATL vulnerability," Mike Reavey, director of Microsoft's Security Response Center (MSRC), said in an interview today. "And there was more speculation and more details being released before Black Hat. We had the patches ready for broad release, so we decided to release them today."

Without the pressure from Black Hat, Microsoft would have waited until Aug. 11, when the company will release its next regularly-scheduled security update.

The two emergency updates, MS09-034 and MS09-035, fixed three "critical" flaws in IE, added new defensive technology to the browser and patched three "moderate" bugs in Visual Studio.

But in an unusual reversal, Microsoft hinted -- and some researchers agreed -- that the moderate bugs may actually pose the more serious long-term threat. That's because the Visual Studio vulnerabilities are in a code "library," dubbed Active Template Library (ATL), that Microsoft and an unknown number of third-party developers used to create their own ActiveX controls and application components.

"ATL is a C++ library, and one that's pretty commonly used by developers," said Amol Sarwate, the manager of Qualys' vulnerability research lab.

"This will be one of those where users are vulnerable from hackers much longer than the usual," added John Pescatore, an analyst with Gartner. "This is a big deal. Microsoft may be fixing the underlying problem in ATL, and pushing out this shielding thing that will protect users of IE, but there's no way of knowing how many applications or controls have this flaw baked into them."

"This is a complex issue, providing a comprehensive response to a library vulnerability," Reavey acknowledged. "Library issues are hard to deal with, and take a lot of collaboration to resolve them." That's because a library flaw affects not just the development platform -- in this case Visual Studio -- but can also creep into the resulting code written with that platform.

Reavey admitted that it was difficult to tell how many developers had used the buggy ATL, and thus, how many vulnerable pieces of code are in circulation. In fact, Microsoft has not yet finished examining its own code for flaws. "We're still investigating," he said when asked whether Microsoft had found bugs in software such as Windows Media Player, which some researchers have pegged as including the vulnerable ATL code.

Microsoft urged developers to look at their software, and if necessary, recompile it with the patched ATL. "Microsoft strongly recommends that developers who have built controls or components with ATL take immediate action to evaluate their controls for exposure to a vulnerable condition and follow the guidance provided to create controls and components that are not vulnerable," said Microsoft in an unusual accompanying security advisory that spelled out the risks posed to developers, IT professionals and consumers.

The company will continue to work with third-party software makers to help them uncover bad ATL code, Reavey said, but he declined to name vendors that may be close to re-releasing patched ActiveX controls or applications.

To protect Windows users in the meantime, Microsoft partnered the Visual Studio update with one for IE. "MS09-034 blocks all currently-known attacks while those [vulnerable controls and components] are being updated by their developers," said Reavey. He also confirmed that the IE update prevents attackers from using the "kill-bit bypass" technique that Ryan Smith of VeriSign iDefense, and Mark Dowd and David Dewey with IBM Internet Security Systems' X-Force, will demonstrate Wednesday at Black Hat.

The additions to IE don't block all vulnerable ActiveX controls, admitted Reavey, but instead check to see whether those controls are using specific methods known to trigger the bugs; it then blocks those that are. Some of the blocking technology is turned on by default, but other pieces, including one Microsoft itself called a "heavy hammer," have been left off. Developers can opt-in to that "hammer" by adding code to their ActiveX controls.

Tyler Reguly, a Toronto-based researcher at nCircle Security, said that users are between a rock and a hard place. "Rolling out the IE patch as soon as possible is the best advice for everyone," said Reguly. "But now that details are out about the ATL vulnerabilities, anyone can dig into the patches for more information. That makes me question whether the third-party applications are at a greater risk now, and for the next couple of weeks, than they were before."

Microsoft also issued the IE update to give readers a secure browser, since IE itself was compiled using the vulnerable ATL, said Sarwate. "IE must [have been] compiled using vulnerable [ATL] libraries, due to which it is vulnerable to the three [vulnerabilities] in MS09-034," he said in a follow-up e-mail Tuesday. "That's how the two bulletins are related."

The out-of-cycle updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Join the PC World newsletter!

Error: Please check your email address.

Tags visual studioMicrosoftblack hatactivexmicrosoft patchesInternet Explorer

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Computerworld Staff

Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?