Researcher: Microsoft may launch 'month of ATL' patches on Tuesday

Advance notice offers clues Microsoft will update software hit by deep dev bug

Microsoft today said it would deliver nine security updates next Tuesday, all but one affecting Windows. Five are pegged "critical," the company's highest threat rating.

One researcher speculated that most of the updates will tackle bugs introduced when a Microsoft programmer added an extra "&" character to a vital code library.

Of the nine updates previewed today in the monthly advance notification, eight affect various versions of Windows, while the ninth deals with vulnerabilities in Office, Visual Studio, Internet Security and Acceleration Server (ISA Server), BizTalk Server and other products.

One of the eight Windows updates also affects what the bulletin dubbed "Client for Mac," and which Microsoft later confirmed refers to Remote Desktop Connection Client for Mac, software that lets Mac users connect to Windows-based machines.

In addition to the five critical updates, four are marked "important," the next rating down in the company's four-step scoring system.

"It won't be a go-take-a-nap month," said Andrew Storms, director of security operations at nCircle Network Security. "The good thing is that we're not looking at a lot [of vulnerabilities] in the public domain, so that should give everyone some time, a week or two at least, to test the updates before they deploy them."

One of the nine bulletins, however, appears to address the only unsolved issue Microsoft has publicly acknowledged: one or more flaws in its Microsoft Office Web Components (OWC). "The outstanding bug we know [exists] they disclosed July 13," Storms said. "And Bulletin 1 today is the only one that affects the Office Web Components. I'd say that Microsoft's on track to patch that this month."

Last month, Microsoft issued a security advisory related to OWC, saying that hackers were already exploiting an unpatched, critical vulnerability in a company-made ActiveX control, putting people running Internet Explorer (IE) at risk. The flawed ActiveX control is used by IE to display Excel spreadsheets in the browser.

Microsoft's advisory went out the day before its regularly scheduled July batch of security updates; most analysts had not expected to see a fix make the July slate.

Storms' bet that Bulletin 1 will patch the problem seems safe. At the time it issued the advisory, Microsoft warned that users running Office XP, Office 2003, ISA 2004, ISA 2006 and Office Small Business Accounting 2006 were vulnerable to attack through IE. Today, Microsoft called out all those programs, as well as several others, as affected by the expected update.

It's also possible that several of the bulletins outlined today will update Microsoft software that previously contained flaws inherited from a buggy code library, said Storms.

Today's Bulletin 5 looks like the most likely candidate, he said. That bulletin will patch Outlook Express, an entry-level e-mail client Microsoft used to bundle with Windows, as well as update the two newest versions of Windows Media Player. "They could be patching applications that linked to the old library," said Storms, talking about Active Template Library, or ATL. "I wouldn't be surprised if this goes on for a number of months as they go back and check their software."

Just over a week ago, Microsoft rushed a pair of emergency updates to users that plugged multiple holes in IE and Visual Studio. Those vulnerabilities were traced to ATL, a library used by Microsoft and an unknown number of third-party developers to create ActiveX controls and application components. Adobe, for instance, admitted its Flash Player and Shockwave Player were developed using the buggy ATL, and updated both applications late last week after recompiling them with a patched ATL.

Another clue about a connection between Bulletin 5 and ATL comes from a pair of German security researchers, who in early July claimed that several pieces of Microsoft-made software, including Windows Media Player, had used ATL.

The mention of Remote Desktop Connection Client for Mac in Bulletin 2 also hints at an ATL fix. "Client and server side of that equation," said Storms in an instant message follow-up. "Hmm...and remote code [executable], too. It sounds like it's related to the entire Remote Desktop Services."

Remote Desktop Services, which is present on both client and server versions of Windows, is used to access applications and data on a remote system over a network. It was formerly called Terminal Services, which was another Windows component fingered as containing the flawed ATL code by the German researchers.

"I wonder if we aren't looking at an entire month of ATL fixes," said Storms. "One thing I noticed at Black Hat [was that] I didn't see any MSRC [Microsoft Security Response Center] people at the Dowd et al talk when they talked about this [ATL] bug," he added, referring to the Las Vegas security conference that wrapped up a week ago, and a presentation by Mark Dowd, Ryan Smith and David Dewey. "[That] would lead one to believe that [Microsoft had] already worked the issue internally [and that] it was behind them."

But it's impossible to tell the specific components within Windows that Microsoft will patch, and thus what risk users face, until next Tuesday, Storms argued. "It looks like they'll be patching core parts of the operating system," he said. "Sometimes that's a little more worrisome than when Microsoft patches a single application, like IE, because if there's a problem with the patch, the entire OS could go down into a Blue Screen of Death."

Microsoft will release the nine updates at approximately 1 p.m. U.S. ET on Aug. 11.


Gregg Keizer

Computerworld