Microsoft patches last major ATL bugs

Latest fixes for code library typo close 'last big attack vector,' says researcher

Microsoft yesterday wrapped up a months-long job of patching a critical bug it accidently introduced in a crucial code "library," one of the researchers who uncovered the flaw said today.

"They finally released the last patch of Microsoft products yesterday, at least the last for the big attack vectors," said Ryan Smith, the principal research scientist for the Denver-based security consultant company Accuvant. "The patches for [Microsoft] Office closed the last big attack vector for the ATL flaw."

Smith and researchers Mark Dowd and David Dewey, who work for IBM Internet Security Systems' X-Force team, uncovered the bug and first publicly demonstrated how it could be used to attack PCs using Internet Explorer (IE) last July at the Black Hat security conference. Microsoft convinced the trio to stop publicly disclosing their findings until it was able to rush users a pair of emergency updates , which it delivered the day before the Smith-Dowd-Dewey Black Hat presentation.

The same day it delivered the out-of-band updates, Microsoft also acknowledged that an extraneous "&" character in its Active Template Library (ATL), a code library used by both Microsoft and third-party developers to build software, was the root of the bug Smith, Dowd and Dewey discovered.

To fix the flaw, Microsoft was forced to patch its popular Visual Studio development platform, then urged third-party software companies to recompile any applications or code created with the buggy ATL. Microsoft also rooted through its own software for ATL-related bugs, and patched five vulnerabilities in August. At the time, security experts called the ATL-bug update, MS09-037, "awful" and "a handful."

Yesterday, as part of a record-setting security update , Microsoft patched three ATL-related bugs in its Office suite. Smith was credited with reporting two of the three vulnerabilities, while Dewey was named for the third.

"I think this is the end of it for Microsoft," said Smith today, adding that the Office ATL flaws were the only remaining vulnerabilities that he, Dowd and Dewey had uncovered last summer.

All the same, Smith said he was shocked that attackers didn't take advantage of the ATL vulnerabilities before they were patched.

"The original proof of concept was probably the easiest way at the time to exploit a Web browser, and the fact was that it could also be exploited in the same way in Office," said Smith. "So the fact that it wasn't picked up is incredibly surprising to me, considering all the different attack vectors that were available."

Secrecy was key to keeping hackers at bay. "It wasn't public knowledge that [the ATL bug] could be exploited through Office," said Smith. "We tried hard to keep that quiet."

Microsoft also issued a special "kill bit" update Tuesday to disable 15 different ActiveX controls created with the flawed ATL code. The company often sets the kill bits of vulnerable ActiveX controls as a protective measure in lieu of a patch, or as a stop-gap until a patch is available. Among the 15 ActiveX controls, all built by Microsoft for use in IE, were ones called on by its Windows Live Mail, Windows Live Messenger, MSN Photo Upload Tool and Office.

Smith said he expected that Microsoft will eventually patch some, if not all, of the disabled ActiveX controls.

Microsoft delivered the ATL patches for Office yesterday at 1 p.m. ET via its Microsoft Update and Windows Update services, as well as through the enterprise-grade Windows Server Update Services (WSUS).

Join the PC World newsletter!

Error: Please check your email address.

Tags Microsoftbugsatl bugs

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?