Microsoft patches last major ATL bugs

Latest fixes for code library typo close 'last big attack vector,' says researcher

Microsoft yesterday wrapped up a months-long job of patching a critical bug it accidently introduced in a crucial code "library," one of the researchers who uncovered the flaw said today.

"They finally released the last patch of Microsoft products yesterday, at least the last for the big attack vectors," said Ryan Smith, the principal research scientist for the Denver-based security consultant company Accuvant. "The patches for [Microsoft] Office closed the last big attack vector for the ATL flaw."

Smith and researchers Mark Dowd and David Dewey, who work for IBM Internet Security Systems' X-Force team, uncovered the bug and first publicly demonstrated how it could be used to attack PCs using Internet Explorer (IE) last July at the Black Hat security conference. Microsoft convinced the trio to stop publicly disclosing their findings until it was able to rush users a pair of emergency updates , which it delivered the day before the Smith-Dowd-Dewey Black Hat presentation.

The same day it delivered the out-of-band updates, Microsoft also acknowledged that an extraneous "&" character in its Active Template Library (ATL), a code library used by both Microsoft and third-party developers to build software, was the root of the bug Smith, Dowd and Dewey discovered.

To fix the flaw, Microsoft was forced to patch its popular Visual Studio development platform, then urged third-party software companies to recompile any applications or code created with the buggy ATL. Microsoft also rooted through its own software for ATL-related bugs, and patched five vulnerabilities in August. At the time, security experts called the ATL-bug update, MS09-037, "awful" and "a handful."

Yesterday, as part of a record-setting security update , Microsoft patched three ATL-related bugs in its Office suite. Smith was credited with reporting two of the three vulnerabilities, while Dewey was named for the third.

"I think this is the end of it for Microsoft," said Smith today, adding that the Office ATL flaws were the only remaining vulnerabilities that he, Dowd and Dewey had uncovered last summer.

All the same, Smith said he was shocked that attackers didn't take advantage of the ATL vulnerabilities before they were patched.

"The original proof of concept was probably the easiest way at the time to exploit a Web browser, and the fact was that it could also be exploited in the same way in Office," said Smith. "So the fact that it wasn't picked up is incredibly surprising to me, considering all the different attack vectors that were available."

Secrecy was key to keeping hackers at bay. "It wasn't public knowledge that [the ATL bug] could be exploited through Office," said Smith. "We tried hard to keep that quiet."

Microsoft also issued a special "kill bit" update Tuesday to disable 15 different ActiveX controls created with the flawed ATL code. The company often sets the kill bits of vulnerable ActiveX controls as a protective measure in lieu of a patch, or as a stop-gap until a patch is available. Among the 15 ActiveX controls, all built by Microsoft for use in IE, were ones called on by its Windows Live Mail, Windows Live Messenger, MSN Photo Upload Tool and Office.

Smith said he expected that Microsoft will eventually patch some, if not all, of the disabled ActiveX controls.

Microsoft delivered the ATL patches for Office yesterday at 1 p.m. ET via its Microsoft Update and Windows Update services, as well as through the enterprise-grade Windows Server Update Services (WSUS).

Tags Microsoftbugsatl bugs

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?