Microsoft rushes patches to fix 'big deal' programming flaw

Developers who used the buggy code 'library' must redo software, update customers

As promised, Microsoft today patched six vulnerabilities in Internet Explorer (IE) and Visual Studio with the first "out-of-cycle" update since it plugged a hole last October that the Conficker worm later used to run rampant.

Microsoft has been working on the Visual Studio bugs, and coordinating with third-party developers who may have crafted vulnerable software using Visual Studio, since early 2008.

As some had speculated, Microsoft rushed the patches to users this week to preempt a presentation slated for tomorrow at Black Hat by several security researchers. They plan to demonstrate a way for attackers to bypass the "kill-bit" defenses that Microsoft frequently deploys as a stop-gap measure.

"We put this out-of-cycle because we have seen at least one attack using an ATL vulnerability," Mike Reavey, director of Microsoft's Security Response Center (MSRC), said in an interview today. "And there was more speculation and more details being released before Black Hat. We had the patches ready for broad release, so we decided to release them today."

Without the pressure from Black Hat, Microsoft would have waited until Aug. 11, when the company will release its next regularly-scheduled security update.

The two emergency updates, MS09-034 and MS09-035, fixed three "critical" flaws in IE, added new defensive technology to the browser and patched three "moderate" bugs in Visual Studio.

But in an unusual reversal, Microsoft hinted -- and some researchers agreed -- that the moderate bugs may actually pose the more serious long-term threat. That's because the Visual Studio vulnerabilities are in a code "library," dubbed Active Template Library (ATL), that Microsoft and an unknown number of third-party developers used to create their own ActiveX controls and application components.

"ATL is a C++ library, and one that's pretty commonly used by developers," said Amol Sarwate, the manager of Qualys' vulnerability research lab.

"This will be one of those where users are vulnerable from hackers much longer than the usual," added John Pescatore, an analyst with Gartner. "This is a big deal. Microsoft may be fixing the underlying problem in ATL, and pushing out this shielding thing that will protect users of IE, but there's no way of knowing how many applications or controls have this flaw baked into them."

"This is a complex issue, providing a comprehensive response to a library vulnerability," Reavey acknowledged. "Library issues are hard to deal with, and take a lot of collaboration to resolve them." That's because a library flaw affects not just the development platform -- in this case Visual Studio -- but can also creep into the resulting code written with that platform.

Reavey admitted that it was difficult to tell how many developers had used the buggy ATL, and thus, how many vulnerable pieces of code are in circulation. In fact, Microsoft has not yet finished examining its own code for flaws. "We're still investigating," he said when asked whether Microsoft had found bugs in software such as Windows Media Player, which some researchers have pegged as including the vulnerable ATL code.

Microsoft urged developers to look at their software, and if necessary, recompile it with the patched ATL. "Microsoft strongly recommends that developers who have built controls or components with ATL take immediate action to evaluate their controls for exposure to a vulnerable condition and follow the guidance provided to create controls and components that are not vulnerable," said Microsoft in an unusual accompanying security advisory that spelled out the risks posed to developers, IT professionals and consumers.

The company will continue to work with third-party software makers to help them uncover bad ATL code, Reavey said, but he declined to name vendors that may be close to re-releasing patched ActiveX controls or applications.

To protect Windows users in the meantime, Microsoft partnered the Visual Studio update with one for IE. "MS09-034 blocks all currently-known attacks while those [vulnerable controls and components] are being updated by their developers," said Reavey. He also confirmed that the IE update prevents attackers from using the "kill-bit bypass" technique that Ryan Smith of VeriSign iDefense, and Mark Dowd and David Dewey with IBM Internet Security Systems' X-Force, will demonstrate Wednesday at Black Hat.

The additions to IE don't block all vulnerable ActiveX controls, admitted Reavey, but instead check to see whether those controls are using specific methods known to trigger the bugs; it then blocks those that are. Some of the blocking technology is turned on by default, but other pieces, including one Microsoft itself called a "heavy hammer," have been left off. Developers can opt-in to that "hammer" by adding code to their ActiveX controls.

Tyler Reguly, a Toronto-based researcher at nCircle Security, said that users are between a rock and a hard place. "Rolling out the IE patch as soon as possible is the best advice for everyone," said Reguly. "But now that details are out about the ATL vulnerabilities, anyone can dig into the patches for more information. That makes me question whether the third-party applications are at a greater risk now, and for the next couple of weeks, than they were before."

Microsoft also issued the IE update to give readers a secure browser, since IE itself was compiled using the vulnerable ATL, said Sarwate. "IE must [have been] compiled using vulnerable [ATL] libraries, due to which it is vulnerable to the three [vulnerabilities] in MS09-034," he said in a follow-up e-mail Tuesday. "That's how the two bulletins are related."

The out-of-cycle updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftInternet Exploreractivexmicrosoft patchesvisual studioblack hat

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Computerworld Staff

Computerworld Staff

Show Comments

Brand Post

PC World Evaluation Team Review - MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?