Microsoft patches last major ATL bugs

Latest fixes for code library typo close 'last big attack vector,' says researcher

Microsoft yesterday wrapped up a months-long job of patching a critical bug it accidently introduced in a crucial code "library," one of the researchers who uncovered the flaw said today.

"They finally released the last patch of Microsoft products yesterday, at least the last for the big attack vectors," said Ryan Smith, the principal research scientist for the Denver-based security consultant company Accuvant. "The patches for [Microsoft] Office closed the last big attack vector for the ATL flaw."

Smith and researchers Mark Dowd and David Dewey, who work for IBM Internet Security Systems' X-Force team, uncovered the bug and first publicly demonstrated how it could be used to attack PCs using Internet Explorer (IE) last July at the Black Hat security conference. Microsoft convinced the trio to stop publicly disclosing their findings until it was able to rush users a pair of emergency updates , which it delivered the day before the Smith-Dowd-Dewey Black Hat presentation.

The same day it delivered the out-of-band updates, Microsoft also acknowledged that an extraneous "&" character in its Active Template Library (ATL), a code library used by both Microsoft and third-party developers to build software, was the root of the bug Smith, Dowd and Dewey discovered.

To fix the flaw, Microsoft was forced to patch its popular Visual Studio development platform, then urged third-party software companies to recompile any applications or code created with the buggy ATL. Microsoft also rooted through its own software for ATL-related bugs, and patched five vulnerabilities in August. At the time, security experts called the ATL-bug update, MS09-037, "awful" and "a handful."

Yesterday, as part of a record-setting security update , Microsoft patched three ATL-related bugs in its Office suite. Smith was credited with reporting two of the three vulnerabilities, while Dewey was named for the third.

"I think this is the end of it for Microsoft," said Smith today, adding that the Office ATL flaws were the only remaining vulnerabilities that he, Dowd and Dewey had uncovered last summer.

All the same, Smith said he was shocked that attackers didn't take advantage of the ATL vulnerabilities before they were patched.

"The original proof of concept was probably the easiest way at the time to exploit a Web browser, and the fact was that it could also be exploited in the same way in Office," said Smith. "So the fact that it wasn't picked up is incredibly surprising to me, considering all the different attack vectors that were available."

Secrecy was key to keeping hackers at bay. "It wasn't public knowledge that [the ATL bug] could be exploited through Office," said Smith. "We tried hard to keep that quiet."

Microsoft also issued a special "kill bit" update Tuesday to disable 15 different ActiveX controls created with the flawed ATL code. The company often sets the kill bits of vulnerable ActiveX controls as a protective measure in lieu of a patch, or as a stop-gap until a patch is available. Among the 15 ActiveX controls, all built by Microsoft for use in IE, were ones called on by its Windows Live Mail, Windows Live Messenger, MSN Photo Upload Tool and Office.

Smith said he expected that Microsoft will eventually patch some, if not all, of the disabled ActiveX controls.

Microsoft delivered the ATL patches for Office yesterday at 1 p.m. ET via its Microsoft Update and Windows Update services, as well as through the enterprise-grade Windows Server Update Services (WSUS).

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Microsoftbugsatl bugs

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?