[Infowarrior] - Microsoft's Emergency Patch Mess

Richard Forno rforno at infowarrior.org
Wed Jul 29 11:33:49 UTC 2009


Microsoft's Emergency Patch Mess

http://voices.washingtonpost.com/securityfix/2009/07/microsofts_emergency_patch_mes.html?hpid=sec-tech
Microsoft today released a pair of emergency software updates (Redmond
calls them "out-of-band" updates). Yes, that's right folks: If you use
Windows -- and especially if you browse the Web with Internet
Explorer -- it's once again time to update.

The backstory to these patches is a bit complex, so here's the short
version: A while back, Microsoft introduced several security flaws
into a widely used software development library that it ships to
third-party developers, and today it's correcting that error by
issuing an updated version of that library. A second update tries to
block attackers from exploiting those weaknesses while third-party
software makers rebuild their code with the updated library.

On a scale of 1 to 10, with 10 being the most dire and far-reaching,  
Eric Schultze, chief technology officer at Shavlik Technologies, said  
he'd put the seriousness of today's out-of-band patch releases at an 8.

"When I was at Microsoft, there were a couple of issues that we  
referred to as 'Voldemort,' meaning they were so nasty you didn't even  
want to speak their names, and this one is kind of like 'Son of  
Voldemort,'" Schultze said. "You really start to lose confidence in  
Microsoft's security mechanisms when something like this happens."

At issue is a faulty software development "template" or code library
that Microsoft makes available to other software makers. This flawed
library, a C++ template library known as the Active Template Library
or ATL, ships as part of Microsoft Visual Studio, Microsoft's software
development suite. ATL helps developers create ActiveX controls,
powerful components of Windows and Internet Explorer that were designed
to let Web sites deliver interactive, multimedia-rich pages.

The problem is that the template code is compiled into each control
that uses it, so potentially every ActiveX control built with the
flawed version carries its own copy of the bug. Fixing the library
alone does nothing for controls already shipped; each one has to be
rebuilt.

A good example of a buggy ActiveX control produced by this flawed
template came to light last month, when Microsoft warned that
attackers were exploiting a flawed Video ActiveX control to break into
Windows systems when users visited booby-trapped Web sites with IE. To
blunt the threat from that vulnerability, Microsoft simply disabled
that flawed Video ActiveX control in Windows by setting its "kill
bit," a registry flag that tells IE never to instantiate a given
control, so that it could no longer be invoked by Web pages.

Or so Redmond thought. It turns out that disabling faulty controls
isn't as effective as fixing them, as several security researchers
presenting Wednesday at the Black Hat hacker conference in Las Vegas
will show. Researchers Ryan Smith and David Dewey from Verisign
iDefense, and Mark Dowd from IBM's X-Force team, will demonstrate how
attackers can still exploit these buggy ActiveX controls even after
they have been disabled in Windows: the kill bit only stops IE from
creating the control by its registered identifier, while the
vulnerable code itself stays on the system. The researchers have
posted a teaser video previewing their Black Hat presentation.
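Since the article's point is that a disabled control is not a fixed control, a practitioner will want to see which controls on a machine have actually been disabled and which binaries still back them. The following PowerShell is an added example, not code from the article, from Microsoft or from the researchers named above. It assumes only what Microsoft documents for the kill-bit mechanism (KB 240797): per-CLSID subkeys under the "ActiveX Compatibility" registry key, a DWORD named "Compatibility Flags", and the 0x400 bit meaning "never instantiate". The CLSID used in the usage line is a placeholder, not the Video control's real identifier.

```powershell
# Added example (not from the article). Enumerates every ActiveX control that
# Internet Explorer has been told never to instantiate, by reading each CLSID's
# "Compatibility Flags" value under the ActiveX Compatibility key and testing
# the kill bit (0x400), per Microsoft KB 240797. For each kill-bitted CLSID it
# also resolves the registered in-process server DLL and checks whether that
# file is still present: a set kill bit says nothing about whether the control's
# own copy of the flawed ATL code has been fixed. Run in an elevated prompt.

function Get-KillBittedControls {
    $KillBit = 0x400
    # The Wow6432Node path covers 32-bit IE on 64-bit Windows.
    $compatKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    ) | Where-Object { Test-Path $_ }

    foreach ($compatKey in $compatKeys) {
        foreach ($entry in Get-ChildItem -Path $compatKey) {
            $clsid = $entry.PSChildName   # subkey name is the control's CLSID
            $flags = (Get-ItemProperty -Path $entry.PSPath -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -eq $flags -or (($flags -band $KillBit) -eq 0)) { continue }

            # Resolve the implementing DLL from the COM registration, if present.
            $server = $null
            foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
                $inproc = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    $server = (Get-ItemProperty -Path $inproc).'(default)'
                    break
                }
            }

            $onDisk = $false
            if ($server) {
                $path = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
                $onDisk = Test-Path -LiteralPath $path
            }

            [pscustomobject]@{
                CLSID            = $clsid
                CompatibilityKey = $compatKey
                Flags            = '0x{0:X8}' -f $flags
                Server           = $server
                ServerOnDisk     = $onDisk
            }
        }
    }
}

function Test-KillBit {
    # True if the given CLSID has the kill bit set in any ActiveX Compatibility key.
    param([Parameter(Mandatory)][string]$Clsid)
    @(Get-KillBittedControls | Where-Object { $_.CLSID -ieq $Clsid }).Count -gt 0
}

# Usage. The CLSID below is a placeholder (an assumption for illustration),
# not the Video ActiveX control's real identifier.
Get-KillBittedControls | Sort-Object CLSID | Format-Table -AutoSize
Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

Read the `ServerOnDisk` column with the article's thesis in mind: a `True` there means the control's DLL, and with it whatever version of the ATL code it was compiled against, is still installed even though IE will refuse to create it by that CLSID.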

In response to this threat, one of the patches Microsoft shipped today
(bulletin MS09-035) fixes the flawed code library in Visual Studio,
and the company is urging developers to use it to rebuild any ActiveX
controls that may have been developed with the earlier version. The
other patch pushed out today (bulletin MS09-034) updates Internet
Explorer so that it looks for and blocks attempts to load ActiveX
controls developed with the faulty code library.

"The reason we've released these out of cycle is that we were aware of
attacks on [the Video ActiveX control] that were using the
vulnerability in ATL, and we saw that more details about the issue
were being disclosed, increasing the risk to customers," said Mike
Reavey, director of the Microsoft Security Response Center. "We decided
to issue these updates now rather than wait for things to get worse."

Reavey declined to say just how many third-party ActiveX controls or
developers may need to revamp their code to fix this bug, but he said
Microsoft has been reaching out to the most affected parties with  
guidance on how best to fix the problem. "That collaboration has been  
underway for a while," he said. "I don't want to go into specifics of  
who we've reported to or what status of that investigation is."

The company is urging developers who may be affected to check their  
ActiveX controls at Verizon's free ActiveX Control Testing site.

If you use Windows but browse the Web with a non-IE browser, you  
probably still want to apply this emergency Internet Explorer patch,  
for two reasons.

"Because IE is so tightly integrated with the operating system,  
there's a chance you could click on something in one application that  
would open something in IE, so it's best to be on the safe side,"  
Shavlik's Schultze said.

Also, the IE update includes fixes for three unrelated, critical  
vulnerabilities that hackers could exploit to install malicious code  
on your system just by tricking you into visiting a hacked or  
specially crafted evil Web site (with IE, of course, but then again,  
see warning No. 1).