Microsoft today made good on plans to release patches aimed at heading off potentially nasty attacks against Internet Explorer (IE) plug-ins and other programs constructed using a technology called the Active Template Library, or ATL.
Additionally, the patches are designed to fix problems that go beyond the software titan, potentially impacting third-party developers who have used the company’s Visual Studio development environment.
Microsoft (NASDAQ: MSFT) announced Friday it would release two “out-of-band” patches to block the potential of attacks.
It’s no coincidence that the release comes the same week as the Black Hat security conference in Las Vegas, however. The release is in response to a session at the conference that will reveal the ATL problems, a Microsoft spokesperson confirmed.
The software titan only rarely releases an out-of-band patch — so-called because the patch is considered so critical as to warrant releasing it in between the company’s regular “Patch Tuesday” drops. For consistency, Microsoft delivers new bug patches once a month on the second Tuesday. Therefore, the next Patch Tuesday is two weeks from now on Aug. 11 — a particularly long wait if a conference full of hackers is ready to swing into action.
That timing has security watchers likewise urging their customers to hop on the latest updates.
“Shavlik recommends installing the IE patch as soon as possible as it helps protect against a flaw being demonstrated at Black Hat tomorrow … that might allow an attacker to bypass the killbits that were set to protect a machine against unsafe ActiveX controls,” Eric Schultze, CTO of security vendor Shavlik Technologies, said in an e-mailed statement.
“Failing to patch for this issue is like purposely uninstalling eight prior IE patches — not something you want to do. Patch this one right away,” Schultze added.
So far, there have been no active attacks on the vulnerabilities in the wild, according to Microsoft’s security bulletins. In a way, the two patches may be something of a relief for admins in that they are not coming in response to attacks that have already started — a so-called zero-day.
Visual Studio developers face complex task
Tuesday’s out-of-band patches fix vulnerabilities that Microsoft describes as critical, located in parts of IE that use the ATL.
All supported versions of IE are affected, from IE 5.01 on Windows 2000 Service Pack 4 (SP4) through IE6 and IE7, and including IE8, whether running on Windows XP SP2 and SP3 or on Windows Vista. However, IE8 on Windows 7, which was released to manufacturing last week, is not affected. A successful exploit could completely compromise a user’s PC.
The patches also tackle flaws rated “moderate,” located at the source of the problem in Visual Studio. Vulnerable plug-ins and other programs are built with Visual Studio, which uses the ATL.
Even though the Visual Studio patches are rated moderate rather than critical, that does not mean patching the development environment itself is unimportant.
The scope of the problem goes far beyond just Microsoft because not only is ATL ten or more years old, but also “thousands and thousands” of programs have been written that use the code, Amol Sarwate, vulnerabilities research manager at security vendor Qualys, told InternetNews.com.
“The IE issue will be fixed today, but the Visual Studio problem won’t really be fixed for a long time,” Sarwate added.
Many IE controls as well as other programs have been written over the years by third-party developers using ATL. Those must now be recompiled, then redistributed to developers’ customers, and finally installed by users — a complex and time-consuming process.
In addition to fixing an ATL hole in IE, the browser patch also fixes two other privately reported security bugs — also rated “critical” — that have not yet been exploited, the company said.
Microsoft has released separate Security Bulletins for the IE8 bugs and the Visual Studio bugs that include links to the patches.