Microsoft’s Patch Tuesday Fixes More ATL Holes

Patch Tuesday

Microsoft issued patches for 19 security holes in its products as part of this month’s Patch Tuesday roundup — including updates designed to lock down several persistent, high-profile vulnerabilities.

The company rated five of the release’s nine patches as “critical.”

One in particular fixes five vulnerabilities in the Active Template Library (ATL), a component instrumental in a slew of products from Microsoft (NASDAQ: MSFT) and other companies. Microsoft originally patched the flaw with a so-called “out-of-band” patch on July 28. But since then, the company identified five more vulnerabilities in the code, which are addressed by the fix.

Microsoft admitted that one of the newly discovered ATL holes is already under attack in the wild.

“That’s the patch that’s likely to get the most attention,” Don Retallack, lead analyst at Directions on Microsoft, told

That’s because the library has been used in perhaps thousands of products over the years — including those by other major companies.

“The issue is that developers have been including this flawed code in ActiveX controls for over ten years,” David Dewey, a researcher in IBM’s Internet Security Systems, said in an e-mail to

Adobe, for instance, released fixes to its own Flash and Shockwave products late last month.

“Given the breadth of affected technologies, one can only imagine the effort required to track down affected applications, recompile, test, and redistribute,” Sheldon Malm, senior director of security strategy at security firm Rapid7, said in an e-mail to “This one is just awful and Microsoft has clearly felt their customers’ pain in trying to clean this up.”

As it turns out, the flaw ultimately responsible for such widespread concern came down to a single stray keystroke, Microsoft has said.

Office Web Components, WINS patched

Other critical patches in today’s Patch Tuesday release include fixes for security holes that Microsoft identified last month in a Web publishing technology called Office Web Components, used to publish Office documents on a Web site.

The company had earlier issued a workaround for the hole, which at the time was already being exploited to carry out attacks on the Web.

Another major vulnerability addressed in Patch Tuesday involves the Windows Internet Name Service, or WINS.

The scary part: two vectors of exploit,” Malm said. “The not-so-scary part: WINS is not installed by default and probably shouldn’t be.”

Microsoft’s Security Bulletins for August and their patches are located here.

News Around the Web