Softpedia
 


July 29th, 2009, 14:55 GMT · By

Critical Out-Of-Band Internet Explorer Patches Available

Microsoft released an out-of-band security update for Internet Explorer on July 28th, 2009. The move, an exception to the Redmond company's monthly patch cycle, is designed to protect IE users against potential attacks that exploit vulnerabilities in the Microsoft Active Template Library (ATL). Microsoft underlined that no release of Internet Explorer was itself vulnerable to the security flaws in ATL, but that IE was a potential vector for attacks. Essentially, Microsoft Security Bulletin MS09-034, rated Critical, Cumulative Security Update for Internet Explorer (972260), is designed to mitigate known attack paths through IE in scenarios where attacks target vulnerable components and controls that incorporate the ATL security holes.

“The update includes two defense-in-depth protections against known techniques that are able to bypass ActiveX Security Policy when ActiveX controls have been created using certain Active Template Library (ATL) methods in specific configurations. The first defense-in-depth is enabled by default and modifies how ATL-based controls read persisted data. The second defense-in-depth is disabled by default and offers the ability to regulate usage of the IPersistStream and IPersistStorage interface implementations within individual controls,” explained Terry McCoy, program manager, Internet Explorer Security.

Still, while providing protection against ATL exploits, the out-of-cycle security update is in fact designed to patch no fewer than three vulnerabilities: Uninitialized Memory Corruption Vulnerability (CVE-2009-1919), HTML Objects Memory Corruption Vulnerability (CVE-2009-1918), and Memory Corruption Vulnerability (CVE-2009-1917). The patches are already being distributed via Windows Update. Internet Explorer 8 in Windows 7 and Windows Server 2008 R2 is also affected.

“This security update is rated Critical for all released versions of Internet Explorer except Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on supported editions of Windows Server 2003 and Windows Server 2008,” McCoy added. “I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.”
