In Microsoft ATL

Jul 29, 2009 16:17 GMT

The security bulletin released for the Visual Studio Active Template Library is an integral part of a package of patches that Microsoft made available out-of-band, that is, outside of the normal monthly update cycle. Microsoft Security Bulletin MS09-035 was released in conjunction with MS09-034 for Internet Explorer, and both come on top of MS09-032, a cumulative security update of ActiveX killbits released earlier this month.

With MS09-032, the software giant patched a vulnerability affecting the Microsoft Video ActiveX Control. However, independent security researchers demonstrated that the ActiveX killbits for MSVidCtl.dll were insufficient to protect end users. Mark Dowd, Ryan Smith and David Dewey came up with an attack designed to bypass the blacklist put in place by the Redmond-based company, and essentially exploit the patched vulnerability.

“The two security updates together address separate CVEs but are being addressed out-of-band because they are related,” revealed Jonathan Ness, MSRC Engineering. “Allow me to explain: The relevant CVEs warranting the out-of-band release are included in the Visual Studio bulletin (MS09-035) CVE-2009-0901 and CVE-2009-2493 (ATL header and libraries update), and are also discussed in Security Advisory 973882. These are the vulnerabilities in the ATL that could be exposed in various controls and are currently being discussed publicly. However, we’ve also released an Internet Explorer update. This is being released to help protect customers while developers update their controls as defense-in-depth measures in Internet Explorer that help prevent exploitation of all known ATL vulnerabilities.”

Microsoft acknowledged that the combination of vulnerable components loaded by Internet Explorer, together with the security flaws in the Active Template Library, created a vector of attack that could have been exploited by attackers. However, Microsoft underlined that there were no attacks designed to exploit the vulnerabilities patched via its out-of-band security update. The software giant noted that it was aware of just a single active attack on an ATL vulnerability targeting the msvidctl.dll control, patched originally by the killbits offered through MS09-032.

“Microsoft also published Security Advisory 973882 to provide comprehensive guidance to customers regarding the issue. The advisory provides information on what steps developers can take to verify if controls and components developed using Active Template Library are vulnerable, and if so, the steps to take to rebuild and resolve the vulnerability. The advisory also includes information on specific steps customers can take to protect themselves from attacks involving vulnerable controls and components that were developed using affected versions of the Active Template Library,” stated Mike Reavey, director of the Microsoft Security Response Center.

At the same time, the software giant confirmed that the two out-of-band updates would render useless any attempts to bypass the killbit measures put in place with MS09-032. On unpatched systems, an attacker could force MSVidCtl.dll to load in IE and execute arbitrary code on a victim's computer, effectively taking over the machine.

“Customers who are currently up to date on their security updates are protected from known attacks related to this out-of-band release. Microsoft strongly encourages all Visual Studio and Internet Explorer customers to test and deploy these updates as soon as possible. To ensure customers are protected as quickly as possible, Microsoft is working to identify all vulnerable Microsoft-authored controls and components and will provide additional updates. The company is also working to provide guidance and information that ISVs can use to determine if their components and controls are affected and what they can do to address them,” Reavey promised.