Vulnerabilities / Threats
7/28/2009
02:45 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Microsoft Issues Emergency Fixes For IE, Visual Studio

Outside of its normal patch cycle, Microsoft has released two security bulletins to fix critical flaws.

Microsoft on Tuesday released two out-of-band security updates to address critical software vulnerabilities in the Microsoft Active Template Library (ATL).

Vulnerabilities arising from the use of the ATL could be exploited by a remote, unauthenticated attacker to run malicious code on an affected computer.

ATL is a set of C++ classes used to create Microsoft software components such as ActiveX controls. The components may be used by Internet Explorer and may be created using Visual Studio.

That's why one bulletin, MS09-034, deals with vulnerable controls in Internet Explorer and one, MS09-035, deals with vulnerabilities in Visual Studio that allow the creation of flawed software components. Collectively, the two bulletins fix six vulnerabilities.

Microsoft has also released a security advisory to provide more information about the two bulletins and related issues.

Mike Reavey, director of the Microsoft Security Response Center, is urging all users of Visual Studio and Internet Explorer to test and deploy the updates as soon as possible.

"The release outside of Microsoft's normal patch window means that exploits for this vulnerability have been spotted in the wild and IT administrators should treat the fixes as high priority," said Amol Sarwarte, manager of the Vulnerabilities Research Lab at Qualys, in an e-mailed statement.

Users of Windows 7 and Internet Explorer 8 are not affected by the issues in MS09-034.

Christopher Budd, security program manager for the Microsoft Security Response Center, said in a blog post that the only known attack against the vulnerabilities arising from the use of the flawed ATL was resolved by a previous bulletin, MS09-032. While that patch disabled the vulnerable Microsoft Video ActiveX Control, it did not address the underlying problem in the ATL that allowed such software components to be created.

MS09-035 provides an updated copy of the ATL that developers can use without creating more vulnerable components. Budd stresses that not all controls built with vulnerable versions of the ATL will produce insecure components. "This will depend on decisions the developer made when building the control or component," he said.

Microsoft last released out-of-band security updates in October and December, 2008.

There's a big buzz surrounding Government 2.0 -- the revolution that's bringing the principles and value of the Web as a platform to the business of governing. Attend Gov 2.0 Expo Showcase and hear innovators show how this is really happening. At the Washington Convention Center, Sept. 8. Find out more and register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0985
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.

CVE-2014-0986
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.

CVE-2014-0987
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.

CVE-2014-0988
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.

CVE-2014-0989
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.

Best of the Web
Dark Reading Radio