Vulnerabilities / Threats
7/28/2009
02:45 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Microsoft Issues Emergency Fixes For IE, Visual Studio

Outside of its normal patch cycle, Microsoft has released two security bulletins to fix critical flaws.

Microsoft on Tuesday released two out-of-band security updates to address critical software vulnerabilities in the Microsoft Active Template Library (ATL).

Vulnerabilities arising from the use of the ATL could be exploited by a remote, unauthenticated attacker to run malicious code on an affected computer.

ATL is a set of C++ classes used to create Microsoft software components such as ActiveX controls. The components may be used by Internet Explorer and may be created using Visual Studio.

That's why one bulletin, MS09-034, deals with vulnerable controls in Internet Explorer and one, MS09-035, deals with vulnerabilities in Visual Studio that allow the creation of flawed software components. Collectively, the two bulletins fix six vulnerabilities.

Microsoft has also released a security advisory to provide more information about the two bulletins and related issues.

Mike Reavey, director of the Microsoft Security Response Center, is urging all users of Visual Studio and Internet Explorer to test and deploy the updates as soon as possible.

"The release outside of Microsoft's normal patch window means that exploits for this vulnerability have been spotted in the wild and IT administrators should treat the fixes as high priority," said Amol Sarwarte, manager of the Vulnerabilities Research Lab at Qualys, in an e-mailed statement.

Users of Windows 7 and Internet Explorer 8 are not affected by the issues in MS09-034.

Christopher Budd, security program manager for the Microsoft Security Response Center, said in a blog post that the only known attack against the vulnerabilities arising from the use of the flawed ATL was resolved by a previous bulletin, MS09-032. While that patch disabled the vulnerable Microsoft Video ActiveX Control, it did not address the underlying problem in the ATL that allowed such software components to be created.

MS09-035 provides an updated copy of the ATL that developers can use without creating more vulnerable components. Budd stresses that not all controls built with vulnerable versions of the ATL will produce insecure components. "This will depend on decisions the developer made when building the control or component," he said.

Microsoft last released out-of-band security updates in October and December, 2008.

There's a big buzz surrounding Government 2.0 -- the revolution that's bringing the principles and value of the Web as a platform to the business of governing. Attend Gov 2.0 Expo Showcase and hear innovators show how this is really happening. At the Washington Convention Center, Sept. 8. Find out more and register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7441
Published: 2015-05-29
The modern style negotiation in Network Block Device (nbd-server) 2.9.22 through 3.3 allows remote attackers to cause a denial of service (root process termination) by (1) closing the connection during negotiation or (2) specifying a name for a non-existent export.

CVE-2014-9727
Published: 2015-05-29
AVM Fritz!Box allows remote attackers to execute arbitrary commands via shell metacharacters in the var:lang parameter to cgi-bin/webcm.

CVE-2015-0200
Published: 2015-05-29
IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x before 7.0.0.8 IF2 allows local users to obtain sensitive database information via unspecified vectors.

CVE-2015-0751
Published: 2015-05-29
Cisco IP Phone 7861, when firmware from Cisco Unified Communications Manager 10.3(1) is used, allows remote attackers to cause a denial of service via crafted packets, aka Bug ID CSCus81800.

CVE-2015-0752
Published: 2015-05-29
Cross-site scripting (XSS) vulnerability in Cisco TelePresence Video Communication Server (VCS) X8.5.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCut27635.

Dark Reading Radio
Archived Dark Reading Radio
After a serious cybersecurity incident, everyone will be looking to you for answers -- but you’ll never have complete information and you’ll never have enough time. So in those heated moments, when a business is on the brink of collapse, how will you and the rest of the board room executives respond?