Vulnerabilities / Threats
7/28/2009
02:45 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Microsoft Issues Emergency Fixes For IE, Visual Studio

Outside of its normal patch cycle, Microsoft has released two security bulletins to fix critical flaws.

Microsoft on Tuesday released two out-of-band security updates to address critical software vulnerabilities in the Microsoft Active Template Library (ATL).

Vulnerabilities arising from the use of the ATL could be exploited by a remote, unauthenticated attacker to run malicious code on an affected computer.

ATL is a set of C++ classes used to create Microsoft software components such as ActiveX controls. The components may be used by Internet Explorer and may be created using Visual Studio.

That's why one bulletin, MS09-034, deals with vulnerable controls in Internet Explorer and one, MS09-035, deals with vulnerabilities in Visual Studio that allow the creation of flawed software components. Collectively, the two bulletins fix six vulnerabilities.

Microsoft has also released a security advisory to provide more information about the two bulletins and related issues.

Mike Reavey, director of the Microsoft Security Response Center, is urging all users of Visual Studio and Internet Explorer to test and deploy the updates as soon as possible.

"The release outside of Microsoft's normal patch window means that exploits for this vulnerability have been spotted in the wild and IT administrators should treat the fixes as high priority," said Amol Sarwarte, manager of the Vulnerabilities Research Lab at Qualys, in an e-mailed statement.

Users of Windows 7 and Internet Explorer 8 are not affected by the issues in MS09-034.

Christopher Budd, security program manager for the Microsoft Security Response Center, said in a blog post that the only known attack against the vulnerabilities arising from the use of the flawed ATL was resolved by a previous bulletin, MS09-032. While that patch disabled the vulnerable Microsoft Video ActiveX Control, it did not address the underlying problem in the ATL that allowed such software components to be created.

MS09-035 provides an updated copy of the ATL that developers can use without creating more vulnerable components. Budd stresses that not all controls built with vulnerable versions of the ATL will produce insecure components. "This will depend on decisions the developer made when building the control or component," he said.

Microsoft last released out-of-band security updates in October and December, 2008.

There's a big buzz surrounding Government 2.0 -- the revolution that's bringing the principles and value of the Web as a platform to the business of governing. Attend Gov 2.0 Expo Showcase and hear innovators show how this is really happening. At the Washington Convention Center, Sept. 8. Find out more and register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0547
Published: 2015-07-04
The D2CenterstageService.getComments service method in EMC Documentum D2 4.1 and 4.2 before 4.2 P16 and 4.5 before P03 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended read-access restrictions via unspecified vectors.

CVE-2015-0548
Published: 2015-07-04
The D2DownloadService.getDownloadUrls service method in EMC Documentum D2 4.1 and 4.2 before 4.2 P16 and 4.5 before P03 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended read-access restrictions via unspecified vectors.

CVE-2015-0551
Published: 2015-07-04
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop 6.7SP1 before P31, 6.7SP2 before P23, and 6.8 before P01; Documentum Administrator 6.7SP1 before P31, 6.7SP2 before P23, 7.0 before P18, 7.1 before P15, and 7.2 before P01; Documentum Digital Assets Manager 6.5SP6 before P2...

CVE-2015-1966
Published: 2015-07-04
Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before FP17, 6.2.1 before FP9, and 6.2.2 before FP15, as used in Security Access Manager for Mobile and other products, allow remote attackers to inject arbitrary web script or HTML via a crafte...

CVE-2015-2964
Published: 2015-07-04
NAMSHI | JOSE 5.0.0 and earlier allows remote attackers to bypass signature verification via crafted tokens in a JSON Web Tokens (JWT) header.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report