Vulnerabilities / Threats
7/28/2009
02:45 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Microsoft Issues Emergency Fixes For IE, Visual Studio

Outside of its normal patch cycle, Microsoft has released two security bulletins to fix critical flaws.

Microsoft on Tuesday released two out-of-band security updates to address critical software vulnerabilities in the Microsoft Active Template Library (ATL).

Vulnerabilities arising from the use of the ATL could be exploited by a remote, unauthenticated attacker to run malicious code on an affected computer.

ATL is a set of C++ classes used to create Microsoft software components such as ActiveX controls. The components may be used by Internet Explorer and may be created using Visual Studio.

That's why one bulletin, MS09-034, deals with vulnerable controls in Internet Explorer and one, MS09-035, deals with vulnerabilities in Visual Studio that allow the creation of flawed software components. Collectively, the two bulletins fix six vulnerabilities.

Microsoft has also released a security advisory to provide more information about the two bulletins and related issues.

Mike Reavey, director of the Microsoft Security Response Center, is urging all users of Visual Studio and Internet Explorer to test and deploy the updates as soon as possible.

"The release outside of Microsoft's normal patch window means that exploits for this vulnerability have been spotted in the wild and IT administrators should treat the fixes as high priority," said Amol Sarwarte, manager of the Vulnerabilities Research Lab at Qualys, in an e-mailed statement.

Users of Windows 7 and Internet Explorer 8 are not affected by the issues in MS09-034.

Christopher Budd, security program manager for the Microsoft Security Response Center, said in a blog post that the only known attack against the vulnerabilities arising from the use of the flawed ATL was resolved by a previous bulletin, MS09-032. While that patch disabled the vulnerable Microsoft Video ActiveX Control, it did not address the underlying problem in the ATL that allowed such software components to be created.

MS09-035 provides an updated copy of the ATL that developers can use without creating more vulnerable components. Budd stresses that not all controls built with vulnerable versions of the ATL will produce insecure components. "This will depend on decisions the developer made when building the control or component," he said.

Microsoft last released out-of-band security updates in October and December, 2008.

There's a big buzz surrounding Government 2.0 -- the revolution that's bringing the principles and value of the Web as a platform to the business of governing. Attend Gov 2.0 Expo Showcase and hear innovators show how this is really happening. At the Washington Convention Center, Sept. 8. Find out more and register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4692
Published: 2015-07-27
The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.

CVE-2015-1840
Published: 2015-07-26
jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space cha...

CVE-2015-1872
Published: 2015-07-26
The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via craft...

CVE-2015-2847
Published: 2015-07-26
Honeywell Tuxedo Touch before 5.2.19.0_VA relies on client-side authentication involving JavaScript, which allows remote attackers to bypass intended access restrictions by removing USERACCT requests from the client-server data stream.

CVE-2015-2848
Published: 2015-07-26
Cross-site request forgery (CSRF) vulnerability in Honeywell Tuxedo Touch before 5.2.19.0_VA allows remote attackers to hijack the authentication of arbitrary users for requests associated with home-automation commands, as demonstrated by a door-unlock command.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!