Another out-of-band Internet Explorer patch
Posted on July 26th, 2009 at 04:53 (6 comments)
Microsoft just announced that it has two out-of-band patches coming this Tuesday.
One of them is for Internet Explorer 6, 7 and 8. The security hole is described in depth by Halvar Flake. Basically, there’s a hole a mile wide in the Windows Active Template Library, a library of functions that were developed for ActiveX. Apparently even simple VBScript programs can get at the hole. And since it’s in a freely distributable library, you may have received the buggy programs as part of a third party application.
Microsoft’s description of the bug says that it affects IE in Windows 2000, XP, Vista, Server 2003 and some versions of Server 2008. It doesn’t say squat about Windows 7.
The second hole is in Visual Studio, and apparently it’s directly related to this hole in IE.
The irony of it all is that this month’s Black Tuesday IE patch, MS09-032, was supposed to fix this hole, but it doesn’t. And it took Microsoft about a year to issue the fix in MS09-032. At least that’s what Halvar and cohorts say. I’m still stumbling on the fact that MS09-032 was supposed to be a killbit rollup: Microsoft’s docs don’t say anything about fixing a year-old security hole in the ATL.
Why is this being distributed as an out-of-band patch? Microsoft says there are no currently known exploits. And it looks like it took them a year to fix the original problem. Perhaps the spinmeisters want to minimize embarrassment at next week’s Black Hat conference in Las Vegas…
6 responses to “Another out-of-band Internet Explorer patch”
-
Does this hole affect me on windows XP even if I never use IE?
-
Yuhong Bao July 28th, 2009 at 06:04
“Why is this being distributed as an out-of-band patch? Microsoft says there are no currently known exploits.”
Because this ATL security hole is the source of the recent MS Video ActiveX control security hole. And so the exploit for the recent MS Video ActiveX control security hole basically is an exploit for the ATL security hole. Get it now?
Also, I’d generally recommend that your readers read the advisory and update any old ActiveX controls killed by the kill-bit patch to prevent them from being broken.
-
Yuhong Bao July 29th, 2009 at 00:54
“Because this ATL security hole is the source of the recent MS Video ActiveX control security hole. And so the exploit for the recent MS Video ActiveX control security hole basically is an exploit for the ATL security hole. Get it now?”
Actually that isn’t exactly true, see this article:
http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx
-
rc primak July 30th, 2009 at 05:01
If you read the SANS Report on this vulnerability, it turns out that the ATL flaw is much deeper. One News Report at Infoworld.com attributes the whole mess to an Active X Control which had a typo involving one extra “&” in the code. This means that a wide range of Microsoft and non-Microsoft software may be affected. Microsoft is still assessing the extent of the vulnerabilities. It is not limited to IE, nor even to Windows and other Microsoft products.
I expect to see a lot of patches from quite a few vendors in the next few weeks to patch this flaw. Anyway, that’s my impression as an IT non-professional.
-
Users should also patch Adobe Flash Player for IE and Firefox as mentioned on this Adobe security advisory:
http://www.adobe.com/support/security/advisories/apsa09-04.html
This Adobe security bulletin also mentions installing the MS09-034 patch for Internet Explorer. So patching IE is only half the battle won. Patching Adobe Flash Player completes the other half.
-
Quite true – and the Flash update should be offered the next time you use Flash.
As always, I recommend people use a third-party scanner and update tool like Secunia PSI.


