Off-Cycle Patches Issued for Visual Studio and IE

Redmond released a security advisory Tuesday concerning its Active Template Library (ATL) technology, accompanied by two out-of-band application patches associated with the vulnerability.

Microsoft ranked the application patches as "moderate" for Visual Studio and "critical" for Internet Explorer. The IE patch contains "defense-in-depth" changes that are related to the Visual Studio bulletin.

Security mavens say such off-cycle security announcements are becoming more the rule than the exception. For instance, Tuesday's rollout marks the second out-of-band patch for IE in less than a year. The last one arrived in December, ahead of a massive security patch release for that month.

IE Patch
Tuesday's critical IE security update is cumulative and affects IE 5.01 and IE 6 Service Pack 1, running on supported editions of Microsoft Windows 2000. It also touches on IE 6, IE 7 and IE 8 sitting on all versions of Windows XP and Vista, as well as Windows Server 2003.

Because it's IE, IT pros should consider applying this patch.

"I'm not sure that I agree with Microsoft's labeling of the IE vulnerabilities as 'critical' and the ATL vulnerabilities as 'moderate,' but this falls back to Microsoft's habitual misuse of 'remote code execution'," said Tyler Reguly, senior security researcher with network security firm nCircle. "However, I'd still suggest patching as soon as possible. IE has such a large presence that it should not go unpatched for long."

Reguly said he questions what the release of the ATL security advisory will mean for other software vendors.

"We also have to wonder if they are now more vulnerable than they were previously," he explained.

What's unique about Microsoft's ATL patch is that it doesn't address specific risks, but just describes the likelihood of attacks. Instead of saying what the vulnerabilities are, Redmond states that holes "may be present in products built using the ATL." The patch is more preemptive in nature, experts say.

Visual Studio Patch
The Visual Studio security update touches on many Microsoft integrated development products in use: Visual Studio .NET 2003, Visual Studio 2005, Microsoft Visual Studio 2008, Microsoft Visual C++ 2005 Redistributable Package and Microsoft Visual C++ 2008 Redistributable Package.

Redmond said this patch is specifically for developers "who build and redistribute components and controls using ATL." The software giant added that developers familiar with the program should install the update and then "distribute to their customers, components and controls that are not vulnerable to the vulnerabilities described in this security bulletin."

The ATL flaw has allowed security fixes to be bypassed, at least in theory, according to Eric Schultze, chief technology officer at Shavlik Technologies.

"Researchers have found that some of the ATL flaws we were talking about earlier allowed them to bypass the killbit on controls that were built with the flawed templates," Schultze said. He counted 175 killbits that Microsoft has thus far released in cumulative killbit patches.

IT Ecosystem
With the Black Hat Security conference in full swing and Microsoft's pronouncement that it wants to collaborate with partners and vendors affected by this issue, the out-of-band patch release is a timely subject of discussion across the whole IT ecosystem.

"The out-of-band release significantly impacts both the MS development community and the IT community," said Don Leatham, senior director of solutions and strategy for Lumension. "Developers need to update any COM and ActiveX elements of their offerings and issue immediate updates, and IT managers should also review any commonly used Web applications in their organizations for use of ActiveX."

For its part, Microsoft said in its advisory statement that it is currently "working to provide guidance and information that ISVs [independent software vendors] can use to determine if their components and controls are affected and what they can do to address them."

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.

Featured

  • person signing a bill at a desk with a faint glow around the document. A tablet and laptop are subtly visible in the background, with soft colors and minimal digital elements

    California Governor Signs AI Content Safeguards into Law

    California Governor Gavin Newsom has officially signed off on a series of landmark artificial intelligence bills, signaling the state’s latest efforts to regulate the burgeoning technology, particularly in response to the misuse of sexually explicit deepfakes. The legislation is aimed at mitigating the risks posed by AI-generated content, as concerns grow over the technology's potential to manipulate images, videos, and voices in ways that could cause significant harm.

  • close-up illustration of a hand signing a legislative document

    California Passes AI Safety Legislation, Awaits Governor's Signature

    California lawmakers have overwhelmingly approved a bill that would impose new restrictions on AI technologies, potentially setting a national precedent for regulating the rapidly evolving field. The legislation, known as S.B. 1047, now heads to Governor Gavin Newsom's desk. He has until the end of September to decide whether to sign it into law.

  • illustration of a VPN network with interconnected nodes and lines forming a minimalist network structure

    Report: Increasing Number of Vulnerabilities in OpenVPN

    OpenVPN, a popular open source virtual private network (VPN) system integrated into millions of routers, firmware, PCs, mobile devices and other smart devices, is leaving users open to a growing list of threats, according to a new report from Microsoft.

  • interconnected cubes and circles arranged in a grid-like structure

    Hugging Face Gradio 5 Offers AI-Powered App Creation and Enhanced Security

    Hugging Face has released version 5 of its Gradio open source platform for building machine learning (ML) applications. The update introduces a suite of features focused on expanding access to AI, including a novel AI-powered app creation tool, enhanced web development capabilities, and bolstered security measures.