News

Off-Cycle Patches Issued for Visual Studio and IE

• By Jabulani Leffall
• 07/30/09

Redmond released a security advisory Tuesday concerning its Active Template Library (ATL) technology, accompanied by two out-of-band application patches associated with the vulnerability.

Microsoft ranked the application patches as "moderate" for Visual Studio and "critical" for Internet Explorer. The IE patch contains "defense-in-depth" changes that are related to the Visual Studio bulletin.

Security mavens say such off-cycle security announcements are becoming more the rule than the exception. For instance, Tuesday's rollout marks the second out-of-band patch for IE in less than a year. The last one arrived in December, ahead of a massive security patch release for that month.

IE Patch
Tuesday's critical IE security update is cumulative and affects IE 5.01 and IE 6 Service Pack 1, running on supported editions of Microsoft Windows 2000. It also touches on IE 6, IE 7 and IE 8 sitting on all versions of Windows XP and Vista, as well as Windows Server 2003.

Because it's IE, IT pros should consider applying this patch.

"I'm not sure that I agree with Microsoft's labeling of the IE vulnerabilities as 'critical' and the ATL vulnerabilities as 'moderate,' but this falls back to Microsoft's habitual misuse of 'remote code execution'," said Tyler Reguly, senior security researcher with network security firm nCircle. "However, I'd still suggest patching as soon as possible. IE has such a large presence that it should not go unpatched for long."

Reguly said he questions what the release of the ATL security advisory will mean for other software vendors.

"We also have to wonder if they are now more vulnerable than they were previously," he explained.

What's unique about Microsoft's ATL patch is that it doesn't address specific risks, but just describes the likelihood of attacks. Instead of saying what the vulnerabilities are, Redmond states that holes "may be present in products built using the ATL." The patch is more preemptive in nature, experts say.

Visual Studio Patch
The Visual Studio security update touches on many Microsoft integrated development products in use: Visual Studio .NET 2003, Visual Studio 2005, Microsoft Visual Studio 2008, Microsoft Visual C++ 2005 Redistributable Package and Microsoft Visual C++ 2008 Redistributable Package.

Redmond said this patch is specifically for developers "who build and redistribute components and controls using ATL." The software giant added that developers familiar with the program should install the update and then "distribute to their customers, components and controls that are not vulnerable to the vulnerabilities described in this security bulletin."

The ATL flaw has allowed security fixes to be bypassed, at least in theory, according to Eric Schultze, chief technology officer at Shavlik Technologies.

"Researchers have found that some of the ATL flaws we were talking about earlier allowed them to bypass the killbit on controls that were built with the flawed templates," Schultze said. He counted 175 killbits that Microsoft has thus far released in cumulative killbit patches.

IT Ecosystem
With the Black Hat Security conference in full swing and Microsoft's pronouncement that it wants to collaborate with partners and vendors affected by this issue, the out-of-band patch release is a timely subject of discussion across the whole IT ecosystem.

"The out-of-band release significantly impacts both the MS development community and the IT community," said Don Leatham, senior director of solutions and strategy for Lumension. "Developers need to update any COM and ActiveX elements of their offerings and issue immediate updates, and IT managers should also review any commonly used Web applications in their organizations for use of ActiveX."

For its part, Microsoft said in its advisory statement that it is currently "working to provide guidance and information that ISVs [independent software vendors] can use to determine if their components and controls are affected and what they can do to address them."