Off-Cycle Patches Issued for Visual Studio and IE

Redmond released a security advisory Tuesday concerning its Active Template Library (ATL) technology, accompanied by two out-of-band application patches associated with the vulnerability.

Microsoft ranked the application patches as "moderate" for Visual Studio and "critical" for Internet Explorer. The IE patch contains "defense-in-depth" changes that are related to the Visual Studio bulletin.

Security mavens say such off-cycle security announcements are becoming more the rule than the exception. For instance, Tuesday's rollout marks the second out-of-band patch for IE in less than a year. The last one arrived in December, ahead of a massive security patch release for that month.

IE Patch
Tuesday's critical IE security update is cumulative and affects IE 5.01 and IE 6 Service Pack 1, running on supported editions of Microsoft Windows 2000. It also touches on IE 6, IE 7 and IE 8 sitting on all versions of Windows XP and Vista, as well as Windows Server 2003.

Because it's IE, IT pros should consider applying this patch.

"I'm not sure that I agree with Microsoft's labeling of the IE vulnerabilities as 'critical' and the ATL vulnerabilities as 'moderate,' but this falls back to Microsoft's habitual misuse of 'remote code execution'," said Tyler Reguly, senior security researcher with network security firm nCircle. "However, I'd still suggest patching as soon as possible. IE has such a large presence that it should not go unpatched for long."

Reguly said he questions what the release of the ATL security advisory will mean for other software vendors.

"We also have to wonder if they are now more vulnerable than they were previously," he explained.

What's unique about Microsoft's ATL patch is that it doesn't address specific risks, but just describes the likelihood of attacks. Instead of saying what the vulnerabilities are, Redmond states that holes "may be present in products built using the ATL." The patch is more preemptive in nature, experts say.

Visual Studio Patch
The Visual Studio security update touches on many Microsoft integrated development products in use: Visual Studio .NET 2003, Visual Studio 2005, Microsoft Visual Studio 2008, Microsoft Visual C++ 2005 Redistributable Package and Microsoft Visual C++ 2008 Redistributable Package.

Redmond said this patch is specifically for developers "who build and redistribute components and controls using ATL." The software giant added that developers familiar with the program should install the update and then "distribute to their customers, components and controls that are not vulnerable to the vulnerabilities described in this security bulletin."

The ATL flaw has allowed security fixes to be bypassed, at least in theory, according to Eric Schultze, chief technology officer at Shavlik Technologies.

"Researchers have found that some of the ATL flaws we were talking about earlier allowed them to bypass the killbit on controls that were built with the flawed templates," Schultze said. He counted 175 killbits that Microsoft has thus far released in cumulative killbit patches.

IT Ecosystem
With the Black Hat Security conference in full swing and Microsoft's pronouncement that it wants to collaborate with partners and vendors affected by this issue, the out-of-band patch release is a timely subject of discussion across the whole IT ecosystem.

"The out-of-band release significantly impacts both the MS development community and the IT community," said Don Leatham, senior director of solutions and strategy for Lumension. "Developers need to update any COM and ActiveX elements of their offerings and issue immediate updates, and IT managers should also review any commonly used Web applications in their organizations for use of ActiveX."

For its part, Microsoft said in its advisory statement that it is currently "working to provide guidance and information that ISVs [independent software vendors] can use to determine if their components and controls are affected and what they can do to address them."

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.
