Off-Cycle Patches Issued for Visual Studio and IE

Redmond released a security advisory Tuesday concerning its Active Template Library (ATL) technology, accompanied by two out-of-band application patches associated with the vulnerability.

Microsoft ranked the application patches as "moderate" for Visual Studio and "critical" for Internet Explorer. The IE patch contains "defense-in-depth" changes that are related to the Visual Studio bulletin.

Security mavens say such off-cycle security announcements are becoming more the rule than the exception. For instance, Tuesday's rollout marks the second out-of-band patch for IE in less than a year. The last one arrived in December, ahead of a massive security patch release for that month.

IE Patch
Tuesday's critical IE security update is cumulative and affects IE 5.01 and IE 6 Service Pack 1, running on supported editions of Microsoft Windows 2000. It also touches on IE 6, IE 7 and IE 8 sitting on all versions of Windows XP and Vista, as well as Windows Server 2003.

Because it's IE, IT pros should consider applying this patch.

"I'm not sure that I agree with Microsoft's labeling of the IE vulnerabilities as 'critical' and the ATL vulnerabilities as 'moderate,' but this falls back to Microsoft's habitual misuse of 'remote code execution'," said Tyler Reguly, senior security researcher with network security firm nCircle. "However, I'd still suggest patching as soon as possible. IE has such a large presence that it should not go unpatched for long."

Reguly said he questions what the release of the ATL security advisory will mean for other software vendors.

"We also have to wonder if they are now more vulnerable than they were previously," he explained.

What's unique about Microsoft's ATL patch is that it doesn't address specific risks, but just describes the likelihood of attacks. Instead of saying what the vulnerabilities are, Redmond states that holes "may be present in products built using the ATL." The patch is more preemptive in nature, experts say.

Visual Studio Patch
The Visual Studio security update touches on many Microsoft integrated development products in use: Visual Studio .NET 2003, Visual Studio 2005, Microsoft Visual Studio 2008, Microsoft Visual C++ 2005 Redistributable Package and Microsoft Visual C++ 2008 Redistributable Package.

Redmond said this patch is specifically for developers "who build and redistribute components and controls using ATL." The software giant added that developers familiar with the program should install the update and then "distribute to their customers, components and controls that are not vulnerable to the vulnerabilities described in this security bulletin."

The ATL flaw has allowed security fixes to be bypassed, at least in theory, according to Eric Schultze, chief technology officer at Shavlik Technologies.

"Researchers have found that some of the ATL flaws we were talking about earlier allowed them to bypass the killbit on controls that were built with the flawed templates," Schultze said. He counted 175 killbits that Microsoft has thus far released in cumulative killbit patches.

IT Ecosystem
With the Black Hat Security conference in full swing and Microsoft's pronouncement that it wants to collaborate with partners and vendors affected by this issue, the out-of-band patch release is a timely subject of discussion across the whole IT ecosystem.

"The out-of-band release significantly impacts both the MS development community and the IT community," said Don Leatham, senior director of solutions and strategy for Lumension. "Developers need to update any COM and ActiveX elements of their offerings and issue immediate updates, and IT managers should also review any commonly used Web applications in their organizations for use of ActiveX."

For its part, Microsoft said in its advisory statement that it is currently "working to provide guidance and information that ISVs [independent software vendors] can use to determine if their components and controls are affected and what they can do to address them."

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.
