
InSecurity Complex

July 28, 2009 11:04 AM PDT

Microsoft offers patches to ward off ActiveX attacks

by Elinor Mills

Microsoft released an emergency patch on Tuesday to protect Internet Explorer users from a hole in technology used to build ActiveX controls and other Web application components that has been targeted in attacks.

A critical patch for all versions of IE will protect consumers, while a security update for Visual Studio will help developers fix the controls and components they built that could be affected.

Microsoft also has had discussions with Adobe, Sun, and Google about some components involving their software that are affected, said Mike Reavey, director of the Microsoft Security Response Center. He declined to elaborate.

Internet Explorer users running Flash Player and Shockwave Player are vulnerable, Adobe said in a blog post that contains links to the Adobe security bulletins for those products.

A Google representative said the company has been working with Microsoft on the issues but declined to comment further. And a Sun representative did not respond to a call seeking comment.

Cisco will release free software updates for any of its software that is affected by the vulnerability and is making available workarounds that mitigate the issue, the company said in a detailed advisory.

The company released two security updates that deal with a vulnerability in Microsoft's Active Template Library, which is used to build components for Web applications and which could be targeted to take control of computers of Web surfers visiting sites hosting malicious code.

The critical update, MS09-034, is targeted at IE users and the other, MS09-035, is targeted at Visual Studio developers and is rated moderate. It affects Visual Studio 2005 and 2008.

"A library can get used in a lot of places, and vulnerabilities in libraries are challenging," Reavey said. "It's an industry-wide problem when (vulnerabilities) do happen."

"The vulnerability is in the controls, not IE; however, to provide protections while developers update the controls, IE (versions that are patched will block attacks)," he said.

The company warned on Friday that a security update would come on Tuesday instead of waiting for the next Patch Tuesday cycle on August 11. This is only the ninth out-of-band release Microsoft has had, according to Reavey.

Microsoft first warned about the ActiveX issue on July 6, saying a vulnerability in its Video ActiveX Control could allow an attacker to take control of a PC if the user visits a malicious Web site and attackers were exploiting the hole. The company offered a workaround for the issue.

During the July Patch Tuesday release the following week, Microsoft still did not have a patch ready and was recommending a manual "kill bit" method to disable ActiveX, or sending customers to a "Fix it for me" Web site.
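The kill bit mentioned above is a per-control registry setting: bit 0x400 of the "Compatibility Flags" DWORD under the ActiveX Compatibility key for the control's CLSID tells Internet Explorer never to instantiate that control. As an added example, not code from the article or from Microsoft, the PowerShell below reports whether the kill bit is set for a given CLSID (checking the Wow6432Node hive as well, so 32-bit IE on 64-bit Windows is covered) and can set it while preserving any other flags already present. The CLSID shown is a placeholder; the article does not give the one for the affected control, so take it from the vendor advisory.

```powershell
# Added example (not from the article or from Microsoft): inspect or set the IE
# "kill bit" for an ActiveX control. The kill bit is bit 0x400 of the DWORD
# "Compatibility Flags" under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# On 64-bit Windows, 32-bit IE reads the same path under SOFTWARE\Wow6432Node,
# so both locations are handled when that node exists. Setting requires admin.

$KillBitFlag = 0x400

function Get-KillBitKeys {
    # Registry paths that apply on this machine for the given CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    $keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    $keys
}

function Get-CompatibilityFlags {
    # Current "Compatibility Flags" value for a key, or 0 if the key/value is absent.
    param([Parameter(Mandatory)][string]$Key)
    if (-not (Test-Path $Key)) { return 0 }
    $prop = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($prop) { return [int]$prop.'Compatibility Flags' }
    return 0
}

function Test-KillBit {
    # Prints the per-hive state and returns $true only if every applicable hive has the bit set.
    param([Parameter(Mandatory)][string]$Clsid)
    $results = foreach ($key in Get-KillBitKeys $Clsid) {
        $flags = Get-CompatibilityFlags $key
        [pscustomobject]@{
            Key     = $key
            Flags   = ('0x{0:X}' -f $flags)
            KillBit = (($flags -band $KillBitFlag) -ne 0)
        }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    return -not ($results | Where-Object { -not $_.KillBit })
}

function Set-KillBit {
    # Sets the kill bit in every applicable hive, keeping other flag bits intact.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($key in Get-KillBitKeys $Clsid) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $flags = Get-CompatibilityFlags $key
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ($flags -bor $KillBitFlag) -Force | Out-Null
    }
}

# Placeholder CLSID (constructed); replace with the CLSID named in the vendor advisory.
$clsid = '{00000000-0000-0000-0000-000000000000}'

if (-not (Test-KillBit $clsid)) {
    Set-KillBit $clsid
    Test-KillBit $clsid | Out-Null
}
```

Test-KillBit is the part worth keeping in an audit script: it confirms the workaround is actually in place on a given machine. Note that, as the article goes on to say, the kill bit was itself bypassed for this issue, so the check verifies configuration only; the vendor patches are the fix.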

However, researchers figured out a way to get around the kill bit protection mechanism, thus rendering it ineffective and exposing the system to attack, said Eric Schultze, chief technology officer at Shavlik Technologies.

"Some security researchers found that they were able to bypass the kill bit function and still execute certain controls," he said in a statement on Tuesday. "A presentation on how this is done is slated for tomorrow afternoon at the Black Hat Conference" in Las Vegas.

"We were aware of limited attacks on the Microsoft kill bit control where the underlying issue was this vulnerability. As a result of those attacks we released the bulletin to protect customers...but that created chatter," Reavey said. "We saw more details released and we had these updates ready so we released them now instead of waiting for (attacks) to get worse."

The IE patch also resolves three privately reported vulnerabilities that could allow remote code execution if a user views a specially crafted Web page using the browser.

Tyler Reguly, senior security researcher for nCircle, criticized Microsoft for not fixing the underlying issue with a proper patch and said the update could put other software vendors at risk. "Although Microsoft has protected against the kill bit bypass and has patched the public ATL vulnerabilities, there has been no mention or reference to fixing the issue in msvidctl.dll itself," he wrote in a statement. "One has to question what the release of the ATL patch means for other software vendors," he added. "We also have to wonder if they are now more vulnerable than they were previously. They now have to obtain this patch and recompile and release their tools. This means until that process can occur, malicious individuals can reverse the patches to pinpoint each of the vulnerabilities and target third-party software. It's a race to see who will get there first, and the vendors didn't get a head start."

In response, a Microsoft representative provided this comment: "As part of our overall response to the ATL issue, we are continuing our investigation for Microsoft components and controls that may be affected by the ATL issue and will update customers as appropriate throughout the process." More information about the vulnerabilities and fixes is in this advisory. Microsoft also scheduled a Webcast at 1 p.m. PDT on Tuesday to answer customer questions.

Updated at 5:53 p.m. PDT with Adobe and Cisco information, Microsoft response to nCircle; and at 11:52 a.m. and 1:20 p.m. with reaction, more background, and a comment from Google.

July 14, 2009 11:38 AM PDT

Microsoft plugs critical DirectShow, Video ActiveX holes

by Elinor Mills

Microsoft on Tuesday issued patches to fix critical vulnerabilities in DirectShow and Video ActiveX that have been targeted in attacks, as well as fixes for holes in Embedded OpenType Font Engine and Microsoft Publisher that could allow someone to remotely take control of the PC.

Overall, the six "Patch Tuesday" updates fix nine vulnerabilities in Windows, Microsoft Office, Internet Security and Acceleration Server, Virtual PC, and Virtual Server.

The three DirectShow vulnerabilities could allow an attacker to remotely run code on the machine if a user opened a specially crafted QuickTime file. Microsoft warned of exploits against one of the holes in May.

The fix for the ActiveX control addresses a vulnerability that could allow remote code execution if someone viewed a malicious Web page via Internet Explorer using the ActiveX control. Microsoft offered a workaround for the hole last week.

Affected software for the critical updates is Windows 2000, Windows XP, Windows Vista, and Windows Server 2003 and 2008. The versions of DirectX affected are DirectX 7.0, 8.1, and 9.0.

The noncritical updates, rated "important," affect 2007 Microsoft Office System Service Pack 1, Microsoft Internet Security and Acceleration Server 2006, Microsoft Virtual PC 2004 and 2007, and Microsoft Virtual Server 2005 R2.

In addition, Microsoft updated its Malicious Software Removal Tool to remove the Win32/FakeSpypro rogue security program designed to trick people into paying for alleged security software they don't need.

Meanwhile, a comprehensive update for the Office Web Components vulnerability affecting Excel, which the company said on Monday was being exploited in attacks, was not yet ready for broad distribution, according to Microsoft. The company is urging customers to apply the automatic "Fix It" workaround, provided in Knowledge Base Article 973472.


About InSecurity Complex

Elinor Mills became fascinated with hacker culture when she was sent to Las Vegas to cover DefCon in 1995. Since then, script kiddies have given way to cyber criminals targeting bank passwords, and privacy risks are everywhere, from Google to Facebook and the iPhone. InSecurity Complex keeps tabs on the flaws, the foibles, and the fixes.
