Microsoft released two emergency, out-of-band updates Tuesday, addressing flaws in the Active Template Library that affect Internet Explorer and Visual Studio.
To get security news and tips delivered to your inbox,
The update to Internet Explorer also addresses issues being identified in a presentation at the 2009 Black Hat USA conference Wednesday. Researchers plan to demonstrate how to bypass killbits that were set to protect a machine against unsafe ActiveX controls, according to a report Monday by IDG's Robert McMillan. Researchers Mark Dowd, Ryan Smith and David Dewey will show a way of bypassing ActiveX control killbits in their presentation, "The Language of Trust: Exploiting Trust Relationships in Active Content."
The Internet Explorer update blocks vulnerabilities in controls that have been developed using versions of the ATL. MS09-034 is rated critical and affects all versions of IE. The update also repairs three memory corruption vulnerabilities that leave IE vulnerable to any malicious ActiveX in the wild. The flaws could be exploited by an attacker to take complete control of an affected system, Microsoft said.
"Customers who are currently up to date on their security updates are protected from known attacks related to this out-of-band release," Mike Reavey, director of the Microsoft Security Response Center said in a statement.
The holes in Visual Studio could be potentially serious since the tool is used by developers and independent software vendors to build components used in Windows. MS09-035 addresses three flaws in the Active Template Library of Visual Studio that would enable developers to build vulnerable applications.
"To ensure customers are protected as quickly as possible, Microsoft is working to identify all vulnerable Microsoft-authored controls and components and will provide additional updates," Reavey said.
The ATL contains an uninitialized object vulnerability, a COM initialization vulnerability and a Null String vulnerability. The flaws can be exploited in drive-by attacks. An attacker can exploit the flaws in applications built using Visual Studio by setting up a malicious Web page.
"Patching urgently against this is recommended," said John Harrison, group product manager of Symantec Security Response. "One of aspects is you just don't know how pervasive a library may be and we've found previously that issues can show up in a variety of different software packages."
Technically some of the programs built inside of Visual Studio could be potentially vulnerable as well, said Jason Miller, the security data team manager at patch management vendor Shavlik Technologies LLC. Patching could be an issue for firms that have been building applications using Visual Studio, Miller said.
"It could be considered critical for companies out there using Visual Studio," Miller said. "If you are talking about a roll-out, this could take some time. They would have to repackage some of their DLLs if they determine they would be vulnerable by having their DLLs built by this product."