Adobe and Cisco extensions vulnerable to Microsoft's ATL problems
Microsoft's ATL problem is spreading. Many other software vendors are affected, among them Adobe and Cisco. The total number of vendors with vulnerable controls is currently unclear. In an interview with heise Security, Microsoft executive Andrew Cushman confirmed that it is not known how many ActiveX controls are affected. Cushman said this is the first time a Microsoft library has been affected by a security problem. According to the executive, Redmond appreciates that this patch not only affects corporate IT teams, but also requires action from software developers.
Cushman said that major developers of ActiveX controls, such as Adobe and Sun, received early information so at least their controls can be made safe. Adobe has confirmed that both the Flash and the Shockwave player use Microsoft's Active Template Library which has been patched. However, Adobe emphasise that it is only the ActiveX controls that are vulnerable, not the extensions for Firefox and other browsers. Adobe has already released a new version of the Shockwave player to fix the problem. The patch for the Flash player is to be integrated in the update scheduled for the 30th July to close a 0 day hole that is already actively being exploited.
Microsoft is unaware of whether Google is also affected by vulnerable controls, as Google has not issued a statement. Microsoft advises all software developers to scrutinise all their ActiveX controls for the current vulnerability and recompile them with the patched template if required. Those wishing to perform a quick check to establish whether a control is vulnerable can run a free online test provided by Verizon Business. The tool processes the compiled controls and returns a message stating whether the software is vulnerable. However, Verizon Business points out that the test may produce both false positives and false negatives, and that manual inspection of the source code remains the only definitive way of identifying vulnerabilities.
The Active Template Library is part of the Visual Studio development environment and is designed to simplify the development of ActiveX controls. The flawed segments are introduced when translating the extension, making the extension vulnerable as a result.
- Security advisory for Adobe Flash Player, Adobe advisory.
- Security Update available for Shockwave Player, Adobe update.
- Active Template Library (ATL) Vulnerability, Cisco advisory.
- Microsoft repairs central protection mechanism in Internet Explorer, a report from The H.