Microsoft repairs central protection mechanism in Internet Explorer
Microsoft has issued updates for Internet Explorer and Visual Studio "out of band", between the regular monthly patch days, to mend the ActiveX support of Internet Explorer. Additionally, these updates plug another three critical security vulnerabilities in the browser. All versions, including Internet Explorer 8, are affected.
Many extensions to Internet Explorer are implemented as ActiveX controls, but the Active Template Library (ATL), one of the main resources for creating ActiveX controls, contains critical security vulnerabilities. The kill bit is a registry entry designed to prevent Internet Explorer instantiating an ActiveX control that contains known security vulnerabilities. Microsoft has used this mechanism hundreds of times in the past in order to take insecure ActiveX components out of circulation. Unfortunately, it turns out that this blockade can be circumvented, as three researchers intend to demonstrate at the Black Hat security conference today.
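As an added illustration (not part of the original article or of any Microsoft tooling), the following Python sketch audits a registry export for the kill bit described above. It assumes the documented kill-bit location, the `Compatibility Flags` value with bit 0x400 under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`, and it also checks the `Wow6432Node` copy that 32-bit Internet Explorer reads on 64-bit Windows. The CLSIDs and the sample export are constructed placeholders.

```python
import re
KILL_BIT = 0x400  # "Compatibility Flags" bit that tells IE not to instantiate the control
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$", re.I)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def parse_kill_bits(reg_text):
    """Return {clsid: {view: flags}} from a .reg export; view is 'native' or 'wow64'."""
    result, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = (m.group(2).upper(), "wow64" if m.group(1) else "native")
            result.setdefault(current[0], {})[current[1]] = 0  # key exists, flags unknown
        elif line.startswith("["):
            current = None  # an unrelated key: ignore its values
        elif current:
            m = FLAGS_RE.match(line)
            if m:
                result[current[0]][current[1]] = int(m.group(1), 16)
    return result

def audit(reg_text, clsids, views=("native", "wow64")):
    """Map each CLSID to 'blocked', 'partial' (one view unprotected) or 'not blocked'."""
    found = parse_kill_bits(reg_text)
    report = {}
    for clsid in clsids:
        flags = found.get(clsid.upper(), {})
        hits = [bool(flags.get(v, 0) & KILL_BIT) for v in views]
        report[clsid.upper()] = ("blocked" if all(hits)
                                 else "partial" if any(hits) else "not blocked")
    return report

# Constructed sample export; the CLSIDs are placeholders, not real controls.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000020
'''

if __name__ == "__main__":
    for clsid, state in audit(SAMPLE, sorted(parse_kill_bits(SAMPLE))).items():
        print(clsid, state)
```

Files written by `reg export` are UTF-16, so decode them accordingly before passing the text in; on 32-bit Windows pass `views=("native",)`. A "blocked" result only confirms the registry entry is present, which, as the article notes, is not sufficient on its own while the bypass remains unpatched.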
It isn't clear how many ActiveX components are actually affected by this problem, and even the current security advisories don't tell you. It may well be that Microsoft itself doesn't know yet, because besides its own ActiveX controls, third-party controls may also be vulnerable.
So Microsoft is rushing out these two updates to prevent possible disaster. One update for Internet Explorer is a quick fix to block the known ways of exploiting vulnerabilities in the ATL. The MS09-034 update also contains three further patches, each of which plugs a critical security vulnerability.
The real cause of the problem, however, is in the Visual Studio Active Template Library (ATL). This library for developing ActiveX controls contains a number of errors that make it possible to bypass the security mechanisms of Internet Explorer. With MS09-035, Microsoft is issuing an update for Visual Studio that's primarily aimed at developers. After installing it, they may have to recompile their software. The update affects all supported versions of Visual Studio: 7.0, 7.1, 8.0 and 9.0. An MSDN article explains how developers can find out whether their software is actually affected.
The way Microsoft combats the obvious weaknesses in its own rating system is interesting. On the whole, what we have here is an extremely critical problem that exposes ActiveX, a central Windows mechanism, to attack. And yet the update for Visual Studio is only given a medium rating: according to Microsoft's logic, Visual Studio itself is not under threat and users of that development environment aren't running any direct risk. The security advisory for the IE update only casually mentions the new protection against ATL problems, as an additional "defence-in-depth", and doesn't even give it a rating. So the patch gets the highest rating, "critical", because of the three other security vulnerabilities. You have to wonder how Microsoft would have justified the evident urgency if it hadn't had these updates ready.
It would also be interesting to know whether the situation has anything to do with an analysis by Halvar Flake, which Microsoft doesn't so much as mention. The German security expert diagnosed problems in the ATL in early July and said the kill bit gave insufficient protection.
Clearly, all Windows users should install the Internet Explorer update as quickly as possible to prevent their systems from being taken over. Developers of ActiveX controls will have to familiarise themselves with the problems of the ATL as soon as possible and check their controls for possible vulnerabilities.
- MS09-034 Cumulative Security Update for Internet Explorer (972260)
- MS09-035 Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)