Top Tech News HOME LATEST NEWS NEWSLETTERS SEARCH Search
  LATEST NEWS FOR THURSDAY FEBRUARY 23

Close Search Box
Top Tech News
NETWORK SECURITY
Out-of-Cycle Patches May Make IE Vulnerabilities Worse
Posted July 29, 2009
Out-of-Cycle Patches May Make IE Vulnerabilities Worse
Next Story
EARLIER
The Ongoing Vigil To Keep Data Secure
THIS STORY
Out-of-Cycle Patches May Make IE Vulnerabilities Worse
Next Story
LATER
Clampi Worm Puts Online Financial Transactions at Risk
YOU ARE HERE:   HOME arrow NETWORK SECURITY arrow THIS STORY
NEWS OPS

By Jennifer LeClaire. Updated July 29, 2009 10:41AM

SHARE

ALSO SEE

Microsoft on Tuesday released two out-of-cycle patches to fix vulnerabilities found in Active Template Library, a set of software developer tools used in the creation of COM and ActiveX modules. ActiveX modules are commonly used in Microsoft Internet Explorer and are traditional targets for hackers.

Existing zero-day vulnerabilities are being exploited and are the main reason Microsoft released these unexpected patches, according to Don Leatham, senior director of solutions and strategy for Lumension. The critical-rated MS09-034 and moderate-rated MS09 patches aim to plug the holes.

"This pair of patches are part of what Microsoft is calling a 'defense in depth strategy,' which essentially boils down to a patch to stop exploits actively attacking Microsoft IE and a patch that fixes the development tools that can produce compromised code," Leatham said. "Microsoft is asking the development community to quickly update their tools and reissue any COM, OLE or ActiveX components that may be affected."

More Vulnerable than Ever?

Although Microsoft has protected against the kill-bit bypass and patched the public ATL vulnerabilities, there has been no mention or reference to fixing the issue in msvidctl.dll itself, according to Tyler Reguly, a senior security researcher with nCircle. Microsoft has stated that MS09-034 will "help protect against exploitation," but the company has not officially stated that a proper patch is available or will be made available.

"One has to question what the release of the ATL patch (MS09-035) means for other software vendors. We also have to wonder if they are now more vulnerable than they were previously. They now have to obtain this patch and recompile and release their tools," Reguly said. "This means until that process can occur, malicious individuals can reverse the patches to pinpoint each of the vulnerabilities and target third-party software. It's a race to see who will get there first, and the vendors didn't get a head start."

How Serious is the Threat?

The threat for IE users is significant. A user browsing the Internet with a vulnerable version of Internet Explorer can get his or her PC taken over simply by looking at a Web site with malicious tables or ATL objects.

"To increase their reach, attackers have been using Web application vulnerabilities to put these type of exploits on common, non-malicious sites that end users would not suspect. Once infected, the attacker can add the system to their botnet or use it to attack other machines inside the network where the system is hosted," said Amol Sarwarte, manager of the Qualys Vulnerabilities Research Lab.

"This second mode of use of an infected computer is increasingly common and can lead to indirect exploitation of systems within corporate networks that do not even have external connectivity or a browser installed."

The Problem with Placebo Patches

Reguly advises IE users to install MS09-034 as soon as possible and is glad to see that Microsoft rushed out protection against the ActiveX kill-bit bypass.

"I'm glad to see that Microsoft rushed out protection against the ActiveX kill-bit bypass. I've been vocal in the past about my concern over 'placebo patches' (MS09-032, for example), and this bypass proved that my concern was well placed," Reguly said. "My only hope is that Microsoft won't see the fixing of this bypass as a valid excuse to continue to publish these 'placebo patches.' With luck, hopefully this means they will always take the response of issuing a proper patch."

Tell Us What You Think
Comment:

Name:

MORE IN NETWORK SECURITY

Next Article >

NETWORK SECURITY SPOTLIGHT
This Spotlight
Is Brought to You By:

INSIDE TOP TECH NEWS NETWORK SITES SERVICES BENEFITS