Microsoft on Tuesday released two out-of-cycle patches to fix vulnerabilities found in Active Template Library, a set of software developer tools used in the creation of COM and ActiveX modules. ActiveX modules are commonly used in Microsoft Internet Explorer and are traditional targets for hackers.

Existing zero-day vulnerabilities are being exploited and are the main reason Microsoft released these unexpected patches, according to Don Leatham, senior director of solutions and strategy for Lumension. The critical-rated MS09-034 and moderate-rated MS09 patches aim to plug the holes.

"This pair of patches is part of what Microsoft is calling a 'defense in depth strategy,' which essentially boils down to a patch to stop exploits actively attacking Microsoft IE and a patch that fixes the development tools that can produce compromised code," Leatham said. "Microsoft is asking the development community to quickly update their tools and reissue any COM, OLE or ActiveX components that may be affected."

More Vulnerable than Ever?

Although Microsoft has protected against the kill-bit bypass and patched the public ATL vulnerabilities, there has been no mention or reference to fixing the issue in msvidctl.dll itself, according to Tyler Reguly, a senior security researcher with nCircle. Microsoft has stated that MS09-034 will "help protect against exploitation," but the company has not officially stated that a proper patch is available or will be made available.

"One has to question what the release of the ATL patch (MS09-035) means for other software vendors. We also have to wonder if they are now more vulnerable than they were previously. They now have to obtain this patch and recompile and release their tools," Reguly said. "This means until that process can occur, malicious individuals can reverse the patches to pinpoint each of the vulnerabilities and target third-party software. It's a race to see who will get there first, and the vendors didn't get a head start."
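The kill bit that Reguly refers to is a per-control registry flag that tells Internet Explorer not to instantiate a given ActiveX control, and the whole point of the bypass is that the flag alone is not proof that a system is protected. The following PowerShell script is an added example, not code from the article or from any of the vendors quoted in it; it audits whether the kill bit is set for a list of CLSIDs and reports the raw flags so an administrator can see what was actually applied. The CLSID values in it are placeholders and must be replaced with the identifiers from the advisory being acted on.

```powershell
# Added example (not from the article): audit ActiveX kill bits for a list of CLSIDs.
# A kill bit is the 0x400 flag in the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# On 64-bit Windows the 32-bit browser reads the Wow6432Node copy, so both are checked.

$KillBit   = 0x400
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {
    param([Parameter(Mandatory)][string[]]$Clsid)

    foreach ($id in $Clsid) {
        foreach ($base in $BasePaths) {
            # Skip registry views that do not exist on this machine (e.g. no Wow6432Node on 32-bit).
            if (-not (Test-Path $base)) { continue }

            $key   = Join-Path $base $id
            $flags = $null
            if (Test-Path $key) {
                $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                          -ErrorAction SilentlyContinue).'Compatibility Flags'
            }

            [pscustomobject]@{
                CLSID     = $id
                View      = if ($base -like '*Wow6432Node*') { '32-bit' } else { 'native' }
                KeyExists = Test-Path $key
                Flags     = if ($null -ne $flags) { '0x{0:X}' -f [int]$flags } else { $null }
                # True only when the value exists and the 0x400 bit is set in it.
                KillBit   = ($null -ne $flags) -and ((([int]$flags) -band $KillBit) -eq $KillBit)
            }
        }
    }
}

# Placeholder CLSIDs (constructed for this example): replace with the values from the advisory.
$ToCheck = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

Get-KillBitStatus -Clsid $ToCheck | Format-Table -AutoSize
```

A `KillBit` of `True` confirms that the mitigation is in place for that control, nothing more; as the article explains, a kill bit can be bypassed when the underlying component is still vulnerable. Pair this check with `Get-HotFix -Id <KB number of the update>` (placeholder; the article does not give the KB numbers) to confirm that the code fix itself was installed, rather than treating the registry flag as the patch.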

How Serious is the Threat?

The threat for IE users is significant. A user browsing the Internet with a vulnerable version of Internet Explorer can get his or her PC taken over simply by looking at a Web site with malicious tables or ATL objects.

"To increase their reach, attackers have been using Web application vulnerabilities to put these types of exploits on common, non-malicious sites that end users would not suspect. Once a system is infected, the attacker can add it to their botnet or use it to attack other machines inside the network where the system is hosted," said Amol Sarwate, manager of the Qualys Vulnerabilities Research Lab.

"This second mode of use of an infected computer is increasingly common and can lead to indirect exploitation of systems within corporate networks that do not even have external connectivity or a browser installed."

The Problem with Placebo Patches

Reguly advises IE users to install MS09-034 as soon as possible.

"I'm glad to see that Microsoft rushed out protection against the ActiveX kill-bit bypass. I've been vocal in the past about my concern over 'placebo patches' (MS09-032, for example), and this bypass proved that my concern was well placed," Reguly said. "My only hope is that Microsoft won't see the fixing of this bypass as a valid excuse to continue to publish these 'placebo patches.' With luck, hopefully this means they will always take the response of issuing a proper patch."