Today we released Security Advisory 973882 and with it, two out-of-band security bulletins. These updates are MS09-034 (an Internet Explorer update) and MS09-035 (a Visual Studio update). At this time _for customers who have applied _ MS09-032_ we are not aware of any “in the wild” exploits that leverage the vulnerabilities documented in 973882 and MS09-035_. However, MS09-034 and MS09-035 work together to build further defenses against the known vulnerabilities in ATL.
Why release these security updates out-of-band?
While the vulnerability has been known to Microsoft for some time, additional information regarding these vulnerabilities has been growing over the past few weeks. And with the Black Hat and Def Con security conference getting people together around the same watering hole, natural curiosity means that risk to customers could increase as more information is disclosed. We’ve seen one active attack on an ATL vulnerability targeting the msvidctl.dll control. While all known attacks have been blocked with the release of MS09-032, rather than waiting for more risk and attacks on ATL vulnerabilities, we decided to proactively release these security updates to help protect customers and mitigate the risk in a more controlled manner. We believe the right thing to do is to help protect customers with out-of-band security updates in this unique situation where we anticipate the risk will increase before our next scheduled security update opportunity.
Why release two separate security bulletins?
The two security updates together address separate CVEs but are being addressed out-of-band because they are related. Allow me to explain:
The relevant CVEs warranting the out-of-band release are included in the Visual Studio bulletin (MS09-035) CVE-2009-0901 and CVE-2009-2493 (ATL header and libraries update), and are also discussed in Security Advisory 973882. These are the vulnerabilities in the ATL that could be exposed in various controls and are currently being discussed publicly. However, we’ve also released an Internet Explorer update. This is being released to help protect customers while developers update their controls as defense-in-depth measures in Internet Explorer that help prevent exploitation of all known ATL vulnerabilities discussed above. There are 3 other CVEs in the IE bulletin, but they aren’t related to the ATL issues. They’re included because Internet Explorer updates are cumulative, and separating them out from this release would have delayed the ability to release the defense-in-depth measures.
The bottom line, the CVE’s discussed in the Visual Studio Bulletin (MS09-035) and the ATL issues covered in Security Advisory 973882 create a level of risk which necessitates the out-of-band release.
What are the ATL vulnerabilities?
While there are several vulnerabilities described in Security Advisory 973882 and MS09-035 the vulnerability we think will get the most discussion is one in ATL that allows COM object instantiation despite the killbit security check. As many of our readers remember from our previous killbit-related blog posts, the killbit is a protection mechanism useful for blocking the use of vulnerable controls. Our most recent use of the killbit was to block MSVidCtl.dll from being loaded in Internet Explorer in MS09-032. So the ability to get past this important part of ActiveX security could allow an attacker to again be able to, for example, force MSVidCtl.dll to be loaded in Internet Explorer. Of course, a customer would first need to have another vulnerable control on the system for this security to be bypassed, and with the Internet Explorer update (MS09-034) we’ve blocked known ways for attacks to exploit this issue when customers are browsing the internet.
What do the two updates do?
MS09-035, the Visual Studio security update, provides the updated public ATL. The Visual Studio team released a resource page article with detailed instructions that developers can use to assess whether their controls are vulnerable and what changes to make to help secure their controls.
We have been working with major third party software vendors, helping them understand this problem and get fixes ready for their controls. More information on that can be found in our Microsoft EcoStrat Blog post here.
Also, as previously mentioned, to help protect customers while developers update their controls, we are releasing an Internet Explorer security update (MS09-034). This update includes new defense in depth protects that help mitigate IE loading and instantiating controls that contain the ATL vulnerabilities. Dave Ross wrote more detail about this IE mitigation.
Summary of guidance
Microsoft has released a lot of guidance today. Here is a summary with links:
- MS09-034: Internet Explorer bulletin
- MS09-035: Visual Studio bulletin
- Security Advisory (KB973882)
- Resource article, Active Template Library security update and developers
- SRD blog, ATL vulnerability developer deep dive
- SRD blog, Internet Explorer Mitigations for ATL Data Stream Vulnerabilities
- SRD blog, MSVIDCTL (MS09-032) and the ATL vulnerability
- SRD blog, Overview of the out-of-band release (this blog post)
- SDL blog, ATL, MS09-035 and the SDL
- MSRC blog, Advisory and Bulletins Released
- BlueHat blog, Security researcher perspective
- EcoStrat blog, Threat Complexity Requires New Levels of Collaboration
- Channel 9 video, “Inside the ATL Security Update” developer guidance
Recommendations
First, apply MS09-034, the Internet Explorer security update. This update will help keep you safer from attacks attempting to leverage the ATL vulnerabilities (like the already fixed MSVIDCTL one). Second, if you are a software vendor and ship controls built using the vulnerable ATL headers, please review the Visual Studio team’s guidance to determine whether your control is vulnerable and ship an updated version if needed.
We would be happy to ship a killbit so if you would like on please send your request to secure@microsoft.com.
Finally, send us any questions you have to switech@microsoft.com.
- Jonathan Ness, MSRC Engineering
*Posting is provided “AS IS” with no warranties, and confers no rights.*