Hosts: Christopher Budd, Security Program Manager Jonathan Ness, Security Development Lead Website: TechNet/security Chat Topic: July 2009 OOB Security Bulletin
Date: Tuesday, July 28, 2009**
Q: After applying MS09-035 will end users see any changes to their user interface that would be unusual or different to normal when working with ActiveX controls in Internet Explorer? For example, unusual dialog boxes?
A: No, users should see no change in their standard interface.
Q: Sophos claims there are Proof of Concept (PoC) code samples. Are there any malware in the wild yet?
A: We are aware of active attacks on the msvidctl ActiveX component (see MS09-032). We are aware of a demonstration video available. However, we have seen no full PoC regarding the issues we released today.
Q: Are any of these vulnerabilities being actively exploited in the wild?
A: We are not aware of any active attacks on the two bulletins released today with the exception of those already discussed in relation to the msvidctl ActiveX component (see MS09-032).
Q: If ActiveX controls are not enabled in Internet Explorer are you still vulnerable?
A: Disabling ActiveX controls will mitigate the issues discussed in MS09-035. See Security Advisory 973882 for a full list of mitigations and workarounds. If ActiveX controls are disabled, then there is no risk to our customers.
Q: Are the patches for Internet Explorer needed if we have no applicable Visual Studio clients?
A: Yes. While MS09-034 and MS09-035 share an underlying issue, they relate to different aspects of it. Also the Internet Explorer update contains fixes for additional, unrelated items.
Q: If we install the 2003 or 2005 VC++ redistributable on all machines, but not the associated hotfix for the IDE, will that break anything for the developers with the IDE?
A: No, installing the redistributable updates will only make the update available to runtime use and not design time. This means that the developer will still be using an unpatched version of ATL even though the runtime experience is patched
Q: There has been a lot of speculation dubbing this Conficker 2.0. How does this exploit compare to Conficker?
A: This has no relationship to Conficker in any way.
Q: Why does this update not replace MS09-032?
A: MS09-032 is specific to msvidctl, the OOB update takes care of the other issues in ATL vulnerabilities. Furthermore, the msvidctl was using a private version of the ATL which was not publicly available.
Q: Is there an easy way to identify Internet Explorer ActiveX Controls that use the defective ATL?
A: All ATL versions except VS 2010 Beta are affected. Please refer to the SRD blog for developer deep dive and Visual Studio’s KB for steps to tell whether your ActiveX control is indeed affected or not.
Q: What was the name of the exploited control again?
A: We are aware of exploits on msvidctl (addressed in MS09-032), but many controls can be affected by this issue. We are not aware of any further exploits.
Q: This is specific to the Visual Studio patch. After the patch is installed (IDE update or C++ runtime updates), is the old version, which still has the vulnerability, be installed on the workstation? Or will it be replaced?
A: We recommend that you apply both the runtime and design-time patches for a developer machine running Visual studio. If you install both then the old bits will be replaced, if you install one or the other of the run/design-time updates then the other patch will not be applied and affected components will still be the old versions
Q: How do can we test for ActiveX controls that may be affected. We whitelist our controls so we are not sure what to test for?
A: As part of the iCasi partnership (which Microsoft is a member) Verizon Business is providing a no charge scanning service so customers can test controls, further information can be found here http://codetest.verizonbusiness.com/
Q: If a developer has a control that is vulnerable and does not recompile the control and someone who is using Internet Explorer has MS09-034 installed, will they be blocked from using the control in general or only from malicious code injection etc?
A: Internet Explorer won’t block the general use of the control. Internet Explorer would be protected from malicious code injection.
Q: Installing the Microsoft Visual C++ 2008 Redistributable ( KB973551) download pointed to by MS09-035 on a machine that doesn’t have any prior Visual C++ 2008 installed causes the current Microsoft Baseline Security Analyzer MBSA scanner to actually trigger MS09-035 as MISSING from the system!
A: The Microsoft Visual C++ 2008 Redistributable (KB973551) should not cause the MBSA scanner to trigger MS09-035 as missing, we recommend you call Customer Support Services for free support at 1-800-MICROSOFT and they should be able to help you debug the issue.
Q: The Advanced Notification stated that “customers who are up to date on their security updates are protected from known attacks related to this out of band release”. What is the benefit to applying the OOB patch if we are up to date with critical patches?
A: While the MS09-032 addresses known exploits, other components and controls are still vulnerable. MS09-034 provides mitigation in Internet Explorer to protect from potential attacks, and MS09-035 allows developers to correct their components and controls
Q: Are these vulnerabilities related to diffusion of new (already known) virus?
A: These issues are not related to any known virus or malware activity
Q: In these attacks against ATL, does Malware software pick these up as abnormal behavior in the event of an attack?
A: While antimalware software, antivirus, IDS may detect attacks using this vulnerability, they should be considered part of a layered defense and not a complete defense solution on their own.
Q: IF we were planning to deploy MS09-019, should stop planning for that an apply MS09-034?
A: MS09-034 is a Cumulative update and contains the fixes contained in MS09-019. Microsoft encourages customers to apply the latest cumulative critical update as soon as possible to protect customers.
Q: Will these patches be included in next month’s Patch Tuesday rollup?
A: MS09-034 and MS09-035 were released today as an “out of band” release. As they were released in the calendar month of July, they are included in the July summary MS09-Jul. They are not included as part of the August 2nd Tuesday release, and should be considered “complete” at this time.
Q: I can’t install Internet Explorer 8 on two of my servers due to specific programs (Microsoft Virtual Server not working properly with Internet Explorer 8). Is there any problem not upgrading to Internet Explorer 8?
A: As long as the MS09-034 update is installed then there are not specific problems in updating to Internet Explorer 8. That said, it is worth highlighting the fact that Internet Explorer 8 provides further security improvements (as it is the latest version)
Q: Will we need to recompile programs to be covered, or is just using the updated runtime like Visual C++ 2008 SP1 ATL enough?
A: In most cases a recompilation will be needed, just updating the library might not be sufficient. Please review the guidance on the resource article provided by Visual Studio team.
Q: Is Visual Studio 6 affected by the vulnerability for MS09-035?
A: Visual Studio 6 is not under mainstream support; please contact your TAM or CSS to understand how to proceed.
Q: Do these vulnerabilities only refer to ActiveX controls? Meaning there are no other OBJECTS affected?
A: All COM controls could be affected depending on whether it uses the affected functions or not. In theory, if your code can feed non-trusted data to CComVariant::ReadFromStream, you might be affected. Please refer the decision tree in Visual Studio’s KB for more details.
Q: Can Microsoft provide info about current and future ActiveX controls that are being killbitted so Webmasters can scan their sites to see if they are in use? This will be a critical issue if Microsoft issues a killbit for an orphaned control without an owner.
A: At this time we are still investigating other impacted controls, so we cannot provide any further information at this time.
Q: Are you saying that the killbits vulnerability has been fixed? http://www.computerworld.com/s/article/9135959/Researchers_clam_up_about_Microsoft_s_rush_patches?taxonomyId=17&pageNumber=2
A: Microsoft’s investigation into the Microsoft Active Template Library vulnerabilities is ongoing. Customers using Internet Explorer with Security Update MS09-034 installed will receive defense in depth mitigations that help mitigate successful exploitation of the security vulnerabilities that would lead to killbit bypass. Developers will still need to issue updated controls or components, if vulnerable, as indicated in MS09-035.
Q: Are the vulnerabilities merely just conduits to allow attacks OR would someone actually have to hijack the controls and upload a bad version?
A: The vulnerability is in the ATL header and is part of any control compiled with the vulnerable header that uses the specific affected functions from within ATL.
Q: I think I might have misunderstood the targeted audiences. Is MS09-034 more for end users and developers and MS09-035 more for people who have Microsoft Developer Studio installed?
A: MS09-034 provides mitigations available for all users. MS09-035 is targeted to developers to correct their potentially vulnerable components and controls
Q: If a machine does not have the affected (or any) version of Visual Studio, does the MS09-034 patch still apply? If I understood correctly, they both address two different attack vectors for the same underlying issue within the ATL library.
A: MS09-034 provides an update for Internet Explorer and is not dependent on Visual Studio being present on the system
Q: When are these going to be available for Windows Server Update Service WSUS for deployment?
A: The catalogs for WSUS have already been published (they are always released at the same time as the bulletins). If you are experiencing any delays you may wish to investigate possible proxy caching latency between you and microsoft.com.
Q: Does this affect Microsoft XML Core Services (MSXML) controls we may have whitelisted?
A: Based on our investigation so far, MSXML is not determined to be vulnerable.
Q: By releasing and installing MS09-034 & MS09-035 through WSUS, does that secure us. Or do we need to look out for additional updates, i.e. other vendors?
A: It is likely that other vendors are impacted by this issue as well. Please contact other appropriate vendors as needed.
Q: Can the protections set in MS09-035 be enabled or disabled by a group policy and/or registry settings?
A: You can reference Security Advisory 973882 for the workarounds and additional guidance for deployment
Q: Are others having problems with these downloads? WSUS is having problems downloading the Visual Studio Service Pack.
A: We’re not aware of any issues and have validated & verified the availability of all of the updates. You may wish to look into possibly proxy caching latency between you, and microsoft.com. You also may wish to manually click on the download links within the bulletins to further verify their ability.
Q: On a clean BASE XP SP3 machine with no V++ redistributables installed at all (and a clean MBSA scan status) installing either “Microsoft Visual C++ 2008 Redistributable Package” (KB973551) or “Microsoft Visual C++ 2008 Service Pack 1 Redistributable
A: The scenario you describe should not happen because the updated version of the Microsoft Visual C++ 2008 Redistributable (KB973551) contains the fixed version of the binaries so a scan should not flag the security update as required. Please call Customer Support Services at 1-800-MICROSOFT from free support for security updates.
Q: MS09-034 is only really critical for systems with users that actively browse ‘web content’?
A: MS09-034 includes other security fixes (unrelated to ATL), so we encourage everyone to apply the update. If Internet Explorer is not used on your environment you should assess the risk based on the binaries being updated.
Q: Since very little web browsing is performed on data center servers, is it critical to get these patches applied to our servers, or can this wait a few weeks until our standard maintenance window?
A: MS09-034 includes other security fixes not related to the Internet Explorer mitigations that will block ATL. Based on this you should evaluate how the impacted binaries are used in your specific scenario to assess the risk. That said, we highly encourage all our customers to apply the update to avoid being vulnerable.
Q: Killbits are trustworthy again after the MS09-034 update, right? So, MS09-034 also includes killbits for all vulnerable ActiveX controls whitelisted by default in Internet Explorer 7 and 8?
A: ActiveX security policy, such as killbits, work as expected after the Internet Explorer mitigation release with MS09-034 is applied on the system. Also, MS09-034 does not include killbits, but instead defense-in-depth fixes were introduced to block all known ATL vulnerabilities. As our investigation continues, further killbits might be released.
Q: Can you elaborate on the killbit circumvention flaw. Is this a broad-based circumvention or specific to certain controls?
A: The issue could circumvent security controls in ActiveX and effectively bypass any killbit on the system.
Q: Do client machines which have received the Visual C++ 2005 Runtime Libraries need MS09-035?
A: Yes, machines that have installed earlier versions of the Visual C++ 2005 Runtime Libraries should install the newer (fixed) version included as part of MS09-035.
Q: Does this update fix KB973472? If not, do you know when this will be addressed?
A: This fix for KB973472 is not included in MS09-034. The issue is under investigation. When we have a comprehensive fix for customers we will ship an update
Q: So, assuming that I have probably currently installed several vulnerable ActiveX controls, how can an attacker exploit this? Does he just have to call them? And if so, is the user prompted about this again?
A: At this time we are not aware of an exploit that can take advantage of arbitrary controls. For example, regarding msvidctl which was fixed as part of MS09-032 update two weeks ago (in the July release) further code was needed to trigger the vulnerability. At this time we are not aware of any generic way of exploiting ActiveX controls. In order to understand whether your controls are vulnerable please submit them to http://codetest.verizonbusiness.com
Q: How do I push that big red button of the second Internet Explorer mitigation mentioned that is not enabled by default? I mean, I have to assume that my customers are pushing that button and have to evaluate if my controls still work, right?
A: Correct. We highly encourage testing all controls and LOB to ensure that this mitigation does not break any applications. Further information can be found on Internet Explorer bulletin MS09-034 and on the SRD blog http://blogs.technet.com/srd
Q: How to set the Feature Control Key?
A: The feature control key instructions are included in MS09-034 in the general FAQ section. There are more details regarding feature control keys located here: http://msdn.microsoft.com/en-us/library/ms537184(VS.85).aspx
Q: With the ATL vulnerability, will developers need to recompile and distribute their application code after they install the patch for Visual Studio… in order for the vulnerability to be mitigated for ActiveX controls?
A: After you install both the runtime and design-time updates and you’ve confirmed that your component or control is affected, you should follow the guidance on the developer page http://msdn.microsoft.com/en-us/visualc/ee309358.aspx to fix and rebuild your control or component. If you’ve reviewed that guidance and your component or control is not affected then you won’t need to rebuild and release after apply the updates.
Q: Windows 7 has reached the Release To Manufacturer (RTM) stage, but not yet available to the public. Will the Internet Explorer patch be in the RTM bits, and will there be any patches for the Release to Customers (RC) version?
A: Windows 7 RTM is not vulnerable to the vulnerabilities in the Internet Explorer Security Update. There are no known controls exposed to these issues included in Windows 7 RTM. However, the Internet Explorer Security Update contains a number of defenses in depth changes; the most critical of these defense in depth changes are included in Windows 7 RTM. Windows 7 also benefits from improved security and privacy protections such as /NX and DEP which are enabled in Internet Explorer 8 by default. Customers running versions other than Windows 7 RTM are unsupported.
Q: If ActiveX libraries are enabled in Firefox, will this update fix issues within Firefox? Is it vulnerable?
A: The Internet Explorer bulletin does not address any potential issues in Firefox or any other browsers.
Q: In what scenario can an attacker exploit this? Must the ActiveX control be written by the attacker? If not, why would it make sense for an attacker to use a third party control if he can write his own? A: msvidctl which was fixed as part of MS09-032 was being exploited through Internet Explorer. Furthermore, since the vulnerability is on the ATL header and library, it will depend on how that piece of code is used to understand the risk and exploitation technique. The ActiveX control does not need to be written by an attacker. A control written by the attacker would not be digitally signed using a certificate issued to Microsoft or by another vendor who’s digital certificate is signed by a signing authority in the trust chain of the user’s machine. Internet Explorer would not load this ActiveX control without a warning about an unsigned/unsafe ActiveX control.
Q: Can we expect to see more updates in the near future (similar to MS09-032) as Microsoft does their own ‘code reviews’?
A: We are currently investigating other potential issues. As the investigation unfolds other updates will be released as needed.
**Q: What can this break? Are there any examples of sites that don’t work once the Internet Explorer patch is applied?
A: With the “on-by-default” Internet Explorer mitigation enabled, application compatibility impact is considered to be very unlikely / minimal. With the “off-by-default” Internet Explorer mitigation enabled manually, OBJECT tags that use the DATA attribute legitimately may no longer work. See Internet Explorer Mitigations for ATL Data Stream Vulnerabilities blog post for more information.
Q: Does this mean that any ActiveX control built by any third party might contain remote code execution vulnerability due to the ATL vulnerability?
A: Yes, Microsoft has been working with third parties to identify vulnerable controls
Q: If active content is disabled is this mitigating the vulnerability?
A: Yes, if active content is disabled the vulnerability is mitigated
Q: Using Internet Explorer 6 we do not allow active content to run in files on My Computer (Internet Explorer settings). Does this vulnerability bypass this mitigating control for MS09-0034 or MS09-035?
A: With this mitigation in place, attacks in the Local Machine Zone would be blocked. For example, if a local HTML file was attempting to exploit these vulnerabilities. But the primary attack vector, via the Internet zone, would not be blocked; you could still browse to malicious web sites and an exploit could succeed.
Q: I am trying to download the patches with System Center Configuration Manager SCCM / WSUS and it’s taking over an hour now. Is there high traffic right now for downloading these? A: We can confirm that the microsoft.com systems are running normally. However we cannot comment as to the state of any part of the internet link between microsoft.com, and your systems,
Q: Do we need to install the MS09-035 runtime patches to end user (non-developer) machines? A: The runtime patches for MS09-035 are updated versions of the Visual C++ Redistributable. Being a redistributable package, by definition this is redistributed with numerous non-Microsoft applications. Therefore any PCs that have an affected version of the Visual C++ Redistributable should install the runtime updates for the corresponding Visual C++ Redistributable version. PCs that have Visual Studio installed should install both the runtime and the design time updates.
**Q: Do other products in the Microsoft line install the ATL library?
A: A number of components and controls, within Microsoft and third parties, use ATL. That doesn’t mean that all these controls are vulnerable, as it depends on specific decisions made by the developer. Our investigation in Microsoft controls continues, however MS09-034 protects from the known ATL vulnerabilities while browsing the internet for any vulnerable controls.
Q: Regarding MS09-034: What guidance do you have for enterprise customers to determine if the optional defense in depth option (FEATURE_RESTRICT_OBJECT_DATA_ATTRIBUTE) should be enabled?
A: Enterprise customers should evaluate if LOB applications might be impacted. For further information look at http://blogs.technet.com/srd
Q: Hello, does the MS09- 034 patch mitigate the need to turn on the killbits as recommended in Security Advisory 973472?
A: It is recommended to turn on the killbits as stated in the Security Advisory 973472, as well as apply the MS09-034 patch.
Q: Do we need to install the MS09-035 runtime patches to end user (non-developer) machines? A: MS09-035 is a security update for developers. Customers who are not developers, and do not use Visual Studio or the public versions of the Microsoft Active Template Library (ATL), do not need to install MS09-035 but are strongly encouraged to download and install MS09-034 to benefit from improved defense in depth protections now available Internet Explorer.
Q: On what does it depend whether a third party ActiveX control is vulnerable?
A: You can refer to MSDN article http://msdn.microsoft.com/en-us/library/3ax346b7(VS.71).aspx for full details. This link is also provided in the bulletin FAQ of MS09-035
Q: What percent of third party ActiveX controls do you expect to be vulnerable? 1%? 10%? 50%? How large do you expect the overall number of vulnerable ActiveX controls to be?
A: We do not have the estimation so far for 3rd party controls. We are in the process of investigation.
Q: Does this mean that it is virtually impossible for AV vendors to detect the exploitation of this ATL flaw?
A: No, AV vendors have been provided signatures through the MAPP program and will still be able to provide signatures for various issues as they are detected.