Thursday, July 30, 2009

Microsoft's Emergency Patch Mess

Yesterday Microsoft released a pair of emergency software updates (Redmond calls them "out-of-band" updates). Yes, that's right, folks: if you use Windows, and especially if you browse the Web with Internet Explorer, it's once again time to update.

The backstory to these patches is a bit complex, so here's the short version: A while back, Microsoft introduced several security flaws into a set of widely-used third-party software development tools, and today it's correcting that error by issuing an updated set of tools. Another update tries to block attackers from exploiting those weaknesses while third-party software makers figure out how to fix their code with the updated tools.

At issue is a faulty software development "template" or code library that Microsoft makes available to other software makers. This flawed template, known as the Active Template Library, or ATL, was shipped as part of Microsoft Visual Studio, a Web application development platform. This ATL helps developers create ActiveX controls, powerful components of Windows and Internet Explorer that were designed to allow Web sites to develop interactive, multimedia-rich pages.

The problem is that having a flaw in this software development template means that potentially all of the ActiveX controls crafted with that template may also be flawed.

A good example of a buggy ActiveX control produced by this flawed template came to light last month, when Microsoft warned that attackers were exploiting a flawed Video ActiveX control to break into Windows systems when users visited booby-trapped Web sites with IE. To blunt the threat from that vulnerability, Microsoft simply disabled that flawed Video ActiveX control in Windows, so that it could no longer be invoked by Web pages.

Or so Redmond thought. Turns out, disabling faulty controls isn't as effective as fixing them, as several security researchers presenting Wednesday at the Black Hat hacker conference in Las Vegas will show. Researchers Ryan Smith from Verisign iDefense, and David Dewey and Mark Dowd from IBM's X-Force team, will demonstrate how attackers can still exploit these buggy ActiveX controls, even after they have been disabled in Windows. The researchers have posted a teaser video of what they will present at Black Hat.

In response to this threat, one of the patches Microsoft shipped today fixes the flawed code library in Visual Studio; the company is urging developers to use the updated library to rebuild any ActiveX controls that may have been developed with the earlier version. The other patch updates Internet Explorer so that it looks for and blocks any attempt to load ActiveX controls built with the faulty code library.

"The reason we've released these out of cycle is that we were aware of attacks on [the Video ActiveX control] that were using the vulnerability in ATL, and we saw that more details about the issue were being disclosed, increasing the risk to customers," said Mike Reavey, director of the Microsoft Security Response Center. "We decided to issue these updates now rather than wait for things to get worse."

Reavey declined to say just how many third-party ActiveX controls or developers may need to revamp their code to fix this bug, but he said Microsoft has been reaching out to the most affected parties with guidance on how best to fix the problem. "That collaboration has been underway for a while," he said. "I don't want to go into specifics of who we've reported to or what status of that investigation is."

The company is urging developers who may be affected to check their ActiveX controls at Verizon's free ActiveX Control Testing site.

If you use Windows but browse the Web with a non-IE browser, you probably still want to apply this emergency Internet Explorer patch, for two reasons.

"Because IE is so tightly integrated with the operating system, there's a chance you could click on something in one application that would open something in IE, so it's best to be on the safe side," Shavlik's Schultze said.

1 comment:

  1. Microsoft released a pair of emergency software updates. Can we use it on a non-IE browser, meaning on Mozilla or on Google Chrome?