-=PCTechTalk=- Emergency patches from M$ (Nota bene!!!!! -- Run your Windows update program today!!!!)
- From: "Larry Southerland" <larrysoutherland@xxxxxxxxxxxxx>
- To: <the_bullhorn2@xxxxxxxxxxxxxxx>, <thebullhornsbest@xxxxxxxxxxxxxxx>, <Puters_N_Such@xxxxxxxxxxxxxxx>, <pctechtalk@xxxxxxxxxxxxx>
- Date: Wed, 29 Jul 2009 10:56:09 -0400
Microsoft released an emergency patch on Tuesday to protect Internet
Explorer users from a hole in technology used to build ActiveX controls and
other web application components that has been targeted in attacks.
A critical patch for all versions of IE will protect consumers, while a
security update for Visual Studio will help developers fix the controls and
components they built that could be affected.
Microsoft also has had discussions with Adobe, Sun and Google about some
components involving their software that are affected, said Mike Reavey,
director of the Microsoft Security Response Center. He declined to
elaborate.
Internet Explorer users running Flash Player and Shockwave Player are
vulnerable, Adobe
<http://blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html>
said in a blog post that contains links to the Adobe security bulletins for
those products.
A Google representative said the company has been working with Microsoft on
the issues but declined to comment further. And a Sun representative did not
respond to a call seeking comment.
Cisco will
<http://www.cisco.com/warp/public/707/cisco-sa-20090728-activex.shtml>
release free software updates for any of its software that is affected by
the vulnerability and is making available workarounds that mitigate the
issue, the company said in a detailed advisory.
The company released two security updates that deal with a vulnerability in
Microsoft's Active Template Library, which is used to build components for
web applications and which could be targeted to take control of the
computers of web surfers visiting sites hosting malicious code.
The critical update, MS09-034,
<http://www.microsoft.com/technet/security/Bulletin/MS09-034.mspx> is
targeted at IE users. The other update, MS09-035,
<http://www.microsoft.com/technet/security/Bulletin/MS09-035.mspx> is
targeted at Visual Studio developers, and is rated moderate. It affects
Visual Studio 2005 and 2008.
"A library can get used in a lot of places, and vulnerabilities in libraries
are challenging," Reavey said. "It's an industry-wide problem when
[vulnerabilities] do happen."
"The vulnerability is in the controls, not IE; however, to provide
protections while developers update the controls, IE (versions that are
patched) will block attacks," he said.
The company warned on Friday <http://blogs.zdnet.com/security/?p=3803> that
a security update would come on Tuesday instead of waiting for the next
Patch Tuesday cycle on 11 August. This is only the ninth out-of-band release
Microsoft has had, according to Reavey.
Microsoft first warned about the ActiveX issue
<http://blogs.zdnet.com/security/?p=3703> on July 6, saying a vulnerability
in its Video ActiveX Control could allow an attacker to take control of a PC
if the user visits a malicious website, and that attackers were exploiting
the hole. The company offered a workaround for the issue.
During the July Patch Tuesday release the following week, Microsoft still
did not have a patch ready and was recommending a manual 'kill bit' method
to disable ActiveX, or sending customers to a 'Fix it for me' website.
However, researchers figured out a way to get around the kill bit protection
mechanism, thus rendering it ineffective and exposing the system to attack,
said Eric Schultze, chief technology officer at Shavlik Technologies.
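A defender's verification aid, added here and not part of the CNET article or of any Microsoft tooling: the 'kill bit' workaround the article describes is a registry flag (bit 0x400 of the Compatibility Flags value under the ActiveX Compatibility key), and this PowerShell reports whether it is set for given CLSIDs in both the native and the 32-bit (Wow6432Node) views. The CLSIDs are constructed placeholders, since the article names none, and because the article reports the kill bit was bypassed, a set kill bit is a workaround check only, not evidence that the MS09-034 update is installed.

```powershell
# Added example (not from the article): report whether the IE kill bit
# (Compatibility Flags bit 0x400) is set for a list of ActiveX CLSIDs.
$KillBit = 0x400
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        foreach ($base in $BasePaths) {
            # Wow6432Node does not exist on 32-bit Windows; skip it there
            if (-not (Test-Path $base)) { continue }
            $key   = Join-Path $base $id
            $flags = 0
            if (Test-Path $key) {
                $v = Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                                      -ErrorAction SilentlyContinue
                if ($v) { $flags = [int]$v.'Compatibility Flags' }
            }
            [pscustomobject]@{
                Clsid   = $id
                Hive    = $base
                Flags   = ('0x{0:X}' -f $flags)
                KillBit = (($flags -band $KillBit) -ne 0)   # $true = control blocked in IE
            }
        }
    }
}

# Constructed placeholder CLSIDs; substitute the ones listed in the advisory.
$ToCheck = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)
Get-KillBitStatus -Clsid $ToCheck | Format-Table -AutoSize
```

A missing key or a Flags value without bit 0x400 both report KillBit as False, so the output can be compared directly against the advisory's list of CLSIDs that should be blocked.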
"Some security researchers found that they were able to bypass the kill bit
function and still execute certain controls," Schultze said in a statement
on Tuesday. "A presentation on how this is done is slated for tomorrow
afternoon at the Black Hat Conference [in Las Vegas]."
Reavey said: "We were aware of limited attacks on the Microsoft kill bit
control where the underlying issue was this vulnerability. As a result of
those attacks we released the bulletin to protect customers...but that
created chatter. We saw more details released and we had these updates ready
so we released them now instead of waiting for [attacks] to get worse."
The IE patch also resolves three privately reported vulnerabilities that
could allow remote code execution if a user views a specially crafted web
page using the browser.
Tyler Reguly, senior security researcher for nCircle, criticised Microsoft
for not fixing the underlying issue with a proper patch and said the update
could put other software vendors at risk.
"Although Microsoft has protected against the kill bit bypass and has
patched the public ATL vulnerabilities, there has been no mention or
reference to fixing the issue in msvidctl.dll itself," he wrote in a
statement.
"One has to question what the release of the ATL patch means for other
software vendors," Reguly added. "We also have to wonder if they are now
more vulnerable than they were previously. They now have to obtain this
patch and recompile and release their tools.
"This means until that process can occur, malicious individuals can reverse
the patches to pinpoint each of the vulnerabilities and target third-party
software. It's a race to see who will get there first, and the vendors
didn't get a head start."
In response, a Microsoft representative provided this comment: "As part of
our overall response to the ATL issue, we are continuing our investigation
for Microsoft components and controls that may be affected by the ATL issue
and will update customers as appropriate throughout the process."
More information
<http://www.microsoft.com/technet/security/advisory/973882.mspx> about the
vulnerabilities and fixes in Microsoft advisory 973882 is available on the
TechNet site.
This article was originally posted on CNET News <http://www.news.cnet.com> .