Claims made that threats of exposure at Black Hat forced Microsoft to release out-of-band patches
The Internet Explorer issue was rated critical and the Visual Studio patch was rated moderate.
Eric Schultze, CTO at Shavlik, claimed that a flaw was introduced in a 'template' in the development tools maintained by Microsoft, one that helps developers create ActiveX controls. Any control built using this flawed template might be exposed to the security vulnerabilities discussed in today's bulletins.
The Visual Studio patch (MS09-035) corrects the flawed template (the Active Template Library, or ATL) so that any controls built from this template going forward will be safe. The Internet Explorer patch (MS09-034) monitors all calls to ActiveX controls and prevents controls that are found to have been developed with the flawed template from executing.
Schultze said: “One such example of a vulnerable control built from the flawed template was the Video control issue discussed earlier this month and addressed in MS09-032. The Video control had been built from the flawed template library - it was this vulnerability that was being exploited in the wild that led to the security advisory, MS09-032, and eventually the death of this control.
“Killing a control typically means setting a 'killbit' on the control. When the killbit is set, it means IE won't launch the control - thus keeping your machine safe. To date, Microsoft has issued 175 killbits via their cumulative killbit patches. However, some security researchers found that they were able to bypass the killbit function and still execute certain controls.
“In other words, if you installed MS09-032 to protect yourself from the Video control exploit, there is a chance that someone could still execute this attack against you because they bypassed the killbits set in the 09-032 patch.”
Schultze claimed that the MS09-034 patch protects against the killbit bypass problem, while the 09-035 patch also addresses the killbit issue, plus two other issues in the template library: one was an information disclosure issue and the other was a remote code execution flaw.
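The killbit mechanism Schultze describes can be audited from a registry export, shown here as an added example that is not part of the original article or any Microsoft code. The registry path, the `Compatibility Flags` value name and the 0x400 mask are assumptions taken from general knowledge of the mechanism rather than from the article, and the CLSIDs and export text are constructed placeholders.

```python
import re

# Assumption (not from the article): IE keeps per-control settings under this
# key, and the kill bit is the 0x400 bit of the "Compatibility Flags" DWORD.
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400

# Constructed sample of decoded `reg export` text; the CLSIDs are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A2}]
"Compatibility Flags"=dword:00800400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A3}]
"Compatibility Flags"=dword:00000000
'''

KEY_RE = re.compile(r"^\[(.+)\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def parse_flags(export_text):
    """Map CLSID (upper case) -> Compatibility Flags for keys directly under BASE."""
    flags, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = KEY_RE.match(line)
            in_base = bool(key) and key.group(1).lower() == BASE.lower()
            current = key.group(2).upper() if in_base else None
            continue
        value = FLAGS_RE.match(line)
        if value and current:
            flags[current] = int(value.group(1), 16)
    return flags

def audit(export_text, expected_clsids):
    """Report 'killed', 'not killed' or 'no entry' for each CLSID that should be blocked."""
    flags = parse_flags(export_text)
    report = {}
    for clsid in expected_clsids:
        value = flags.get(clsid.upper())
        if value is None:
            report[clsid] = "no entry"
        else:
            # Test the bit, not equality: other flag bits may be set alongside it.
            report[clsid] = "killed" if value & KILL_BIT else "not killed"
    return report
```

As the article notes, a set killbit could still be bypassed before MS09-034, so a "killed" result is one check to run alongside confirming that the patches are installed.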
Andrew Clarke, senior vice president, international at Lumension, claimed that pressure from researchers who intended to reveal how to bypass a critical security mechanism in Internet Explorer at the Black Hat Conference yesterday had forced Microsoft to break its scheduled patch cycle.
Clarke said: “If you consider that this is only the third time in two years that Microsoft has officially released an out-of-band patch, and on the other occasions there were active exploits in the wild, you can grasp just how important it is that IT users ensure this update is applied.
“Computer users that browse the internet via Internet Explorer must view this patch as a code red. The patch, MS09-034, will add an additional layer of security to address the issues in Internet Explorer, which were patched just last Tuesday with a workaround solution that simply disabled the impacted code by default, calling it ‘fixed’. This new patch goes beyond the workaround, this time providing an actual fix to the underlying code issue.
“MS09-035 will handle issues within Visual Studio. Organisations implementing the patch within mission-critical third-party applications must test the out-of-band patch in a ‘non-production’ environment to be sure the changes do not impact their mission-critical application.”