
Microsoft's Emergency Patch Mess

Microsoft today released a pair of emergency software updates (Redmond calls them "out-of-band" updates). Yes, that's right folks: If you use Windows -- and especially if you browse the Web with Internet Exploder Explorer -- it's once again time to update.

The backstory to these patches is a bit complex, so here's the short version: A while back, Microsoft introduced several security flaws into a set of widely-used third-party software development tools, and today it's correcting that error by issuing an updated set of tools. Another update tries to block attackers from exploiting those weaknesses while third-party software makers figure out how to fix their code with the updated tools.

On a scale of 1 to 10, with 10 being the most dire and far-reaching, Eric Schultze, chief technology officer at Shavlik Technologies, said he'd put the seriousness of today's out-of-band patch releases at an 8.

"When I was at Microsoft, there were a couple of issues that we referred to as 'Voldemort,' meaning they were so nasty you didn't even want to speak their names, and this one is kind of like 'Son of Voldemort,'" Schultze said. "You really start to lose confidence in Microsoft's security mechanisms when something like this happens."

At issue is a faulty software development "template" or code library that Microsoft makes available to other software makers. This flawed template, known as an active template library or ATL, was shipped as part of Microsoft Visual Studio, a Web application development platform. This ATL helps developers create ActiveX controls, powerful components of Windows and Internet Explorer that were designed to allow Web sites to develop interactive, multimedia-rich pages.

The problem is that having a flaw in this software development template means that potentially all of the ActiveX controls crafted with that template may also be flawed.

A good example of a buggy ActiveX control produced by this flawed template came to light last month, when Microsoft warned that attackers were exploiting a flawed Video ActiveX control to break into Windows systems when users visited booby-trapped Web sites with IE. To blunt the threat from that vulnerability, Microsoft simply disabled that flawed Video ActiveX control in Windows, so that it could no longer be invoked by Web pages.

Or so Redmond thought. Turns out, disabling faulty controls isn't as effective as fixing them, as several security researchers presenting Wednesday at the Black Hat hacker conference in Las Vegas will show. Researchers Ryan Smith from Verisign iDefense, and David Dewey and Mark Dowd from IBM's X-Force team, will demonstrate how attackers can still exploit these buggy ActiveX controls, even after they have been disabled in Windows. The researchers have provided a teaser video of what they will present at Black Hat, at this link here.

In response to this threat, one of the patches Microsoft shipped today includes a fix for the flawed code library in Visual Studio that the company is urging developers to use to fix any ActiveX controls that may have been developed with the earlier version. The other patch pushed out today updates Internet Explorer so that it looks for and blocks any attempts to load ActiveX controls developed with the faulty code library.

"The reason we've released these out of cycle is that we were aware of attacks on [the Video ActiveX control] that were using the vulnerability in ATL, and we saw that more details about the issue were being disclosed, increasing the risk to customers," said Mike Reavey, director of the Microsoft Security Response Center. "We decided to issue these updates now rather than wait for things to get worse."

Reavey declined to say just how many third-party ActiveX controls or developers may need to revamp their code to fix this bug, but he said Microsoft has been reaching out to the most affected parties with guidance on how best to fix the problem. "That collaboration has been underway for a while," he said. "I don't want to go into specifics of who we've reported to or what the status of that investigation is."

The company is urging developers who may be affected to check their ActiveX controls at Verizon's free ActiveX Control Testing site.

If you use Windows but browse the Web with a non-IE browser, you probably still want to apply this emergency Internet Explorer patch, for two reasons.

"Because IE is so tightly integrated with the operating system, there's a chance you could click on something in one application that would open something in IE, so it's best to be on the safe side," Shavlik's Schultze said.

Also, the IE update includes fixes for three unrelated, critical vulnerabilities that hackers could exploit to install malicious code on your system just by tricking you into visiting a hacked or specially crafted evil Web site (with IE, of course, but then again, see warning No. 1).

Update, July 29, 8:07 a.m. ET: Corrected the name of Dewey's employer.

By Brian Krebs  |  July 28, 2009; 5:52 PM ET


I am not sure about the following comment Microsoft made regarding the release of these latest patches to IE. "We decided to issue these updates now rather than wait for things to get worse." Why would Microsoft wait to release these patches? They should release them as soon as the patches are ready, especially if they are critical patches. The above statement makes me think Microsoft waits to release patches until things are bad. I do not understand that.

Posted by: bradto2 | July 28, 2009 7:57 PM | Report abuse

bradto2: Patches are a headache for companies, especially those with a stringent change control process. Many companies have several levels of testing before they install patches. Most of them are used to Microsoft releasing them on the second Tuesday of the month. Patches outside that normal release mean extra testing time, patching time, server unavailability, etc. And there is a concern that out of cycle patches may be more likely to have unintended consequences, which may be a bit unfair, but is reality. Therefore, to not upset corporate customers, where Microsoft makes a lot of their money, they try to keep the patches on a normal schedule. They don't want things to be bad, they want them to be smooth.

Posted by: drweidner1 | July 28, 2009 8:09 PM | Report abuse

When you hire cheap Indian guest workers, essentially indentured servants, lay off your experienced U.S. work force that actually had pride in the company, this is pretty much what you can expect. I have no sympathy for Microsoft and hope and pray that they wither and die. Same for IBM and Dell.

Posted by: mibrooks27 | July 28, 2009 8:20 PM | Report abuse

I really don't understand why people would ever purchase a Windows machine over an Apple Mac. While it is debatable whether Apple machines cost more, it certainly is true that if time spent dealing with viruses is added, Windows machines are far, far more expensive. I have told many people who are crying at the time spent on the phone with Microsoft technical support - "Should'a bought a Mac." When will these people ever learn?

Posted by: hoya91 | July 29, 2009 12:47 AM | Report abuse

Well, I've been using Dell PCs with XP since Y2K or so and have never been clobbered by a virus. Some buggy things have happened, but nothing running McAfee or a restore point didn't fix.

I do like Macs, and have a MacBook. If Apple would simply figure out a way to have the Ctrl button in the lower left corner instead of its Command button next to the space bar, I might well see the light.

Oh, and apologize for "think different."

Posted by: Georgetwoner | July 29, 2009 1:20 AM | Report abuse

For Christ's sake, all Microsoft products are faulty, all they make is garbage, they should be out of business, instead, they put their garbage everywhere and created such a problem. Microsoft should just get out of the software business and join BFI in the garbage business!

Posted by: sayNo2MS | July 29, 2009 7:20 AM | Report abuse

Come on, another round of patches. Microsoft puts out junk. I never buy any of their newest operating system. Still on XP glad I never went to that trash they call Vista. Anyone that did is just nutty. Windows 7? Not for a long time will I even consider it.

Posted by: Classic60 | July 29, 2009 8:41 AM | Report abuse

Microsoft went down a wrong path years ago by integrating so much stuff with IE. A web browser should browse the web. Period. Operating system stuff should NOT talk directly to the Internet.

Linux is looking better all the time...

Posted by: member8 | July 29, 2009 9:43 AM | Report abuse

What versions of IE are affected? I use Firefox almost exclusively, but certain websites REQUIRE IE to operate properly. I'm running XP SP 2 and IE 6 (I refuse to update to Vista or any higher version of IE unless IE 6 ceases to function). I apply all Microsoft patches as they are released, but where does this particular bug come into play version-wise?

Posted by: milano99_99 | July 29, 2009 9:47 AM | Report abuse

@hoya91 "I really don't understand why people would ever purchase a Windows machine over an Apple Mac"

Pretty simple. I built my own computer and I use it primarily as a video gaming computer. If I want to play any of the current, mainstream games, I have to run Windows. Building my own computer was cheaper than having it built and I could decide which components I wanted installed in it.

Posted by: Joran | July 29, 2009 10:03 AM | Report abuse

ActiveX is one of the great scourges of the computing world.

Re: Gaming -- I love how PC people say Macs are "toys for kids," but one of the common reasons cited for preferring Windows boxes is to play games! LOL I do audio engineering and algorithmic composition on my mac, no kid stuff there.

Posted by: jamshark70 | July 29, 2009 10:44 AM | Report abuse

Brian, this is a sneaky update by Microsoft, they have included Explorer 8 in this update despite my having rejected it earlier. People be warned! Check the items before installing! I despair of ever getting Vista, nothing but trouble ever since!

Posted by: johnvincent | July 29, 2009 10:51 AM | Report abuse

to milano99_99:

IE 6, 7, and 8 are all affected by this update.

Posted by: wilson7 | July 29, 2009 11:09 AM | Report abuse

Loves it. You be better and better all the time. Kudos. On a scale of 1-5 I easily rate this a 10. Cheers. :)

Posted by: Rixstep | July 29, 2009 11:53 AM | Report abuse

Don't blame this mess on immigrants or foreigners.

This is Microsoft and its utter inability to understand the basic concept of computer security.

The entire concept of ActiveX is utterly flawed; there is NO WAY to make it secure. Microsoft should have thrown it, and its inventor, under the bus years ago.

Posted by: frantaylor | July 29, 2009 12:05 PM | Report abuse

Georgetwoner, the Mac keyboard is very reconfigurable. It's your mind set that doesn't seem to be reconfigurable.

Posted by: frantaylor | July 29, 2009 12:10 PM | Report abuse

Many vulnerabilities affect Firefox, and as a long-time Unix guru I can assure you that Mac and Linux machines are not invulnerable. The only reason they may appear less vulnerable is that, because of their relative rarity, Mac and Linux machines are not targeted by the profit-driven creators of malware.

Microsoft, to whom I have no affiliation or particular affinity, has gotten it remarkably "right," and has been relatively conscientious in keeping it right. The challenges they face in a world where their product is used by millions of people without the slightest clue about computer security and whose computers are connected to a blissfully open Internet are truly daunting. The fact that they release so many security patches is a tribute to their conscientiousness, not a knock on their product.

Mac and Linux (along with Linux's myriad other flavors), on the other hand, tend to appeal exclusively to the small numbers among us who are far more knowledgeable about all matters related to computers, networks and software. It is therefore not targeted by malware because to do so would be a waste of time to those who would do you harm.

But don't be so smug. The very first computer worm affected Unix exclusively, and Linux machines are particularly easy to penetrate -- MUCH easier than Vista boxes -- when you know how to do it - especially since it's all open source code which makes it easier to hack! In any case, Mac machines are always the first machines hacked into by Black Hat, Linux second and surprisingly Vista lasting the longest... Check it out for yourselves...

Mac and Linux machines only have security through obscurity - for the time being.

Posted by: SammyB1 | July 29, 2009 1:00 PM | Report abuse

This is a REALLY horrible problem. Many programs ship with the Microsoft C++ redistributable. You will need to re-run Windows Update after installing ANY software on your machine.

Microsoft is just beyond irresponsible, relying on other software vendors to install THEIR SOFTWARE for them.

Every company that ships Windows software will have to re-release their products due to this bug.

How is Linux "security through obscurity"? The source code to all of Linux is publicly available, and hackers are free to pick over it, looking for bugs. That is hardly "obscurity".

Posted by: frantaylor | July 29, 2009 1:39 PM | Report abuse

To frantaylor <- you are missing the point about "obscurity" - it refers to not as popular. The fact that Linux is open code is a big issue with corporations seeking security in their OS. Mac (Bash) and MS (Windows) were smart to close their code to the public, as some Linux distros are now doing by recompiling Linux into their own brand and securing closing the source code...

Posted by: SammyB1 | July 29, 2009 2:42 PM | Report abuse

Hey SammyB1, Linux has 50% market share on the server, where confidential data for millions of customers is stored on a single server. The temptation and the rewards are SO much greater.

In fact the opposite is true. Systems with open source and many eyes looking at the code are shown time and time again to be more secure than the "closed source" operating systems, where problems like this one fester for years before they are discovered.

Posted by: frantaylor | July 29, 2009 2:48 PM | Report abuse

Hey SammyB1, "bash" is part of Linux, OSX, BSD, Solaris, and many other Open Source operating systems.

And most of OSX is Open Source!!! It is called "Darwin", it is based on BSD, and anyone can download it.

Posted by: frantaylor | July 29, 2009 2:51 PM | Report abuse

"recompiling Linux into their own brand and securing closing the source code..."

It is a copyright violation to do this. Companies that do this have been shut down repeatedly by the FSF and their aggressive lawyers. Anyone who downloads and installs a "closed source" version of Linux is just asking for trouble.

Not only that, it is JUST NOT DONE. Many companies like Amazon, Google, are run almost exclusively on Linux. They do so because of its high security.

Please find a SINGLE instance of data theft from Amazon. You won't find one.

Posted by: frantaylor | July 29, 2009 2:56 PM | Report abuse

Amazon uses MS SQL and MySQL for their backend processing along with MS file servers, MS Exchange mail, MS Office and Windows as corporate standard - not strictly Linux/Unix. Concerning closed source, ask a Novell tech about their offerings based on OpenSUSE...

Posted by: SammyB1 | July 29, 2009 3:10 PM | Report abuse

MySQL is open source too.

Amazon's web servers are the front line of their security defense, and they are Linux machines running apache. Amazon's credit card processing systems are their second line of defense, and they run Linux, too. I know the guy who wrote their credit-card processing system.

Posted by: frantaylor | July 29, 2009 3:13 PM | Report abuse

Amazon does not use SQL databases for the majority of their processing. SQL is too slow for them. Most of their mainline data is stored in Berkeley DB (again, open source) because it is SO much faster than any SQL database.

Posted by: frantaylor | July 29, 2009 3:18 PM | Report abuse

If you know a Windows developer, try to get them on the phone today. Chances are, they will be late to dinner tonight.

This bug is embedded into almost every Windows program that you either purchase or download. You will be vulnerable again after you install software or updates of any other software. You must re-run Windows Update immediately afterward.

Not only that, this bug was replicated in the example code that Microsoft ships. EVERY ActiveX control that was based on this example is also vulnerable.

You will be seeing many, many software updates from many, many companies in the upcoming weeks as they, too, have to update their products to fix this problem.

Posted by: frantaylor | July 29, 2009 3:35 PM | Report abuse

Thanks yet one more time, Brian. The patches were installed in less than three minutes, didn't crash my computer, and didn't offer to install IE 8.

Posted by: JBV1 | July 29, 2009 4:01 PM | Report abuse

I did these downloads yesterday. PC got stuck in logging off. Any of you have the same go on.

Posted by: jr125 | July 29, 2009 4:07 PM | Report abuse

Microsoft has not even updated their own web site with new ActiveX controls. I am having terrible difficulties using Internet Explorer since I installed the update.

After you install this update, you will be unable to use web sites that have ActiveX controls until the web sites update their software. See in the article above: "it looks for and blocks any attempts to load ActiveX controls developed with the faulty code library"

Posted by: frantaylor | July 29, 2009 4:33 PM | Report abuse


© 2010 The Washington Post Company