July Out of Band Security Release

Microsoft released two out of band security bulletins today – one Internet Explorer bulletin and one Visual Studio bulletin.  The IE issue is rated Critical and the Visual Studio patch is rated Moderate.

Shavlik recommends installing the IE patch as soon as possible as it helps protect against a flaw being demonstrated at Blackhat tomorrow (Wednesday) that might allow an attacker to bypass the killbits that were set to protect a machine against unsafe ActiveX controls.  Failing to patch for this issue is like purposely uninstalling 8 prior IE patches – not something you want to do.  Patch this one right away.


Some years ago, a flaw was introduced in the development tools maintained by Microsoft.  This flaw was in a ‘template’ that helps developers create ActiveX controls.  Any control built using this flawed template might be exposed to the security vulnerabilities discussed in today’s bulletins.

To address these flaws, Microsoft has released two types of patches – one for IE and one for Visual Studio.  The Visual Studio patch (MS09-035) corrects the flawed template (the Active Template Library, or ATL) so that any controls built from this template going forward will be safe.  The Internet Explorer patch (MS09-034) monitors all calls to ActiveX controls and blocks any control that is found to have been developed with the flawed template and that is attempting to exercise the vulnerabilities in that template.

One example of a vulnerable control built from the flawed template was the Video control issue discussed earlier this month and addressed in MS09-032.  The Video control had been built from the flawed template library – it was this vulnerability that was being exploited in the wild that led to the security advisory, MS09-032, and eventually the death of this control.

Killing a control typically means setting a ‘killbit’ on the control.  When the killbit is set, IE won’t launch the control – thus keeping your machine safe.  To date, Microsoft has issued 175 killbits via their cumulative killbit patches (for more information on these 175 killbits, see my analysis at http://ericsblog.shavlik.com/2009/07/27/activex-killbits/).  However, some security researchers found that they were able to bypass the killbit function and still execute certain controls.  A presentation on how this is done is slated for tomorrow afternoon (Wed, July 29th 2009) at the Blackhat Conference.  The researchers found that the same ATL flaws we were talking about earlier allowed them to bypass the killbit on controls that were built with the flawed templates.  In other words, if you installed MS09-032 to protect yourself from the Video control exploit, there is a chance that someone could still execute this attack against you because they bypassed the killbits set in the 09-032 patch.
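The killbit described above is stored as bit 0x400 of the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The following is an added example, not part of the original post: it audits the text of a `reg export` of that key and reports which expected controls lack the killbit. The CLSIDs, flag values and sample export are constructed placeholders, and the function names are hypothetical.

```python
import re

KILLBIT = 0x00000400  # bit in "Compatibility Flags" that stops IE loading the control
KEY_TAIL = r"\internet explorer\activex compatibility"

# Constructed `reg export` text; the CLSIDs and flag values are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000B}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000C}]
"Compatibility Flags"=dword:00800400
'''

SECTION = re.compile(r"^\[(.+)\]$")
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})$')
CLSID = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")

def parse_flags(export_text):
    """Return {CLSID: flags} for every control that has a Compatibility Flags value."""
    flags, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            head, _, tail = section.group(1).rpartition("\\")
            ok = head.lower().endswith(KEY_TAIL) and CLSID.match(tail)
            current = tail.upper() if ok else None  # ignore unrelated keys
            continue
        value = FLAGS.match(line)
        if value and current:
            flags[current] = int(value.group(1), 16)
    return flags

def audit(export_text, expected_clsids):
    """Return (CLSIDs with the killbit set, expected CLSIDs that lack it)."""
    flags = parse_flags(export_text)
    killed = {c for c, f in flags.items() if f & KILLBIT}
    missing = sorted(c.upper() for c in expected_clsids if c.upper() not in killed)
    return killed, missing

if __name__ == "__main__":
    killed, missing = audit(SAMPLE_EXPORT, ["{00000000-0000-0000-0000-00000000000B}"])
    print("killbit set:", sorted(killed), "missing:", missing)
```

A control appearing in the first set only confirms the killbit is present; as the post explains, controls built with the flawed ATL can still bypass it until MS09-034 is installed.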

The MS09-034 patch protects against the killbit bypass problem.  The 09-035 patch also addresses the killbit issue plus two other issues in the template library: one was an information disclosure issue and the other was a remote code execution flaw.

The MS09-034 patch also includes fixes for three other remote code execution vulnerabilities in Internet Explorer.  These fixes were already coded and were slated to be released in the August patch cycle – however, due to the expedited IE patch for the ATL-Killbit issue, these three fixes were included in the out of band release.

The IE patch includes severity ratings for the three remote code execution flaws – rated as Critical on some versions of IE and Moderate on others.  The 09-034 IE patch does NOT include severity ratings for the defense in depth changes that Microsoft implemented to protect against the vulnerable ActiveX controls.  Even though some systems may only be rated as Moderate with respect to the IE patch, Microsoft encourages customers to install the IE patch as soon as possible as it does include the protections for the ATL and killbit bypass issues discussed above.


2 Responses so far »

  1. 1

    David said,


    You should consider using another font color on your text with more contrast; this is quite hard to read.

    BTW good blog.


  2. 2

    ericschu said,

    Thanks David,

    This is a new blog site for us and we’re still working out the kinks in the CSS. I’ll ask that the web team take a look at this. Glad you appreciate the content.
