List:       patchmanagement
Subject:    Microsoft Security Advisory 973882, Microsoft Security Bulletins MS09-034 and MS09-035 Released
From:       Susan Bradley <sbradcpa () pacbell ! net>
Date:       2009-07-28 17:09:21
Message-ID: 4A6F30C1.1090306 () pacbell ! net

The Microsoft Security Response Center (MSRC) : Microsoft Security 
Advisory 973882, Microsoft Security Bulletins MS09-034 and MS09-035 
Released:
http://blogs.technet.com/msrc/archive/2009/07/28/microsoft-security-advisory-973882-microsoft-security-bulletins-ms09-034-and-ms09-035-released.aspx


Today, we’re releasing guidance and security updates 
<http://www.microsoft.com/atl> to help better protect customers from 
responsibly reported security vulnerabilities discovered in the 
Microsoft Active Template Library (ATL).

Because libraries function as building blocks that can be used to build 
software, vulnerabilities in software libraries can be complex issues 
and benefit from what we call community based defense – broad 
collaboration and action from Microsoft, the security community and 
industry. Because of this, in addition to the updates and guidance we’re 
releasing today, we’ve been actively engaged with the industry through 
programs like the Microsoft Active Protections Program (MAPP) 
<http://www.microsoft.com/security/msrc/collaboration/mapp.aspx>, 
Microsoft Security Vulnerability Research (MSVR) and working with 
organizations such as Industry Consortium for the Advancement of 
Security on the Internet (ICASI) <http://www.icasi.org/> to provide a 
broad, industry-wide response to help better protect customers. While 
this is a complex issue, we believe a broad, industry-wide response can 
help minimize the impact to customers.

The vulnerability that we addressed with Microsoft Security Bulletin 
MS09-032 
<http://www.microsoft.com/technet/security/bulletin/ms09-032.mspx> was a 
result of this issue. While that issue was attacked before a security 
update was released, that is the only known attack that we’re aware of 
against an issue related to vulnerabilities in the ATL. However, we are 
releasing our guidance and updates outside of our regular monthly 
release cycle because our updates are of appropriate quality for broad 
distribution, we are aware of one attack which was addressed through 
MS09-032, and we believe that there is a greater risk to customer safety 
from broader disclosure of this issue if we wait until our next 
scheduled release on August 11, 2009.

We have focused our efforts on this issue around two main fronts:

1. Helping developers to identify and address instances where the ATL 
vulnerability manifests in their controls or components

2. Mitigating the impact of future attacks on customers

Some of the steps that we’re taking to help developers include:

1. Releasing MS09-035 
<http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx> for 
Visual Studio which provides an updated copy of the ATL that developers 
can use to build new controls and components if needed. /It is important 
to note that not all controls built using the vulnerable versions of the 
ATL are vulnerable – this will depend on decisions the developer made 
when building the control or component./

2. Posting a special developer resource page 
<http://msdn.microsoft.com/en-us/library/3ax346b7%28VS.71%29.aspx> with 
detailed information on how developers can identify if their control or 
component is exploitable using the vulnerabilities in the ATL

3. Working with ICASI who is partnering with Verizon Business to offer 
customers a no-charge service that will scan developers’ controls and 
components and provide initial indications if the control or component 
is vulnerable and what potential next steps customers or developers 
should take to modify the control.

4. Working with vendors responsible for widely used controls and 
components through our Microsoft Security Vulnerability Research to help 
them identify and address instances where the ATL vulnerability 
manifests in their controls or components.

5. Reiterating our commitment to third party developers to set 
“killbits” for their ActiveX controls on request in a Microsoft Update.

Some of the steps we’re taking to mitigate the impact of future attacks 
on customers include:

1. Releasing MS09-034 
<http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx> for 
Internet Explorer. While Internet Explorer is not itself vulnerable to 
the ATL issue, the IE team has built a defense-in-depth change that can 
help protect against attempts to attack controls or components 
containing the ATL vulnerabilities. More detailed information on how 
this works is provided at the Security Research and Defense blog 
<http://blogs.technet.com/srd/>. This update also addresses an issue 
where attackers can attempt to bypass the “killbit” protections in IE. 
Finally, this update also addresses three unrelated, responsibly 
disclosed vulnerabilities.

2. Providing information to our MAPP partners to help ensure security 
protection providers have key technical information to help them build 
protections for customers more quickly.

3. Committing to set “killbits” in a Microsoft Update for vulnerable 
third-party ActiveX controls identified as vulnerable or under attack 
when no vendor can be identified.

Home Users and IT Pros should go ahead and deploy the IE update, MS09-034 
<http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx> so 
they can benefit from the protections it introduces. Additionally, 
Internet Explorer 8 provides additional security enhancements that can 
further lessen the impact of this issue. There are more details on that at 
the Security Research and Defense blog <http://blogs.technet.com/srd/>. 
Also, enabling automatic updates for third-party software (where 
available) may help you get the latest updates for those products.

Developers should take the same steps as home users and IT Pros but 
should also review the information we’ve provided to help you determine 
if the ATL vulnerability manifests in your component or control. 
Additionally, you should consider using the service offered by ICASI who 
is partnering with Verizon Business to identify any components or 
controls that are vulnerable.

Because we know folk will have additional questions, we’ve posted 
additional information on our security blogs. Our colleagues at the 
Security Research and Defense blog <http://blogs.technet.com/srd/> have 
several posts related to this that Jonathan Ness points to in his 
overview post. Michael Howard over at the SDL blog 
<http://blogs.msdn.com/sdl/> has one going into some more detail around 
the actual underlying issue. And, finally, Ryan Smith, Mark Dowd and 
David Dewey, the security researchers who brought this issue to us, 
discuss their work on the issue with us over at the BlueHat blog 
<http://blogs.technet.com/bluehat/archive/2009/07/27/black-hat-usa-atl-killbit-bypass.aspx>.


Our worldwide security teams have been mobilized working around the 
clock to deliver these protections to customers and we will be 
continuing to watch the threat landscape closely. We will work closely 
with our partners in the industry and notify customers with any new 
information about this situation through our security advisory and the 
MSRC weblog <http://blogs.technet.com/msrc>.

Thanks.

Christopher
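The post above refers several times to setting "killbits" for ActiveX controls. The following PowerShell script is an added example, not part of the MSRC post or of any Microsoft update: it reports, for a list of CLSIDs, whether the killbit (bit 0x400 of the "Compatibility Flags" value under the ActiveX Compatibility registry key) is set on the local machine, so an administrator can verify that a deployed killbit update actually took effect. The CLSID in the default parameter is a placeholder; substitute the CLSIDs named in the relevant bulletin or vendor advisory.

```powershell
# Added example (not from the MSRC post): audit IE killbit status for given ActiveX CLSIDs.
# The killbit is the 0x400 bit of the REG_DWORD "Compatibility Flags" stored under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# The default CLSID below is a placeholder, not a real control.
param(
    [string[]]$Clsid = @('{00000000-0000-0000-0000-000000000000}')
)

$KillBit = 0x400
$Bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit registry view on 64-bit Windows; 32-bit IE reads killbits from here.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param([string]$Base, [string]$Id)
    $key = Join-Path -Path $Base -ChildPath $Id
    # -LiteralPath so the braces in the CLSID are never treated as wildcards.
    if (-not (Test-Path -LiteralPath $key)) { return 'no entry' }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $flags = $props.'Compatibility Flags'
    if ($null -eq $flags) { return 'entry present but no Compatibility Flags value' }
    if (($flags -band $KillBit) -ne 0) {
        return ('killbit SET    (Compatibility Flags = 0x{0:X})' -f $flags)
    }
    return ('killbit NOT set (Compatibility Flags = 0x{0:X})' -f $flags)
}

foreach ($id in $Clsid) {
    foreach ($base in $Bases) {
        if (Test-Path -LiteralPath $base) {
            '{0}  [{1}]  {2}' -f $id, $base, (Test-KillBit -Base $base -Id $id)
        }
    }
}
```

Run it with `-Clsid '{...}','{...}'` for each control in scope; a control that shows "killbit NOT set" in either registry view can still be instantiated by the corresponding IE bitness.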