Security conferences trigger early release of Microsoft security patches

Stephen Withers
Wednesday, 29 July 2009 04:23

Business IT - Security

Rather than wait for August's Patch Tuesday, Microsoft has rushed out a pair of security bulletins ahead of the Black Hat and Defcon security conferences.

The out of cycle updates cover Visual Studio and Internet Explorer.

The core of the problem lies in the Microsoft Active Template Library (ATL) distributed with Visual Studio.

Visual Studio itself is not vulnerable, but controls and components built in Visual Studio using the ATL may be, depending on decisions made by the developer concerned.

According to Microsoft officials, the security impact of the vulnerabilities in affected applications would be critical or moderate as they provide an opportunity for remote code execution.

Updates are available for Visual Studio .NET 2003; Visual Studio 2005 and 2008; and the Visual C++ 2005 and 2008 Redistributable Packages.

It is up to developers to create and distribute new versions of software that use the ATL. Among the resources Microsoft is offering to developers is a flow chart to help determine whether a particular ActiveX control is vulnerable.

Microsoft has been working with the developers of widely used ActiveX controls to help them identify vulnerable items. The company has also reminded developers that it will set kill bits for their controls on request as part of a Microsoft Update.

Kill bits will also be set in this way for vulnerable controls that are under attack if their vendor cannot be identified.

What about Internet Explorer? See page 2.