Stephen Withers
Wednesday, 29 July 2009 04:23
Unfortunately, one of the three ATL vulnerabilities makes it possible to bypass the kill bit mechanism that is supposed to prevent the use of vulnerable ActiveX controls in Internet Explorer. A recent example is the kill bit for the Microsoft Video ActiveX control that was set in this month's Patch Tuesday updates.
An ActiveX control containing an ATL vulnerability could thus be used to activate another control which can be exploited to take over the system.
And that's where the second out-of-cycle update comes in. An update for Internet Explorer blocks all known ATL vulnerabilities in controls loaded by the browser.
The IE update also introduces - but does not enable - a mechanism that blocks the use of the two interfaces involved in the ATL vulnerabilities. Users or administrators who choose to enable this feature may whitelist particular controls that are known to be safe.
In addition, the update addresses three vulnerabilities that can be exploited by maliciously crafted web pages to execute code with the same rights as the current user.
Available for IE 5, 6, 7 and 8, the update is regarded as critical on Windows 2000, XP and Vista, and moderate on Server 2003 and 2008.
So why did Microsoft rush out updates for vulnerabilities that are apparently not being actively exploited? After all, the active attack on the Microsoft Video ActiveX control had already been blocked by the July Patch Tuesday updates.
According to Jonathan Ness of the Microsoft Security Response Center, "with the Black Hat and Def Con security conference getting people together around the same watering hole, natural curiosity means that risk to customers could increase as more information is disclosed."