Remote code vulnerability in programs built with Visual Studio
by David M Williams
Wednesday, 12 August 2009
This week Microsoft pushed out a regular assortment of Windows updates, but one in particular caught my eye. It was an important security update for Visual Studio. The description said an attacker could compromise your Windows-based system – with Visual Studio? Actually, no; the truth is worse, when good programs go bad.
No doubt you’ve seen that message even if you don’t make a habit of reading the descriptions on all the updates queuing for your system. What makes this one – KB973675 – particularly unexpected is that it is a Visual Studio vulnerability.

Visual Studio is Microsoft’s primary software development environment. It is used to write computer programs in languages like C++, C#, Visual Basic.NET and others. While it is not uncommon to learn of exploitable vulnerabilities in mail and web servers or other products that are generally exposed to the Internet – like web browsers – it is definitely not common to be told you are putting your system at risk by running a development environment.

The update addresses Microsoft security bulletin MS09-035, with a threat risk of moderate. It turns out the offending portion is not actually Visual Studio itself – so, no, merely firing up Visual Studio hasn’t become a risky proposition.

Actually, the real problem is worse. The vulnerability is within the Active Template Library (ATL), which is a redistributable package accompanying Visual Studio versions from 2003 through 2005 and 2008. Programs built within Visual Studio that make use of ATL functionality all carry the flaw. Like a river, these programs have been distributed out to computers worldwide. Consequently, while the update is labelled as being for Visual Studio, the vulnerability exists in legions of “CorporateApp1” style programs on a desktop near you.

Fortunately, the update may be applied to any Windows-based computer irrespective of whether Visual Studio is installed or not. Enterprise administrators or home users may wish to install this update manually or via the Microsoft Update service.