David M Williams
Wednesday, 12 August 2009 09:26
This week Microsoft pushed out a regular assortment of Windows updates but one in particular caught my eye. It was an important security update for Visual Studio. The description said an attacker could compromise your Windows-based system – with Visual Studio? Actually, no; the truth is worse, when good programs go bad.
Microsoft employees could almost claim repetitive strain injury for the number of times they must copy-and-paste “A security issue has been identified that could allow an attacker to compromise your Windows-based system ... and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.”
No doubt you’ve seen that message even if you don’t make a habit of reading descriptions on all the updates queuing for your system. What makes this one – KB973675 – particularly unexpected is that it is a Visual Studio vulnerability.
Visual Studio is Microsoft’s primary software development environment. It is used to write computer programs in languages like C++, C#, Visual Basic.NET and others.
While it is not uncommon to learn of exploitable vulnerabilities in mail and web servers or other products that are generally exposed to the Internet – like web browsers – it is definitely not common to be told you are putting your system at risk by running a development environment.
The update addresses Microsoft security bulletin MS09-035, rated at a threat risk of moderate.
It turns out the offending portion is not actually Visual Studio itself – so, no, merely firing up Visual Studio hasn’t become a risky proposition.
Actually, the real problem is worse. The vulnerability is within the Active Template Library (ATL), a redistributable package that accompanies Visual Studio 2003, 2005 and 2008.
Every program built with Visual Studio that makes use of ATL functionality carries the flaw. Like a river, those programs have flowed out to computers worldwide. Consequently, while the update is labelled as being for Visual Studio, the vulnerability exists in legions of “CorporateApp1” style programs on a desktop near you.
Fortunately, the update may be applied to any Windows-based computer irrespective of whether Visual Studio is installed. Enterprise administrators and home users may wish to install this update manually or through the Microsoft Update service.