Michael Corey's Database Virtualization/Database Administration as a Service® Blog


Microsoft Security Advisory (973882)

Posted on Wed, Jul 29, 2009 @ 09:48 AM

Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution


Version: 1.0

Microsoft is releasing this security advisory to provide information about our ongoing investigation into vulnerabilities in the public and private versions of Microsoft's Active Template Library (ATL). This advisory also provides guidance as to what developers can do to help ensure that the controls and components they have built are not vulnerable to the ATL issues; what IT Professionals and consumers can do to mitigate potential attacks that use the vulnerabilities; and what Microsoft is doing as part of its ongoing investigation into the issue described in this advisory. This security advisory will also provide a comprehensive listing of all Microsoft Security Bulletins and Security Updates related to the vulnerabilities in ATL. Microsoft's investigation into the private and public versions of ATL is ongoing, and we will release security updates and guidance as appropriate as part of the investigation process.

Microsoft is aware of security vulnerabilities in the public and private versions of ATL. The Microsoft ATL is used by software developers to create controls or components for the Windows platform. The vulnerabilities described in this Security Advisory and Microsoft Security Bulletin MS09-035 could result in information disclosure or remote code execution attacks for controls and components built using vulnerable versions of the ATL. Components and controls created with the vulnerable version of ATL may be exposed to a vulnerable condition due to how ATL is used or due to issues in the ATL code itself.

Developer Guidance: Microsoft has corrected the issues in the public headers of ATL and released updates to the libraries in bulletin MS09-035 "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution." Microsoft strongly recommends that developers who have built controls or components with ATL take immediate action to evaluate their controls for exposure to a vulnerable condition and follow the guidance provided to create controls and components that are not vulnerable. For more information on the vulnerabilities and guidance to address issues in ATL, see MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution."

IT Professional and Consumer Guidance: To help better protect customers while developers update their components and controls, Microsoft has developed a new defense-in-depth technology. This new defense-in-depth technology built into Internet Explorer helps to protect customers from future attacks using the Microsoft Active Template Library vulnerabilities described in this Advisory and Microsoft Security Bulletin MS09-035. To benefit from this new defense-in-depth technology, IT Professionals and consumers should immediately deploy the Internet Explorer Security Update offered in Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer."

This security update includes a mitigation that prevents components and controls built using the vulnerable ATL from being exploited in Internet Explorer, as well as addressing multiple unrelated vulnerabilities. The new defense-in-depth protections offered in MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8. These defense-in-depth protections monitor and help prevent the successful exploitation of all known public and private ATL vulnerabilities, including the vulnerabilities that could lead to bypassing ActiveX's kill bit security feature. These protections are designed to help protect customers from Web-based attacks.

Home User Guidance: To help better protect customers while developers update their components and controls, Microsoft has developed a new defense-in-depth technology. This new defense-in-depth technology built into Internet Explorer with the new update helps to protect customers from future attacks using the Microsoft Active Template Library vulnerabilities described in this Advisory and Microsoft Security Bulletin MS09-035. Home users signed up for Automatic Updates will receive the new Internet Explorer update automatically and do not have to take any further action. Home Users will automatically be better protected from future attacks against the vulnerabilities addressed in this Security Advisory and in Microsoft Security Bulletin MS09-035.

Mitigating Factors for Controls and Components built using vulnerable version of Microsoft's Active Template Library (ATL):

By default, the majority of ActiveX controls are not included in the default allow-list for ActiveX controls in Internet Explorer 7 or Internet Explorer 8 running on Windows Vista or later operating systems. Only customers who have explicitly approved vulnerable controls by using the ActiveX opt-in feature are at risk to attempts to exploit this vulnerability. However, if a customer has used such ActiveX controls in a previous version of Internet Explorer, and then later upgraded to Internet Explorer 7 or Internet Explorer 8, then these ActiveX controls are enabled to work in Internet Explorer 7 and Internet Explorer 8, even if the customer has not explicitly approved it using the ActiveX opt-in feature.

By default, Internet Explorer 8 offers enhanced protections by enabling DEP/NX memory protections for users on Windows XP Service Pack 3, Windows Vista Service Pack 1 and Windows Vista Service Pack 2, and Windows 7.

By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.

By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Updates related to ATL:

Updates released on July 28, 2009

Microsoft Security Bulletin MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution," goes into further detail about the specific vulnerabilities in ATL and provides the updated public ATL headers for vendors to develop updated components and controls. Our investigation has shown that there are Microsoft and third-party components and controls that are affected by this issue and that these components and controls exist on all supported editions of Windows 2000 Service Pack 4, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Developers who used vulnerable versions of the ATL when building controls or components should review this bulletin and take immediate action if their controls are vulnerable.

Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer," includes a mitigation that prevents components and controls built using the vulnerable ATL from being exploited in Internet Explorer, as well as addressing multiple unrelated vulnerabilities. The new defense-in-depth protections offered in MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8. These defense-in-depth protections monitor and help prevent the successful exploitation of all known public and private ATL vulnerabilities, including the vulnerabilities that could lead to bypassing ActiveX's kill bit security feature. These protections are designed to help protect customers from Web-based attacks.

We are not aware of any methods or controls included with Windows 7 that would allow attacks to be successful through Internet Explorer.

Update released on July 14, 2009

Microsoft Security Bulletin MS09-032, "Cumulative Security Update of ActiveX Kill Bits," provided ActiveX security measures (a kill bit) that prevented the msvidctl control from running in Internet Explorer. The exploit in msvidctl took advantage of a vulnerability in the private version of ATL. In this specific instance, the vulnerability allows an attacker to corrupt memory, which may lead to a remote code execution. The kill bits issued in the June release for msvidctl (MS09-032) will block the public exploits as described here.
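As an added example (not part of the Microsoft advisory or of this post), the following PowerShell audits the Internet Explorer ActiveX Compatibility registry keys in which kill bits live, so an administrator can verify that a control such as msvidctl is actually blocked after MS09-032 and baseline which controls carry a kill bit. The CLSID at the bottom is a placeholder (the advisory does not list msvidctl's CLSID), and the Wow6432Node path is an assumption covering 32-bit Internet Explorer on 64-bit Windows.

```powershell
# Added example, not from the advisory: audit Internet Explorer ActiveX kill bits.
# A kill bit is the 0x400 bit of the 'Compatibility Flags' DWORD under the control's
# CLSID key in 'ActiveX Compatibility' (documented in Microsoft KB 240797).
$KillBitFlag = 0x400
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'  # 32-bit IE on x64 (assumed)
)

function Get-KillBitStatus {
    # Reports whether a single CLSID has the kill bit set in any of the compatibility hives.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $CompatKeys) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { continue }
        $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags) {
            return [pscustomobject]@{
                Clsid   = $Clsid
                Hive    = $base
                Flags   = ('0x{0:X}' -f $flags)
                KillBit = (($flags -band $KillBitFlag) -ne 0)
            }
        }
    }
    # No entry at all: the control is not blocked by a kill bit.
    return [pscustomobject]@{ Clsid = $Clsid; Hive = $null; Flags = $null; KillBit = $false }
}

function Get-AllKillBittedControls {
    # Enumerates every CLSID that currently carries the kill bit, for a baseline report.
    foreach ($base in $CompatKeys) {
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem -Path $base | ForEach-Object {
            $flags = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $flags -and (($flags -band $KillBitFlag) -ne 0)) {
                [pscustomobject]@{ Clsid = $_.PSChildName; Hive = $base; Flags = ('0x{0:X}' -f $flags) }
            }
        }
    }
}

# Placeholder CLSID (NOT msvidctl's real CLSID; substitute the one from the bulletin).
Get-KillBitStatus -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-List
Get-AllKillBittedControls | Sort-Object Clsid | Format-Table -AutoSize
```

Run it in an elevated session only if you also want to compare against HKLM policy keys; reading these keys itself needs no elevation.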

To read more about this security alert: Microsoft Security Alert (973882)


Founder & CEO, Ntirety

www.ntirety.com

My Personal Twitter Account: Michael_Corey

Ntirety Corporate Twitter Account: Ntirety


Oracle announced a 40 percent price increase

Posted on Sat, Jul 25, 2009 @ 08:14 AM

When I saw this, I just could not believe it. A 40% price increase in this business climate. Give it a break. It is no wonder Microsoft SQL Server is the fastest growing database in the market.

Since SQL Server 2005, Microsoft has given us a database that can keep up with Oracle at all levels. When it comes to price performance there is no competition; Microsoft SQL Server wins hands down.



Well, leave it to Oracle to give us a 40% increase in the worst economy in over 40 years.
Well, here is the article that caught my attention:

Oracle cranks up some prices 40%



The End Of Sun

Posted on Sun, Jul 19, 2009 @ 06:59 PM

I was on the DBA Twibe (Twitter DBA Twibe) when I saw this tweet from craigmullins. It was a reference to an article on the End of Sun. The article was really well done. Here is the opening of the article:

"At 10:05 a.m. Pacific time today, Sun Microsystems' fate was sealed. At that exact moment, shareholder voting closed, and the motion to accept the acquisition offer from Oracle was approved. There was little fanfare. Jonathan Schwartz, Sun's CEO, and Scott McNealy, its chairman, were both absent. Schwartz was said to be sick. I can't help but think it was psychosomatic."

To read the entire article in SDTIMES by Alex Handy:

The End of SUN

Oracle Critical Patch and Security Alerts List

Posted on Wed, Jul 15, 2009 @ 09:23 PM

Critical Patch Updates and Security Alerts


This page lists security patches, in the form of Critical Patch Updates (CPUs) and Security Alerts, that Oracle has released. The page is updated when new Critical Patch Updates and Security Alerts are released, and it is possible to receive notification of releases by email.

Click here for instructions on how to configure email notifications.
Click here to read the Technical White Paper, "Critical Patch Update Implementation Best Practices"

Critical Patch Updates

To see the most current list:

Oracle Critical Patch and Security Alerts List


ORACLE DBA TIP - Online Documentation

Posted on Thu, Jul 09, 2009 @ 09:50 PM

On July 7th, I wrote a SQL Server DBA Tip. It was how to get a copy of the SQL Server documentation. Surachart Opun, a friend of mine in the Oracle world, reminded me of the Oracle online documentation and how to get it.

I remember once hearing that Albert Einstein did not remember his own phone number because he did not want to clutter his brain with things he could look up when he needed them. 


Having access to database documentation is a valuable resource for any DBA.

Oracle Documentation

This page contains links to the most current documentation for Oracle Database, Application Server, Developer Suite, Collaboration Suite and Applications/E-Business Suite.

Online Oracle Documentation Set


July 4th in Washington DC

Posted on Tue, Jul 07, 2009 @ 01:27 PM

This July 4th I was able to be in Washington DC for the festivities. Being from Boston, which is a city that celebrates July 4th in a big way, I was not sure if anything would ever top a celebration like the ones I have experienced growing up. Being in our nation's capital during July 4th was simply amazing. It is something everyone in the United States should put on their bucket list and do before they die.



I started off July 3rd taking the time to see all the national monuments. It was a perfect day to see them. The weather was hot but not too hot. The words “Freedom is not free” still echo in my mind. As Americans we enjoy a level of freedom that is unheard of in a good part of the world. As I walked through the many monuments, from the Korean War Memorial and the World War II Memorial to the Vietnam Memorial, I could still hear the words “Freedom is not Free” ringing in my head.


As I listened to the man tell the story of the Vietnam Memorial and what happened to get it built, I was taken away. I remember as a kid seeing the war on TV. I remember the body count. I remember how close my older brother came to going. This was a war that tore the United States in two.


So when it was decided to build the Vietnam Memorial, great steps were taken to take the controversy out of it. None of the judges were Vietnam vets. The judges had to do a blind selection. Great steps were taken to avoid any controversy, yet what did we get? Huge controversy. The judges all settled on the same design. It was by Maya Ying Lin, born of Chinese descent. Her parents fled China in 1949 when Mao Tse-tung took control of China. The idea of a person of Chinese descent designing the memorial did not go down well with many vets. Even though her design was chosen, it had to be defended. She had to go to Congress herself and defend her design to get it built.



The names are presented in chronological order starting in the middle, so that the last soldier in the war meets the first soldier. It’s in black granite so that you see your own reflection when looking at the wall. I could go on and on. Suffice to say, freedom is not free.


On July 4th, we went to the opening ceremony, which starts with a reading of the Declaration of Independence. It was a perfect way to start my July 4th. The ceremony took place outside the home of the Declaration of Independence, the National Archives. We then stayed for the parade. What really struck me in the parade was how diverse a group we are. A comment that was made during the presentation was how, when you become an American citizen, you are immediately granted the same rights and privileges as every American citizen. Except for being President of the United States, there is no limit. Only a natural-born citizen can become President.




We took a stop at the White House. Our timing was perfect: we were there when President Obama and his family were returning. We also spent some time in the many national museums. We ended the day seeing the fireworks; they were the best fireworks I have ever seen.


The next day, my friend who serves in the Army gave us a tour of the Pentagon. It was a great trip. It made me feel proud to be an American. Yet the words “Freedom is not free” keep echoing in my head.



SQL SERVER DBA TIP - SQL Server Books Online

Posted on Tue, Jul 07, 2009 @ 10:54 AM

I was in the office today and we are doing some training. The DBAs were swapping best practices. One of the senior SQL Server DBAs made the comment, “I use my SQL Server Books Online each and every day”.
When I heard that comment I thought it made sense to share it. So I asked the person to send me the link. Here are the links so you can have your very own copy of the SQL Server documentation.


Here is a brief description:


Download Books Online for Microsoft SQL Server 2008, the primary documentation for SQL Server 2008. Books Online includes the following types of information:

    * Setup and upgrade instructions.
    * Information about new features and backward compatibility.
    * Conceptual descriptions of the technologies and features in SQL Server 2008.
    * Procedural topics describing how to use the various features in SQL Server 2008.
    * Tutorials that guide you through common tasks.
    * Reference documentation for the graphical tools, command prompt utilities, programming languages, and application programming interfaces (APIs) that are supported by SQL Server 2008.
Now the important part, the links:

SQL Server 2008 Books Online Link:

SQL Server 2008 Books Online

SQL Server 2005 Books Online Link:

SQL Server 2005 Books Online
