Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
Version: 1.0
Microsoft is releasing this security
advisory to provide information about our ongoing investigation into
vulnerabilities in the public and private versions of Microsoft's
Active Template Library (ATL). This advisory also provides guidance as
to what developers can do to help ensure that the controls and
components they have built are not vulnerable to the ATL issues; what
IT Professionals and consumers can do to mitigate potential attacks
that use the vulnerabilities; and what Microsoft is doing as part of
its ongoing investigation into the issue described in this advisory.
This security advisory will also provide a comprehensive listing of all
Microsoft Security Bulletins and Security Updates related to the
vulnerabilities in ATL. Microsoft's investigation into the private and
public versions of ATL is ongoing, and we will release security updates
and guidance as appropriate as part of the investigation process.
Microsoft is aware of security vulnerabilities in the public and private versions
of ATL. The Microsoft ATL is used by software developers to create
controls or components for the Windows platform. The vulnerabilities
described in this Security Advisory and Microsoft Security Bulletin MS09-035
could result in information disclosure or remote code execution attacks
for controls and components built using vulnerable versions of the ATL.
Components and controls created with the vulnerable version of ATL may
be exposed to a vulnerable condition due to how ATL is used or due to
issues in the ATL code itself.
Developer Guidance: Microsoft has corrected the issues in the public headers of ATL and released updates to the libraries in bulletin MS09-035
"Vulnerabilities in Visual Studio Active Template Library Could Allow
Remote Code Execution." Microsoft strongly recommends that developers
who have built controls or components with ATL take immediate action to
evaluate their controls for exposure to a vulnerable condition and
follow the guidance provided to create controls and components that are
not vulnerable. For more information on the vulnerabilities and
guidance to address issues in ATL, see MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution."
IT Professional and Consumer Guidance:
To help better protect customers while developers update their
components and controls, Microsoft has developed a new defense-in-depth
technology. This new defense-in-depth technology built into Internet
Explorer helps to protect customers from future attacks using the
Microsoft Active Template Library vulnerabilities described in this
Advisory and Microsoft Security Bulletin MS09-035. To benefit from this
new defense-in-depth technology, IT Professionals and consumers should
immediately deploy the Internet Explorer Security Update offered in
Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer."
This security update includes a mitigation that prevents components and
controls built using the vulnerable ATL from being exploited in
Internet Explorer, as well as addressing multiple unrelated
vulnerabilities. The new defense-in-depth protections offered in
MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6
and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and
Internet Explorer 8. These defense-in-depth protections monitor and
help prevent the successful exploitation of all known public and
private ATL vulnerabilities, including the vulnerabilities that could
lead to bypassing ActiveX's kill bit security feature. These
protections are designed to help protect customers from Web-based
attacks.
Home User Guidance: To help better protect
customers while developers update their components and controls,
Microsoft has developed a new defense-in-depth technology. This new
defense-in-depth technology built into Internet Explorer with the new
update helps to protect customers from future attacks using the
Microsoft Active Template Library vulnerabilities described in this
Advisory and Microsoft Security Bulletin MS09-035. Home users signed up
for Automatic Updates will receive the new Internet Explorer update
automatically and do not have to take any further action. Home Users
will automatically be better protected from future attacks against the
vulnerabilities addressed in this Security Advisory and in Microsoft
Security Bulletin MS09-035.
Mitigating Factors for Controls and Components built using a vulnerable version of Microsoft's Active Template Library (ATL):
• By default, the majority of ActiveX controls are not included in the
default allow-list for ActiveX controls in Internet Explorer 7 or
Internet Explorer 8 running on Windows Vista or later operating
systems. Only customers who have explicitly approved vulnerable
controls by using the ActiveX opt-in feature are at risk from attempts to
exploit this vulnerability. However, if a customer has used such
ActiveX controls in a previous version of Internet Explorer, and then
later upgraded to Internet Explorer 7 or Internet Explorer 8, then
these ActiveX controls are enabled to work in Internet Explorer 7 and
Internet Explorer 8, even if the customer has not explicitly approved
them using the ActiveX opt-in feature.
• By default, Internet Explorer 8 offers enhanced protections by enabling
DEP/NX memory protections for users on Windows XP Service Pack 3,
Windows Vista Service Pack 1 and Windows Vista Service Pack 2, and
Windows 7.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008
runs in a restricted mode that is known as Enhanced Security Configuration.
Enhanced Security Configuration is a group of preconfigured settings in
Internet Explorer that can reduce the likelihood of a user or
administrator downloading and running specially crafted Web content on
a server. This is a mitigating factor for Web sites that you have not
added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.
• By default, all supported versions of Microsoft Outlook and Microsoft
Outlook Express open HTML e-mail messages in the Restricted sites zone.
The Restricted sites zone helps mitigate attacks that could try to
exploit this vulnerability by preventing Active Scripting and ActiveX
controls from being used when reading HTML e-mail messages. However, if
a user clicks a link in an e-mail message, the user could still be
vulnerable to exploitation of this vulnerability through the Web-based
attack scenario.
• In a Web-based attack scenario, an attacker could host a Web site that
contains a Web page that is used to exploit this vulnerability. In
addition, compromised Web sites and Web sites that accept or host
user-provided content or advertisements could contain specially crafted
content that could exploit this vulnerability. In all cases, however,
an attacker would have no way to force users to visit these Web sites.
Instead, an attacker would have to persuade users to visit the Web
site, typically by getting them to click a link in an e-mail message or
instant messenger message that takes users to the attacker's Web site.
• An attacker who successfully exploited this vulnerability could gain the
same user rights as the local user. Users whose accounts are configured
to have fewer user rights on the system could be less impacted than
users who operate with administrative user rights.
Updates related to ATL:
Updates released on July 28, 2009
• Microsoft Security Bulletin MS09-035,
"Vulnerabilities in Visual Studio Active Template Library Could Allow
Remote Code Execution," goes into further detail about the specific
vulnerabilities in ATL and provides the updated public ATL headers for
vendors to develop updated components and controls. Our investigation
has shown that there are Microsoft and third-party components and
controls that are affected by this issue and that these components and
controls exist on all supported editions of Windows 2000 Service Pack
4, Windows XP, Windows Server 2003, Windows Vista, and Windows Server
2008. Developers who used vulnerable versions of the ATL when building
controls or components should review this bulletin and take immediate
action if their controls are vulnerable.
• Microsoft Security Bulletin MS09-034,
"Cumulative Security Update for Internet Explorer," includes a
mitigation that prevents components and controls built using the
vulnerable ATL from being exploited in Internet Explorer, as well as
addressing multiple unrelated vulnerabilities. The new defense-in-depth
protections offered in MS09-034 include updates to Internet Explorer
5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1,
Internet Explorer 7, and Internet Explorer 8. These defense-in-depth
protections monitor and help prevent the successful exploitation of all
known public and private ATL vulnerabilities, including the
vulnerabilities that could lead to bypassing ActiveX's kill bit
security feature. These protections are designed to help protect
customers from Web-based attacks.
• We are not aware of any methods or controls included with Windows 7 that
would allow attacks to be successful through Internet Explorer.
Update released on July 14, 2009
• Microsoft Security Bulletin MS09-032,
"Cumulative Security Update of ActiveX Kill Bits," provided ActiveX
security measures (a kill bit) that prevented the msvidctl control from
running in Internet Explorer. The exploit in msvidctl took advantage
of a vulnerability in the private version of ATL. In this specific
instance, the vulnerability allows an attacker to corrupt memory, which
may lead to remote code execution. The kill bits issued in the June
release for msvidctl (MS09-032) will block the public exploits as
described here.
To read more about this security alert, see Microsoft Security Alert (973882).
Founder & CEO, Ntirety
www.ntirety.com
My Personal Twitter Account: Michael_Corey
Ntirety Corporate Twitter Account: Ntirety