Microsoft Security Advisory (973882)

Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution

 

Version: 1.0

Microsoft is releasing this security advisory to provide information about our ongoing investigation into vulnerabilities in the public and private versions of Microsoft’s Active Template Library (ATL). This advisory also provides guidance as to what developers can do to help ensure that the controls and components they have built are not vulnerable to the ATL issues; what IT Professionals and consumers can do to mitigate potential attacks that use the vulnerabilities; and what Microsoft is doing as part of its ongoing investigation into the issue described in this advisory. This security advisory will also provide a comprehensive listing of all Microsoft Security Bulletins and Security Updates related to the vulnerabilities in ATL. Microsoft’s investigation into the private and public versions of ATL is ongoing, and we will release security updates and guidance as appropriate as part of the investigation process.

Microsoft is aware of security vulnerabilities in the public and private versions of ATL. The Microsoft ATL is used by software developers to create controls or components for the Windows platform. The vulnerabilities described in this Security Advisory and Microsoft Security Bulletin MS09-035 could result in information disclosure or remote code execution attacks for controls and components built using vulnerable versions of the ATL. Components and controls created with the vulnerable version of ATL may be exposed to a vulnerable condition due to how ATL is used or due to issues in the ATL code itself.

Developer Guidance: Microsoft has corrected the issues in the public headers of ATL and released updates to the libraries in bulletin MS09-035 “Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution.” Microsoft strongly recommends that developers who have built controls or components with ATL take immediate action to evaluate their controls for exposure to a vulnerable condition and follow the guidance provided to create controls and components that are not vulnerable. For more information on the vulnerabilities and guidance to address issues in ATL, see MS09-035, “Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution.”

IT Professional and Consumer Guidance: To help better protect customers while developers update their components and controls, Microsoft has developed a new defense-in-depth technology. This new defense-in-depth technology built into Internet Explorer helps to protect customers from future attacks using the Microsoft Active Template Library vulnerabilities described in this Advisory and Microsoft Security Bulletin MS09-035. To benefit from this new defense-in-depth technology, IT Professionals and consumers should immediately deploy the Internet Explorer Security Update offered in Microsoft Security Bulletin MS09-034, “Cumulative Security Update for Internet Explorer.”

This security update includes a mitigation that prevents components and controls built using the vulnerable ATL from being exploited in Internet Explorer, as well as addressing multiple unrelated vulnerabilities. The new defense-in-depth protections offered in MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8. These defense-in-depth protections monitor and help prevent the successful exploitation of all known public and private ATL vulnerabilities, including the vulnerabilities that could lead to bypassing ActiveX’s kill bit security feature. These protections are designed to help protect customers from Web-based attacks.

Home User Guidance: To help better protect customers while developers update their components and controls, Microsoft has developed a new defense-in-depth technology.This new defense-in-depth technology built into Internet Explorer with the new update helps to protect customers from future attacks using the Microsoft Active Template Library vulnerabilities described in this Advisory and Microsoft Security Bulletin MS09-035. Home users signed up for Automatic Updates will receive the new Internet Explorer update automatically and do not have to take any further action. Home Users will automatically be better protected from future attacks against the vulnerabilities addressed in this Security Advisory and in Microsoft Security Bulletin MS09-035.

Mitigating Factors for Controls and Components built using vulnerable version of Microsoft’s Active Template Library (ATL):

By default, the majority of ActiveX controls are not included in the default allow-list for ActiveX controls in Internet Explorer 7 or Internet Explorer 8 running on Windows Vista or later operating systems. Only customers who have explicitly approved vulnerable controls by using the ActiveX opt-in feature are at risk to attempts to exploit this vulnerability. However, if a customer has used such ActiveX controls in a previous version of Internet Explorer, and then later upgraded to Internet Explorer 7 or Internet Explorer 8, then these ActiveX controls are enabled to work in Internet Explorer 7 and Internet Explorer 8, even if the customer has not explicitly approved it using the ActiveX opt-in feature.

By default, Internet Explorer 8 offers enhanced protections by enabling DEP/NX memory protections for users on Windows XP Service Pack 3, Windows Vista Service Pack 1 and Windows Vista Service Pack 2, and Windows 7.

By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.

By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker’s Web site.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Updates related to ATL:

Updates released on July 28, 2009

Microsoft Security Bulletin MS09-035, “Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution,” goes into further detail about the specific vulnerabilities in ATL and provides the updated public ATL headers for vendors to develop updated components and controls. Our investigation has shown that there are Microsoft and third-party components and controls that are affected by this issue and that these components and controls exist on all supported editions of Windows 2000 Service Pack 4, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Developers who used vulnerable versions of the ATL when building controls or components should review this bulletin and take immediate action if their controls are vulnerable.

Microsoft Security Bulletin MS09-034, “Cumulative Security Update for Internet Explorer,” includes a mitigation that prevents components and controls built using the vulnerable ATL from being exploited in Internet Explorer, as well as addressing multiple unrelated vulnerabilities. The new defense in depth protections offered in MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8. These defense-in-depth protections monitor and help prevent the successful exploitation of all known public and private ATL vulnerabilities, including the vulnerabilities that could lead to bypassing ActiveX’s kill bit security feature. These protections are designed to help protect customers from Web-based attacks.

We are not aware of any methods or controls included with Windows 7 that would allow attacks to be successful through Internet Explorer.

Update released on July 14, 2009

Microsoft Security Bulletin MS09-032, “Cumulative Security Update of ActiveX Kill Bits,” provided ActiveX security measures (a kill bit) that prevented the msvidctl control from running in Internet Explorer. The exploit in msvidcntl took advantage of a vulnerability in the private version of ATL. In this specific instance, the vulnerability allows an attacker to corrupt memory, which may lead to a remote code execution. The kill bits issued in the June release for msvidctl (MS09-032) will block the public exploits as described here.

To read more about this security alert……. Microsoft Security Alert (973882)

Founder & CEO, Ntirety

www.ntirety.com

My Personal Twitter Account: Michael_Corey

Ntirety Corporate Twitter Account: Ntirety

 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.