Microsoft issues emergency patch for IE

Summary: Microsoft released an emergency patch to protect Internet Explorer users from a hole in technology used to build ActiveX controls and other web application components that has been targeted in attacks.

Microsoft released an emergency patch on Tuesday to protect Internet Explorer users from a hole in technology used to build ActiveX controls and other web application components that has been targeted in attacks.

A critical patch for all versions of IE will protect consumers, while a security update for Visual Studio will help developers fix the controls and components they built that could be affected.

Microsoft also has had discussions with Adobe, Sun and Google about some components involving their software that are affected, said Mike Reavey, director of the Microsoft Security Response Center. He declined to elaborate.

Internet Explorer users running Flash Player and Shockwave Player are vulnerable, Adobe said in a blog post that contains links to the Adobe security bulletins for those products.

A Google representative said the company has been working with Microsoft on the issues but declined to comment further. And a Sun representative did not respond to a call seeking comment.

Cisco will release free software updates for any of its software that is affected by the vulnerability and is making available workarounds that mitigate the issue, the company said in a detailed advisory.

The company released two security updates that deal with a vulnerability in Microsoft's Active Template Library, which is used to build components for web applications and which could be targeted to take control of the computers of web surfers visiting sites hosting malicious code.

The critical update, MS09-034, is targeted at IE users. The other update, MS09-035, is targeted at Visual Studio developers and is rated moderate. It affects Visual Studio 2005 and 2008.

"A library can get used in a lot of places, and vulnerabilities in libraries are challenging," Reavey said. "It's an industry-wide problem when [vulnerabilities] do happen."

"The vulnerability is in the controls, not IE; however, to provide protections while developers update the controls, IE (versions that are patched will block attacks)," he said.

The company warned on Friday that a security update would come on Tuesday instead of waiting for the next Patch Tuesday cycle on 11 August. This is only the ninth out-of-band release Microsoft has had, according to Reavey.

Microsoft first warned about the ActiveX issue on July 6, saying a vulnerability in its Video ActiveX Control could allow an attacker to take control of a PC if the user visits a malicious website and attackers were exploiting the hole. The company offered a workaround for the issue.

During the July Patch Tuesday release the following week, Microsoft still did not have a patch ready and was recommending a manual 'kill bit' method to disable ActiveX, or sending customers to a 'Fix it for me' website.
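The 'kill bit' the article refers to is a per-control registry flag that stops Internet Explorer from instantiating an ActiveX control. The script below is an added example, not part of the original article or any Microsoft guidance text; it audits whether the kill bit is set for a given CLSID and can set it without clobbering other compatibility flags. It uses the documented registry location and the 0x400 flag value; the CLSID in the usage line is a constructed placeholder, not the identifier of the control discussed in the article.

```powershell
# Added example (not from the article): audit and set the ActiveX kill bit.
# Registry location (documented in Microsoft KB240797):
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#   DWORD "Compatibility Flags"; bit 0x400 is the kill bit.
# The 64-bit Wow6432Node path is checked as well, since 32-bit IE reads it there.

$KillBitFlag = 0x400

function Get-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($p in $paths) {
        $flags = 0
        if (Test-Path $p) {
            $item = Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($item) { $flags = [int]$item.'Compatibility Flags' }
        }
        # One row per registry view: the control is blocked only where KillBit is True
        [pscustomobject]@{
            Path    = $p
            Flags   = ('0x{0:X}' -f $flags)
            KillBit = (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # Requires an elevated prompt. ORs the kill bit into the existing value so
    # other compatibility flags already set for the control are preserved.
    $p = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    $current = 0
    $item = Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($item) { $current = [int]$item.'Compatibility Flags' }
    New-ItemProperty -Path $p -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBitFlag) -Force | Out-Null
}

# Usage: audit a CLSID. This GUID is a CONSTRUCTED placeholder; substitute the
# CLSID listed in the vendor advisory for the control you want to check.
$placeholder = '{00000000-0000-0000-0000-000000000000}'
Get-ActiveXKillBit -Clsid $placeholder | Format-Table -AutoSize
```

The kill bit is a containment measure rather than a fix: it prevents IE from loading a specific control, but, as the article goes on to note, researchers found a way around the kill bit for this particular ATL issue, which is why the cumulative IE update and the rebuilt controls are the actual remediation. Auditing the flag is still useful for confirming that interim guidance was applied across a fleet.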

However, researchers figured out a way to get around the kill bit protection mechanism, thus rendering it ineffective and exposing the system to attack, said Eric Schultze, chief technology officer at Shavlik Technologies.

"Some security researchers found that they were able to bypass the kill bit function and still execute certain controls," Schultze said in a statement on Tuesday. "A presentation on how this is done is slated for tomorrow afternoon at the Black Hat Conference [in Las Vegas]."

Reavey said: "We were aware of limited attacks on the Microsoft kill bit control where the underlying issue was this vulnerability. As a result of those attacks we released the bulletin to protect customers...but that created chatter. We saw more details released and we had these updates ready so we released them now instead of waiting for [attacks] to get worse."

The IE patch also resolves three privately reported vulnerabilities that could allow remote code execution if a user views a specially crafted web page using the browser.

Tyler Reguly, senior security researcher for nCircle, criticised Microsoft for not fixing the underlying issue with a proper patch and said the update could put other software vendors at risk.

"Although Microsoft has protected against the kill bit bypass and has patched the public ATL vulnerabilities, there has been no mention or reference to fixing the issue in msvidctl.dll itself," he wrote in a statement.

"One has to question what the release of the ATL patch means for other software vendors," Reguly added. "We also have to wonder if they are now more vulnerable than they were previously. They now have to obtain this patch and recompile and release their tools.

"This means until that process can occur, malicious individuals can reverse the patches to pinpoint each of the vulnerabilities and target third-party software. It's a race to see who will get there first, and the vendors didn't get a head start."

In response, a Microsoft representative provided this comment: "As part of our overall response to the ATL issue, we are continuing our investigation for Microsoft components and controls that may be affected by the ATL issue and will update customers as appropriate throughout the process."

More information about the vulnerabilities and fixes in Microsoft advisory 973882 is available on the TechNet site.

This article was originally posted on CNET News.

Topics: Browser, Microsoft, Security

  • It says published yesterday but it just showed today

    strange but, I just got the patch today. It was on Windows Update as of midnight when I checked before going to bed.

    As of 10am it is strange.
  • RE: Microsoft issues emergency patch for IE

    At least it's patched, has Apple patched the iPhone yet?
    • Hmmm.....

      What is wrong with the iPhone?
  • RE: Microsoft issues emergency patch for IE

    Picked up the Trojan Horse day before yesterday and used the patch this AM. Virus all gone and everything is working fine. Saved me a new computer. I was going to do what thought for Win 7 and the virus caught me just before I started clean up. Yeah for MSN.
  • Last Big Update For IE 7

    Hope it works better this time. Last time I got like 7 updates for IE 7 I think it was around June 10. My computer kept locking up after installing them. I couldn't work it out on my own so I contacted MS and they said to reset to default on the browser. That worked then but I just installed the new cumulative update. We'll see.
  • RE: Microsoft issues emergency patch for IE

    Until Microsoft kills IE the internet cannot move forwared.
    How long is it going to take them to get html 5 and pass the
    acid test 100% in IE 8? IE 6 needs to no longer be supported and
    IE 7 should be close behind.
    • Now THAT's Power!

      "...the internet cannot move forwared[sic]"??

      Has anyone notified Al Gore about this?
  • No problems installing patch

    Installed smooth as silk.
    • IE fix

      It was so smooth, I forgot to do mine and it took it upon itself to install and reboot. Uh
  • RE: Microsoft issues emergency patch for IE

    Oh Yea! It crashed my computer part way through the installation and crippled my IE7 (took out the inetcpl.cpl file).
  • RE: Microsoft issues emergency patch for IE

    It wouldn't be a problem installing the patch except my computer has already crashed and won't come back on. Already looking to buy another laptop. I know nothing about how to fix these problems and I am already frustrated.
  • RE: Microsoft issues emergency patch for IE

    IS this why a newly installed IE8 on Vista is bombing about as fast as I open it with DEP errors??? SHeesh!!! Fix faults and cause your program to cease functioning... Since it's IE, that may not be a bad thing.

    Maybe I should just go back to IE7... better yet.... just move what I was actually using IE over Firefox, Opera, or Safari.

    Their fix has broken their product again.
  • 10yrs ago Active X was Declared a Disaster! lol

    The U.S. Government declared Active X a hazard 10yrs ago.
    What ever happened? Nothing.... not a darn thing was done
    to make it more secure back then or now. It shouldn't
    even be used. Except it's the only way M$ can keep a handle
    on us! ..that is if you use it. If you're really really
    smart, you use Linux or Firefox w/o any of that crap!
    • And yet Redmond fanboys here will tell you...

      ...HacktiveX is the best thing going since sliced bread.

      I even had one guy try to tell me how HacktiveX "saves lives".

      Wintel BSOD
      • Nope, but I figure they'll tell you

        Vista+IE8= unaffected by any problem activeX has.
        Michael Alan Goff
  • M$hit is the plague of the 21st century

    aha ahah

    still dealing with plague in the 21st century?

    easy as simple, use firefox or

    - it's your time and money dude !! -

    switch to linux !
    • Microsoft is the plague...

      Really? Microsoft, to me, is the company that brings computing to the average user. When people say that it is insecure, or that it has a bad feature, you all have to realize one thing. This is made to be compatible with everything, made to work for anyone.

      Windows does with one program, one line of programs, what linux does with its hundreds of distros. It gives people what they need.
      Michael Alan Goff
  • RE: Microsoft issues emergency patch for IE

    These recent MS patches to IE have wiped out my WiFi connectivity. I have spent hours trying to regain access to my wireless LAN and to my wireless HP All-in-One printer. This is a mess for me.