Microsoft rushes patches to fix 'big deal' programming flaw

As promised, Microsoft today patched six vulnerabilities in Internet Explorer (IE) and Visual Studio with the first "out-of-cycle" update since it plugged a hole last October that the Conficker worm later used to run rampant.

Microsoft has been working on the Visual Studio bugs, and coordinating with third-party developers who may have crafted vulnerable software using Visual Studio, since early 2008.

As some had speculated, Microsoft rushed the patches to users this week to preempt a presentation slated for tomorrow at Black Hat by several security researchers. They plan to demonstrate a way for attackers to bypass the "kill-bit" defenses that Microsoft frequently deploys as a stop-gap measure.

"We put this out-of-cycle because we have seen at least one attack using an ATL vulnerability," Mike Reavey, director of Microsoft's Security Response Center (MSRC), said in an interview today. "And there was more speculation and more details being released before Black Hat. We had the patches ready for broad release, so we decided to release them today."

Without the pressure from Black Hat, Microsoft would have waited until Aug. 11, when the company will release its next regularly scheduled security update.

The two emergency updates, MS09-034 and MS09-035, fixed three "critical" flaws in IE, added new defensive technology to the browser and patched three "moderate" bugs in Visual Studio.

But in an unusual reversal, Microsoft hinted -- and some researchers agreed -- that the moderate bugs may actually pose the more serious long-term threat. That's because the Visual Studio vulnerabilities are in a code "library," dubbed Active Template Library (ATL), that Microsoft and an unknown number of third-party developers used to create their own ActiveX controls and application components.

"ATL is a C++ library, and one that's pretty commonly used by developers," said Amol Sarwate, the manager of Qualys' vulnerability research lab.

"This will be one of those where users are vulnerable from hackers much longer than the usual," added John Pescatore, an analyst with Gartner. "This is a big deal. Microsoft may be fixing the underlying problem in ATL, and pushing out this shielding thing that will protect users of IE, but there's no way of knowing how many applications or controls have this flaw baked into them."

