MSVIDCTL (MS09-032) and the ATL vulnerability

Today we have released Security Advisory 973882, which describes vulnerabilities in the Microsoft Active Template Library (ATL), as well as security updates for Internet Explorer (MS09-034) and Visual Studio (MS09-035). The Visual Studio update addresses several vulnerabilities in the public versions of the ATL headers and libraries. The IE update contains two defense-in-depth mitigations to help prevent exploitation of the ATL vulnerabilities described in Security Advisory 973882 and MS09-035 (the IE update also contains additional security fixes that are not related to the ATL issue).

Was the msvidctl vulnerability (MS09-032) related to this ATL update?

First of all, the kill bits issued by the July release for msvidctl (MS09-032) will block the public exploits of msvidctl as stated here.

This public exploit took advantage of the fact that msvidctl uses a modified, non-public version of the vulnerable ATL headers. The vulnerabilities exploited in this attack are found in the private versions of ATL, as described in Security Advisory 973882. In this specific instance, the vulnerability allows an attacker to corrupt memory, which may lead to remote code execution. For more information on this specific issue, see Michael Howard’s “Bug 1” in his SDL Blog Post.

Will the IE update that helps protect against the ATL issues also protect against msvidctl attacks?

Even without the kill bits from MS09-032, the IE mitigations in MS09-034 will help protect against the exploitation of all the ATL vulnerabilities that are described and fixed in the Visual Studio bulletin. That said, we strongly encourage you not to remove MS09-032 and to keep your machine fully updated.

– Fermin J. Serna, MSRC Engineering

*Posting is provided “AS IS” with no warranties, and confers no rights.*