August 2009 Security Bulletin Webcast Video and Customer Q and A

As we do every month on the Wednesday following our standard second Tuesday security bulletin release, we conducted a live webcast where Adrian Stone and I went through the bulletins in detail and then answered customer questions with the help of several subject matter experts (SMEs).

It is apparent that there is still a bit of confusion around the Active Template Library (ATL) issue and how current updates relate to work we have already done to provide mitigations, protections and guidance to customers. To try and provide some clarity:

  • Security Advisory 972890: This advisory was released in response to active attacks against the Microsoft Video ActiveX Control in order to provide guidance and mitigations (including a Microsoft Fix it solution) to customers while we worked towards an update for the underlying issue.
  • MS09-032 – Cumulative Update of ActiveX Kill Bits (973346): This bulletin provided an official kill bit update to replace the Microsoft Fix it solution provided by Security Advisory 972890. The update addresses additional kill bits and is also available through Microsoft update technologies such as Windows Update, Microsoft Update, and Windows Software Update Services (WSUS). This kill bit blocked the ability to instantiate the Microsoft Video ActiveX Control in Internet Explorer to mitigate against known attacks.
  • MS09-034 – Cumulative Security Update for Internet Explorer (972260): This bulletin provided a defense-in-depth update that helps mitigate known attack vectors within Internet Explorer. To be clear, Internet Explorer is not vulnerable to these attacks but the vulnerable components can be reached through Internet Explorer. Installing this update mitigates that threat.
  • MS09-035 – Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706): This update is specifically geared towards developers of components and controls who use ATL. The update addresses the underlying issue in our Visual Studio development tools. Developers who use ATL should install this update and recompile their components and controls following the guidance in this MSDN article.
  • MS09-037 – Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908): This bulletin provides updates for vulnerable components and controls that shipped with Windows products. These are Microsoft components and controls that were built using ATL. Among the updates in this bulletin is a binary level update that addresses the vulnerability in the Microsoft Video ActiveX Control that has seen some active attacks. So we previously released a kill bit update to provide immediate protection for customers and are addressing the underlying vulnerability with this update.
  • Security Advisory 973882: This advisory provides information on our ongoing investigation into the ATL issue and serves as a single source for all related information.

To be even clearer, not every ActiveX control is vulnerable and we have an ongoing investigation into this issue. We will continue to provide updates via Security Advisory 973882 and Security Bulletins as necessary.

Of course this is not the only issue we addressed this month and customers had quite a few questions during the webcast that we provided answers and guidance for. Please review the text version of the Q&A here>>.

Here is the video of the webcast that includes the bulletin by bulletin presentation and the complete Q&A session:


Please plan to join us for the next regularly scheduled webcast on September 9, 2009 at 11:00 a.m. (UTC-7) where we will again cover any new bulletins and address your questions in real time. Click here to register >>.

Finally, please visit our Security Research & Defense blog where you will find some great deep dive articles full of analysis and guidance on these and many other security issues. You may also find our new blog aggregator useful for getting a consolidated view of all of our Trustworthy Computing blogs.


Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*