The emergency patches Microsoft plans to rush out this week will fix a flaw that runs through several critical components of Windows and an unknown number of third-party applications, according to a pair of security researchers.
On Tuesday, Microsoft will slap a permanent patch on a video streaming ActiveX control used by Internet Explorer (IE), addressing a vulnerability that it has known about, but not fixed, for more than a year. Two weeks ago, Microsoft issued a “kill bit” update that, rather than address the underlying problem, disabled the ActiveX control to stymie attacks that were already in progress. It has also slated a fix for Visual Studio, Microsoft’s popular development platform.
Although Microsoft has not spelled out exactly what it will patch with the two “out-of-band” updates — the term for security updates released outside the company’s once-a-month schedule — earlier this month researchers pointed fingers at the Active Template Library (ATL), a code “library” used not only by Microsoft’s own developers, but also by third-party software programmers to access some features within Windows.
Two German researchers — Thomas Dullien, the CEO and head of research at Zynamics GmbH, and Dennis Elser — dug into the bug within the ActiveX control, the “msvidctl.dll” file, that streams video content. They found that it stemmed from a simple programming mistake in a function called “ATL::CComVariant::ReadFromStream.”
“Instead of passing a pointer to a data buffer to IStream::Read, it took the address of a (small) local variable, and passed this address as output buffer to IStream::Read, along with a length read from the stream previously,” said Dullien, who goes by the moniker “Halvar Flake” when writing about security vulnerabilities. “Somebody clearly got confused,” he added in a blog entry posted July 9.
The result? Although Microsoft shut off current attacks against the ActiveX control, the programming mistake is present in several other Windows files — at least five in XP, at least 13 in Vista — including ones crucial to IE, Windows Media Player and Terminal Services.
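To make the mistake Dullien describes concrete, here is a small C model of it, added for illustration. It is not ATL, Microsoft or Zynamics code: the stream format (a 4-byte little-endian length followed by the payload), the `stream_read` stand-in for `IStream::Read`, and the flat `frame_t` that plays the role of the stack frame are all assumptions chosen so the overflow can be observed without crashing. The vulnerable reader passes the address of a 16-byte "local variable" together with a length taken from the stream; the hardened reader adds the one check the text says was missing.

```c
/*
 * Toy model of the ATL::CComVariant::ReadFromStream mistake. Added
 * example; not ATL or Microsoft code. Stream layout (4-byte LE length,
 * then payload) and the frame model are assumptions for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Minimal stand-in for an IStream. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} stream_t;

/* Stand-in for IStream::Read: copies up to cb bytes into pv, never more
 * than the stream still holds, and reports how many bytes were copied. */
static size_t stream_read(stream_t *s, void *pv, size_t cb) {
    size_t avail = s->len - s->pos;
    size_t n = cb < avail ? cb : avail;
    memcpy(pv, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Simulated stack frame: a small local variable followed by the slot that
 * sits behind it on the stack. Modelled as one flat array so an overflow
 * of the local stays inside the object and can be inspected. */
#define LOCAL_SIZE 16
#define RET_SIZE   8
typedef struct {
    uint8_t bytes[LOCAL_SIZE + RET_SIZE];
} frame_t;

static void frame_init(frame_t *f) {
    memset(f->bytes, 0, LOCAL_SIZE);
    memset(f->bytes + LOCAL_SIZE, 0xEE, RET_SIZE); /* marker for the saved slot */
}

static int read_u32le(stream_t *s, uint32_t *out) {
    uint8_t b[4];
    if (stream_read(s, b, 4) != 4) return -1;
    *out = (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return 0;
}

/* The mistake: length comes from the stream, buffer is the local variable,
 * and nothing relates the two. Returns 0 on success. */
static int vulnerable_read(stream_t *s, frame_t *f) {
    uint32_t len;
    if (read_u32le(s, &len) != 0) return -1;
    stream_read(s, f->bytes, len);   /* &local with an attacker-chosen length */
    return 0;
}

/* The missing check: refuse lengths the local variable cannot hold. */
static int hardened_read(stream_t *s, frame_t *f) {
    uint32_t len;
    if (read_u32le(s, &len) != 0) return -1;
    if (len > LOCAL_SIZE) return -2;  /* reject before touching memory */
    if (stream_read(s, f->bytes, len) != len) return -1;
    return 0;
}

/* 1 if the slot behind the local variable was overwritten. */
static int return_slot_clobbered(const frame_t *f) {
    for (size_t i = 0; i < RET_SIZE; i++)
        if (f->bytes[LOCAL_SIZE + i] != 0xEE) return 1;
    return 0;
}

/* Constructed malicious stream: length 24 then 24 bytes of 'A'. Exactly
 * LOCAL_SIZE + RET_SIZE bytes so the model stays inside frame_t. */
static const uint8_t k_attack[] = {
    24, 0, 0, 0,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A'
};
/* Constructed benign stream: length 8 then 8 bytes of payload. */
static const uint8_t k_benign[] = { 8, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8 };

/* Runs one reader over one stream; returns the reader's status, leaves f for inspection. */
static int run(int (*reader)(stream_t *, frame_t *),
               const uint8_t *data, size_t len, frame_t *f) {
    stream_t s = { data, len, 0 };
    frame_init(f);
    return reader(&s, f);
}

int main(void) {
    frame_t f;
    run(vulnerable_read, k_attack, sizeof k_attack, &f);
    printf("vulnerable: slot clobbered = %d\n", return_slot_clobbered(&f));
    int rc = run(hardened_read, k_attack, sizeof k_attack, &f);
    printf("hardened:   rc = %d, slot clobbered = %d\n", rc, return_slot_clobbered(&f));
    return 0;
}
```

The model keeps the malicious payload exactly as long as the simulated frame so that the overflow can be observed safely; a real `IStream::Read` with a 32-bit attacker-supplied length has no such limit, which is why the kill bit on one control does not address copies of the same code elsewhere.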
“The bug is actually much ‘deeper’ than most people realize,” said Dullien, “[and] the kill-bit fix is clearly insufficient, as there are bound to be many other ways of triggering the issue.”
Additionally, said Dullien and Elser, third-party developers may have used the same flawed library to create their own applications.
“The bug might have weaseled its way into third-party components, if anyone outside of Microsoft had access to the broken ATL versions,” said Dullien. “If this has happened, Microsoft might have accidentally introduced security vulnerabilities into third-party products.” Dullien claimed that older versions of Adobe’s Flash contained the vulnerability.
In a follow-up blog entry on Friday, Dullien speculated that Tuesday’s fixes will “patch a bunch of libraries (the ATL ?) in Visual Studio” as well as the ActiveX “msvidctl.dll” file used by IE.
To add fuel to that speculation, Brian Krebs of the Washington Post quoted Dullien last week as saying Microsoft had called and asked him not to comment further on the vulnerability.
Neither Dullien nor Elser responded to requests for comment on Sunday.
Other security researchers either declined to comment or assumed Dullien is on the right track.
“I don’t think I can comment specifically, but I am prepared to say that whenever Microsoft goes to the trouble of doing an out-of-band [update], people should probably pay attention, and patch as soon as they can,” said Roger Thompson, chief research officer at security software vendor AVG Technologies, via instant messaging on Saturday.
Two weeks ago, Thompson warned that the ActiveX vulnerability was a prime candidate for another Conficker-scale attack.
“If what [Dullien] said on his blog is even remotely correct, and if his call from Microsoft is credible, then consumers and Microsoft partners have got some serious work ahead,” warned Andrew Storms, director of security operations at nCircle Network Security, in an e-mail Sunday.
Calling the out-of-band updates a “stand-up-and-pay-attention moment,” Storms also recommended that businesses test the patches thoroughly before they’re deployed. “Enterprises may want to wait a few days and see what their other software vendors have to say,” he urged. “Reason for the extra caution? It appears that some companies may be using the ill-fated Microsoft function and when patched, [that] may cause some unexpected consequences.”
Storms offered up another reason for Microsoft’s Tuesday patching. “Many of the same security professionals will be in Vegas for Black Hat, which in itself may have jump-started Microsoft’s emergency patch release,” he said. Black Hat, which kicked off Saturday, runs through Thursday. Dullien, as Halvar Flake, was slated to conduct a training session at Black Hat, according to the conference’s schedule.
Thompson seconded Storms. “I think the next big thing to watch for is to see what comes out at Black Hat,” he said. “I truly don’t know of anything, but I’m fairly sure that hackers are hacking.”
“More to come on Tuesday when we get the patches, obviously,” concluded Storms.
Microsoft will issue the out-of-band updates Tuesday, July 28, via its usual Windows Update and Windows Server Update Services (WSUS) mechanisms. If it releases them on the same timetable as its monthly update, they should be available around 1 p.m. ET.
Later in the day — at both 4 p.m. and 7 p.m. ET — Microsoft will host a webcast to take customer questions. Typically, Microsoft hosts such webcasts the day after it delivers patches.