Microsoft Details Out-of-Band July Update
The out-of-band update scheduled for the 28th of July, the update that was meant to address a critical vulnerability in Internet Explorer and a moderate vulnerability in Visual Studios, has been rolled out to Microsoft customers. At the time, the Redmond-based company could not go into specifics, but now that the update has been released, it can provide a more in-depth details about the out-of-band update. Here’s a little hint: it’s Active Template Library (ATL).
Here is precisely what Microsoft released the other day:
Security Advisory 973882, which provides info on Microsoft’s “ongoing investigation into vulnerabilities in the public and private versions of Microsoft's Active Template Library (ATL).”
Microsoft Security Bulletin MS09-034, which details a mitigation for Internet Explorer that will foil an attacker’s attempt to exploit components and controls built using Active Template Library. Multiple other unrelated IE vulnerabilities are addressed in the bulletin as well. MS09-034 applies to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8
Microsoft Security Bulletin MS09-035, which details a moderate vulnerability in Visual Studio Active Template Library that if exploited by a person with malicious intent could allow the attacker to perform remote code execution. MS09-035 applies to Windows 2000 Service Pack 4, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. If you have applied MSO9-32, then you should be okay, explained Microsoft, adding that no active exploits taking advantage of the vulnerabilities presented in MS09-035 have been detected in the wild
So why did Microsoft push this out-of-band update? Jonathan Ness, Microsoft Security Research and Defense Engineering, provides an explanation.
“While the vulnerability has been known to Microsoft for some time, additional information regarding these vulnerabilities has been growing over the past few weeks. And with the Black Hat and Def Con security conference getting people together around the same watering hole, natural curiosity means that risk to customers could increase as more information is disclosed. We’ve seen one active attack on an ATL vulnerability targeting the msvidctl.dll control. We decided to proactively release these security updates to help protect customers and mitigate the risk in a more controlled manner. We believe the right thing to do is to help protect customers with out-of-band security updates in this unique situation where we anticipate the risk will increase before our next scheduled security update opportunity,” said Ness.
Here is precisely what Microsoft released the other day:
Security Advisory 973882, which provides info on Microsoft’s “ongoing investigation into vulnerabilities in the public and private versions of Microsoft's Active Template Library (ATL).”
Microsoft Security Bulletin MS09-034, which details a mitigation for Internet Explorer that will foil an attacker’s attempt to exploit components and controls built using Active Template Library. Multiple other unrelated IE vulnerabilities are addressed in the bulletin as well. MS09-034 applies to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8
Microsoft Security Bulletin MS09-035, which details a moderate vulnerability in Visual Studio Active Template Library that if exploited by a person with malicious intent could allow the attacker to perform remote code execution. MS09-035 applies to Windows 2000 Service Pack 4, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. If you have applied MSO9-32, then you should be okay, explained Microsoft, adding that no active exploits taking advantage of the vulnerabilities presented in MS09-035 have been detected in the wild
So why did Microsoft push this out-of-band update? Jonathan Ness, Microsoft Security Research and Defense Engineering, provides an explanation.
“While the vulnerability has been known to Microsoft for some time, additional information regarding these vulnerabilities has been growing over the past few weeks. And with the Black Hat and Def Con security conference getting people together around the same watering hole, natural curiosity means that risk to customers could increase as more information is disclosed. We’ve seen one active attack on an ATL vulnerability targeting the msvidctl.dll control. We decided to proactively release these security updates to help protect customers and mitigate the risk in a more controlled manner. We believe the right thing to do is to help protect customers with out-of-band security updates in this unique situation where we anticipate the risk will increase before our next scheduled security update opportunity,” said Ness.
