Thursday, July 30, 2009

Gentlemen, start your engines patches

Ladies too:
Microsoft issued two emergency updates on Tuesday to fix critical security bugs that leave users of Internet Explorer and an untold number of third-party applications vulnerable to remote attacks that completely commandeer their computers.
Windows Update is your friend, if you're of the Windows persuasion (Mac and Linux users are obviously not affected). So go ahead and click the link - you'll be glad that you did.

This is an interesting update for three reasons. First, it's an out-of-cycle update. Microsoft tries to hold all the updates and release them on "Patch Tuesday", the second Tuesday of each month. This makes it much, much easier for Microsoft customers to manage updates. The fact that this is released on a day that's not Patch Tuesday says that this is important stuff.

Second, one of the updates is for one of their development tools, Visual Studio. Gobs of software developers use this to create their own applications, and those applications may also be vulnerable.

Third, ActiveX is front and center. Both my regular readers are steeling themselves for another rant about how ActiveX is an Abomination unto the Lord. Well, it is:
As previously reported, one of the ATL bugs being squashed allowed attackers to bypass so-called kill-bit protections, which are used to seal off ActiveX controls that are later determined to be insecure or otherwise unreliable. The bug is significant because it has the effect of resurrecting vulnerabilities that were patched long ago.
So if you'd had a problem before, and patched it then, it may have come back again. No extra charge ...
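If you want to see for yourself which controls your box has already killed, and whether this week's patches have actually landed, here's a little PowerShell I put together for the occasion (my own script, not something Microsoft ships). A kill bit is just the 0x400 bit of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The KB numbers I'm checking for (KB972260 for MS09-034, KB969706 for MS09-035) are my own assumption from the bulletins, not from anything quoted above.

```powershell
# Added example, not from the original post or from Microsoft.
# Lists ActiveX controls with the kill bit set, and checks whether the
# two out-of-band ATL patches are installed. Written to run on PowerShell 2.0
# (so it works on the XP boxes mentioned in the comments).

$KillBitFlag = 0x400
$CompatKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit {
    # True if the given {CLSID} has the kill bit (0x400) set in Compatibility Flags.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $path = Join-Path $CompatKey $Clsid
    if (-not (Test-Path $path)) { return $false }
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -ne 0)
}

function Get-KilledControls {
    # Walk every CLSID under the compatibility key and report the killed ones,
    # pulling the friendly name from HKCR\CLSID when the control is registered.
    Get-ChildItem $CompatKey | ForEach-Object {
        $clsid = $_.PSChildName
        if (Test-KillBit $clsid) {
            $name = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" `
                     -ErrorAction SilentlyContinue).'(default)'
            New-Object PSObject -Property @{ CLSID = $clsid; Name = $name }
        }
    }
}

function Test-AtlPatches {
    # KB numbers are assumed from the bulletin IDs (MS09-034 -> KB972260,
    # MS09-035 -> KB969706); adjust if your bulletin mapping differs.
    $wanted = @{
        'KB972260' = 'MS09-034 (Internet Explorer cumulative update)'
        'KB969706' = 'MS09-035 (ATL / Visual Studio)'
    }
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $wanted.Keys) {
        New-Object PSObject -Property @{
            Bulletin  = $wanted[$kb]
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

# Usage: list killed controls, then confirm both patches are present.
Get-KilledControls | Sort-Object CLSID | Format-Table -AutoSize
Test-AtlPatches    | Format-Table Bulletin, KB, Installed -AutoSize
```

The point of running both checks together is exactly the point of the quote above: a kill bit is only as good as the code that's supposed to honor it. If the ATL bug is still on the box, a "killed" control can be loaded anyway, so a long list of kill bits with MS09-034 showing Installed = False is not good news.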

So what's up with all this? Well, the world's security community is gathering for the annual Black Hat Briefings, and all the Cool Kids are strutting their security stuff, showing off all the vulnerabilities they know:

This is only the ninth time Microsoft has issued security updates outside of its normal schedule. It comes as thousands of hackers and security professionals convene in Las Vegas for the Black Hat and Defcon conferences.

Already, Adobe has chimed in to say that both its Flash and Shockwave media player applications use vulnerable versions of the ATL, but only versions of those programs that use IE are affected. The company plans to issue fixes. In the interim, users should be protected by installing the patch for MS09-034.


Smith and fellow researchers Mark Dowd and David Dewey plan to discuss one of the issues during this talk at Black Hat.
It'll be an interesting week. I'll keep you posted - Adobe is said to be preparing a set of fixes, too.

1 comment:

NotClauswitz said...

I downloaded that even though I never use IE-7, but XP defaults to using it when I click on the Windows Update site from Control Panel even though my computer is told to use ~Furyfox~ as a default. ;-)
There was also a patch for some Visual C++ 2005 (!?!) Service Pack 1 stuff.

wordvf: bostides - bastages from boston?