ATL/ActiveX issues are not the end of the World

Dave Kennedy
July 28th, 2009

Executive Summary

Security-related issues exist in some programs written with the Microsoft Active Template Library (ATL) that could allow code execution when a user browses to a web site under criminal control. If a programmer created a code object using ATL, the final product could potentially have an exploitable vulnerability. We say “potentially” because, at this time, no systematic attack is known to exist; however, several popular programs used in conjunction with Internet Explorer (IE) are vulnerable, and at least three discrete ActiveX controls are already being exploited to compromise systems. Enterprises should assess the mission impact of preventing vulnerable controls from running. This is best achieved by using Group Policy Objects (GPO) to allow only Administrator-approved ActiveX controls to run and by supplying a white list of known good, or patched, controls.

Update 2009-07-29: The reader’s attention is invited to the additional information in the update at the end of the full article.

Active Template Library

Technical Summary

Risk Assessment

Code Testing Service

Recommendations for Verizon Business Customers

Enumeration of Mitigation Strategies

Recommendations for Software Developers

Recommendations for Home Users

Active Template Library

The Active Template Library (ATL) is a set of C++ template classes that simplify writing Component Object Model (COM) objects, including ActiveX controls. Microsoft recommends using ATL for the creation of ActiveX controls. The Microsoft Developer Network (MSDN) library has an Introduction to COM and ATL.

Technical Summary

Security issues may exist in programs written using ATL that could allow criminally supplied code to execute on a system that allows vulnerable ActiveX controls to run. Secure programming practice should have ensured that a control does not blindly trust the persisted property data it is initialized from, but because the issue involves Microsoft-supplied macros, some programmers may not have realized their code was unsafe. Fixing vulnerable code requires a manual review of that code by its developer. Microsoft has issued an update to ATL (via MS09-035) that provides developers with new macros; the new macros make strict typing of persisted properties easier for the programmer.

It is important to realize that fixing vulnerable code is not simply a matter of applying a patch. Many different vendors’ code is likely to be found vulnerable, and each vendor will have to release a non-exploitable version of any affected product. To do this, they will have to review their code, replace deprecated macros with the newly released versions, and then make hard decisions about what they expect their program to handle. In most cases the fix should be straightforward. In some cases, however, it may break functionality.

ATL has been used in the creation of an unknown (but very large) number of applications, application extensions and ActiveX controls. There is no simple way for an enterprise or an individual user to determine which potentially vulnerable applications are on a system. Several conditions must all hold for a control to be exploitable. Our initial focus, however, is on code that could be exploited via IE, and so we look at ActiveX controls. One prerequisite for a vulnerable control is that it must be declared Safe for Initializing. This designation is found on ActiveX controls, but may also be on other COM objects not typically associated with IE (like the msvidctl.dll discussed below). An attacker could have a web page initialize such a control from attacker-supplied persisted data (via the OBJECT tag) in a way that executes their code.
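One practical starting point for the inventory problem just described, written for this page as an added example and not part of the original advisory: a PowerShell script that lists every COM class on the local machine whose registration places it in the “Safe for Initializing from persistent data” component category, together with its server DLL and whether a kill-bit is already set. The category GUIDs and the 0x400 flag are the documented Windows constants; the function names and output layout are this example’s own choices, and it assumes PowerShell 3 or later run from an elevated prompt.

```powershell
# Added example: inventory of COM classes registered as "Safe for Initializing"
# (CATID_SafeForInitializing) and whether IE already refuses to load them.
# Assumes: run elevated on the workstation being assessed. Function names are
# this example's own; the GUIDs and the 0x400 flag are documented Windows values.

$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$KILLBIT  = 0x400    # "Compatibility Flags" bit that blocks IE from instantiating a CLSID
$AxCompat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "$AxCompat\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]([int]$flags -band $KILLBIT)
}

function Get-SafeForInitControls {
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        # A category membership shows up as a subkey named by its CATID under "Implemented Categories"
        if (Test-Path "$($_.PSPath)\Implemented Categories\$CATID_SafeForInitializing") {
            [pscustomobject]@{
                CLSID            = $clsid
                Name             = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
                Server           = (Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                SafeForScripting = Test-Path "$($_.PSPath)\Implemented Categories\$CATID_SafeForScripting"
                KillBitSet       = Test-KillBit -Clsid $clsid
            }
        }
    }
}

# Controls IE will still initialize from web-page data: this is the review list
Get-SafeForInitControls | Where-Object { -not $_.KillBitSet } | Sort-Object Server | Format-Table -AutoSize
```

Two caveats keep this a triage list rather than a vulnerability list. First, a control can also declare itself safe at run time through IObjectSafety without registering the category, so it will not appear here; that is part of why there is no simple inventory. Second, on 64-bit Windows the 32-bit IE reads HKCR\Wow6432Node\CLSID and the Wow6432Node copy of the ActiveX Compatibility key, so the same pass should be run against those paths. Nothing in the output says whether a listed control was built with ATL; that is what the code review or a testing service establishes.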

Risk Assessment

The greatest risk in the very near term is a denial of service due to lost productivity, as IT staffs around the world work to understand this issue and likely dedicate an inordinate amount of time to learning the scope of its effect on their business units. The criminal threat does not demand a full-scope assessment, and in the coming days the collective talent of the security community will almost certainly make a full-scope assessment easier and more accurate.

By the time you read this, we believe it is almost certain the technical and mass media will be carrying predictions of an “extinction level event” due to this problem. The facts are that only targeted and relatively rare attacks on a few controls exist today. We assess it very unlikely (less than 1 in 10 probability) that a mass attack simultaneously exploiting 10 or more controls is possible. A more likely possibility is an attack on a control deployed on all, or almost all, Windows computers, but we already see those. We believe that far fewer controls will prove to be exploitable than initial estimates will suggest.

In the short term, only vulnerable controls under attack by criminals represent a known risk to Windows systems. The Windows video control, msvidctl.dll, and the Office Web Components controls, OWC10.dll and OWC11.dll, are being exploited by criminals to compromise systems. MS09-032 set the kill-bit for the msvidctl.dll control, which prevents IE from loading it and so removes it from criminal attacks.

The Office Web Components (OWC) control may be used in some customer companies and each of these companies must assess the mission impact of disabling the control.

An attacker who successfully exploited this vulnerability could execute code with the privileges of the process hosting the control, typically the logged-on user running IE, on an affected system.

The only known “patch” is for vulnerable code to be reviewed and, in many cases, modified and recompiled with the new ATL library released on July 28, 2009.

Code Testing Service

Verizon Cybertrust Security is providing a service to COM object developers to test their signed code objects in order to determine the relative risk each object represents. The purpose of this test is to support triage of the innumerable objects so those representing the greatest vulnerability can receive priority for replacement or other defensive measures.

Application developers can link ATL into a control either statically or dynamically. The presence of ATL.DLL is an indication that a dynamically linked control is present. This file is not present on a default Windows system. Replacing ATL.DLL will not eliminate vulnerabilities, because the affected ATL code (the property-map macros and the stream-loading routines) is compiled into each control itself; only the developer of the control can fix it.

Recommendations for Verizon Business Customers

We know of no mission impact from disabling the Windows video control, and we recommend customers apply MS09-032, which sets the kill-bit for that control, or follow the instructions in the Microsoft article How to stop an ActiveX control from running in Internet Explorer (KB240797) and disable this object.

If you are not using OWC internally, set the kill-bit regardless of whether OWC is installed. Doing so ensures that if your users visit a criminally controlled site that attempts to exploit this vulnerability, IE will refuse to instantiate the control whether or not it is already on the machine. If you do use OWC within your organization, then you will have to rely on content filtering (looking for attempts to instantiate OWC’s CLSIDs or ProgIDs from outside sites) to prevent exploitation, and wait for Microsoft to release a patch. Treat such filtering as a stopgap: a filter keyed on identifiers in page content can be evaded by script that assembles the identifier at run time, so it reduces exposure rather than eliminating it.
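For the content-filtering stopgap mentioned above, here is an added example (not part of the original advisory) of the matching logic such a filter needs: it pulls CLSIDs from OBJECT classid attributes and ProgIDs from ActiveXObject/CreateObject calls, normalizes them, and compares them against a block list. The block-list entries (a null-GUID placeholder and a made-up ProgID), the function names and the sample page are all constructed for this example; substitute the identifiers from your own assessment.

```powershell
# Added example: block-list matching for ActiveX instantiation attempts in web content.
# The CLSID below is the null GUID used as a placeholder; replace it and the ProgID with
# the identifiers from your own assessment. Function names are this example's own.

$BlockedClsids  = @('{00000000-0000-0000-0000-000000000000}')   # placeholder
$BlockedProgIds = @('Example.Control')                           # placeholder

function Find-ActiveXInstantiation {
    param([Parameter(Mandatory)][string]$Content)
    $hits = @()
    # <object classid="clsid:..."> - braces, case and quoting vary, so normalize to {UPPER}
    $classidRe = 'classid\s*=\s*["'']?\s*clsid:\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?'
    foreach ($m in [regex]::Matches($Content, $classidRe, 'IgnoreCase')) {
        $hits += [pscustomobject]@{ Kind = 'CLSID'; Id = ('{' + $m.Groups[1].Value.ToUpperInvariant() + '}'); Offset = $m.Index }
    }
    # new ActiveXObject("ProgID") in JScript, CreateObject("ProgID") in VBScript
    $progidRe = '\b(?:ActiveXObject|CreateObject)\s*\(\s*["'']([A-Za-z0-9_.]+)["'']'
    foreach ($m in [regex]::Matches($Content, $progidRe, 'IgnoreCase')) {
        $hits += [pscustomobject]@{ Kind = 'ProgID'; Id = $m.Groups[1].Value; Offset = $m.Index }
    }
    return $hits
}

function Test-ContentBlocked {
    param([Parameter(Mandatory)][string]$Content)
    Find-ActiveXInstantiation -Content $Content | Where-Object {
        ($_.Kind -eq 'CLSID'  -and $BlockedClsids  -contains $_.Id) -or
        ($_.Kind -eq 'ProgID' -and $BlockedProgIds -contains $_.Id)
    }
}

# Constructed sample page: one OBJECT tag and one scripted instantiation
$SamplePage = @'
<html><body>
<object classid="CLSID:00000000-0000-0000-0000-000000000000" id="ctl" width="1" height="1"></object>
<script type="text/javascript">var o = new ActiveXObject("Example.Control");</script>
</body></html>
'@

$blocked = @(Test-ContentBlocked -Content $SamplePage)
if ($blocked.Count) { $blocked | Format-Table -AutoSize; 'BLOCK' } else { 'ALLOW' }
```

The normalization step matters more than it looks: IE accepts the CLSID with or without braces and in either case, so a filter that compares raw strings misses trivially rewritten pages. What no identifier filter catches is script that builds the CLSID or ProgID from fragments at run time, which is why the advisory treats filtering as a holding action until the kill-bit or a vendor fix can be applied.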

Verizon Business will continue to advise our customers as attacks on popular controls emerge.

Enumeration of Mitigation Strategies

The following mitigation strategies may be used alone or in combination:

  1. Employ the mitigation offered by MS09-034, an update to IE that was also released on July 28, 2009. This update may dramatically reduce the potential for criminals to exploit vulnerable controls, but it may also affect mission-driven use of IE. Review the information supplied within that bulletin to assess the impact on your environment.
  2. Address each vulnerable control as “in the wild” attacks are discovered. Assess the mission-driven need for each control and use GPO to set the kill-bit for those controls.
  3. Microsoft has provided tools to help administrators define which ActiveX controls may run, and who can make decisions whether or not a given control can run.
    1. Use GPO to adjust Internet Explorer security settings in the Internet Zone to allow only ActiveX controls approved by the Administrator to run.
    2. Using Software Restriction Policies to Protect Against Unauthorized Software details how rules can discriminate controls by hash, signing certificate, path and Internet zone. Also, rules can be set to give different permissions to users, local system administrators and enterprise administrators.
    3. The Internet Explorer Administration Kit (IEAK) helps administrators Manage ActiveX Controls. IEAK includes a list of common ActiveX controls in a file: Axaa.adm. Enterprises should use caution employing this list as it will pre-date this issue until Microsoft publishes an update.
    4. Another resource is Internet Explorer security zones registry entries for advanced users.
    5. This blog entry from Security Research and Defense explains how IE checks a control to verify it is safe for initialization and scripting. To be effective each enterprise will need to discriminate which controls have a business-driven mission and develop a “white list.”
  4. IE 8 offers several security enhancements. For enterprises, Per-Site ActiveX Controls are possible so an enterprise can define which controls can run. See the MSDN section on Per-Site ActiveX Controls.
  5. Use GPO to adjust IE security settings in the Internet Zone to force users to acknowledge a prompt when an ActiveX Control is called. This may have a significant impact on the user experience and may have a mission impact.
  6. Use GPO to adjust IE security settings in the Internet Zone to restrict Active Scripting. This will have a significant impact on the user experience and is most likely going to have a mission impact.
  7. Use security products for defense. Undoubtedly, IDS, IPS, content managers, firewalls, anti-spyware and anti-virus products will react to this issue. Because every control has a unique CLSID, content managers can permit a white list, restrict a blacklist or enforce another local policy. Each enterprise must assess the efficacy of their total defensive posture versus the threat of attack via this vulnerability and accept the residual risk for this strategy.
  8. Switch internet browsers with all of the deployment, training, support and security problems associated with the new browser. No internet browser is without security vulnerabilities.
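Strategy 2 above, applying kill-bits to a reviewed list of controls, as an added example that is not part of the original advisory: the registry change Microsoft’s article describes, scripted so it can be pushed by a GPO startup script or run by hand, with -WhatIf for a dry run. The CLSID in the list is a null-GUID placeholder to be replaced with the identifiers from your own assessment; the value name and the 0x400 flag are the documented ones; the function names are this example’s own, and it assumes PowerShell 3 or later run elevated.

```powershell
# Added example: set the IE kill-bit (Compatibility Flags 0x400) for reviewed CLSIDs.
# Assumes: run elevated; $ReviewedBlockList holds a null-GUID placeholder to be
# replaced with CLSIDs from your own assessment. On 64-bit Windows the 32-bit IE
# reads the Wow6432Node view, so both views are written when present.

$KILLBIT = 0x400
$CompatRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $CompatRoots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Clsid)
    process {
        if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
            throw "Not a braced CLSID: $Clsid"
        }
        foreach ($root in $CompatRoots) {
            $key = "$root\$Clsid"
            if (-not $PSCmdlet.ShouldProcess($key, 'Set kill-bit')) { continue }
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $old = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            # OR the bit in so any other compatibility flags already set on the CLSID survive
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ([int]$old -bor $KILLBIT) -Type DWord
        }
    }
}

function Get-KillBitState {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Clsid)
    process {
        foreach ($root in $CompatRoots) {
            $flags = (Get-ItemProperty -Path "$root\$Clsid" -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            [pscustomobject]@{ CLSID = $Clsid; Hive = $root; KillBit = [bool]([int]$flags -band $KILLBIT) }
        }
    }
}

$ReviewedBlockList = @('{00000000-0000-0000-0000-000000000000}')   # placeholder

$ReviewedBlockList | Set-KillBit -WhatIf     # drop -WhatIf once the list has been reviewed
$ReviewedBlockList | Get-KillBitState | Format-Table -AutoSize
```

The bit is OR-ed into the existing value rather than written over it because the same DWORD carries other IE compatibility flags; overwriting with 0x400 would silently clear them. A kill-bit only stops IE (and other hosts that honour the key) from instantiating the control; it does not remove or patch the DLL, so the control remains reachable from any application that loads it directly.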

Recommendations for Software Developers

If you have used ATL, you should review the guidance for developers from Microsoft, beginning with MS09-035. If necessary, modify and recompile your object with the updated ATL. Prioritize your efforts based on results from testing your application at Verizon Business Code Testing. First priority should be given to objects that are declared Safe for Initialization and that also define vulnerable properties. Simply recompiling may not be sufficient to eliminate the vulnerability; review Microsoft’s documentation on the issue.

Not all ATL-linked controls are vulnerable. To be vulnerable, your control must:

  • Use CComVariant::ReadFromStream(pStream) where pStream could contain untrusted data

Or

  • Is a COM object
  • Is declared as Safe for Initializing
  • Inherits IPersistStreamInitImpl or calls AtlIPersistStreamInit_Load
  • Uses the macros PROP_ENTRY or PROP_ENTRY_EX

Or

  • Is a COM object
  • Is declared as Safe for Initializing
  • Inherits IPersistStreamInitImpl or calls AtlIPersistStreamInit_Load
  • Uses the macros PROP_ENTRY_TYPE or PROP_ENTRY_TYPE_EX
  • Declares properties as VT_DISPATCH or VT_UNKNOWN

Deserializing objects from an untrusted data source is never a good idea and should be avoided whenever possible. Avoiding it requires no update from Microsoft.

PROP_ENTRY and PROP_ENTRY_EX are deprecated because they do not let the programmer specify the type of value they expect to be loaded, so unexpected results can occur. Good programming practice should have ensured that the loaded value was checked to be what was expected. Doing this requires no update from Microsoft, but the update does make it easier.

Using VT_DISPATCH or VT_UNKNOWN with PROP_ENTRY_TYPE or PROP_ENTRY_TYPE_EX essentially reverts to the problem with PROP_ENTRY and PROP_ENTRY_EX: because the property is typed only as “some object,” an object of any class named in the persisted data could be instantiated. Again, addressing this requires no update from Microsoft.

Microsoft has included four new macros in MS09-035: PROP_ENTRY_INTERFACE, PROP_ENTRY_INTERFACE_EX, PROP_ENTRY_INTERFACE_CALLBACK and PROP_ENTRY_INTERFACE_CALLBACK_EX. All of them let programmers specify a qualified list of CLSIDs they expect to be loaded for an object-typed property, so unwanted classes are rejected. The update is not required in order to do this form of filtering, but, again, it is made easier by the update.
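A triage pass over a source tree for the patterns in the three checklists above, added here as an example and not part of the original advisory or of Microsoft’s guidance. It only surfaces candidates; each hit still needs the manual review described above. The sample header is constructed for the example and written to a temporary folder; point -Path at a real tree instead. Pattern labels and the function name are this example’s own, and it assumes PowerShell 3 or later.

```powershell
# Added example: grep-style triage of ATL property maps for the patterns the
# advisory lists. Findings are candidates for review, not confirmed vulnerabilities.
# The sample source below is constructed for this example.

$Patterns = [ordered]@{
    'Untyped PROP_ENTRY / PROP_ENTRY_EX'               = '\bPROP_ENTRY(_EX)?\s*\('
    'PROP_ENTRY_TYPE(_EX) with VT_DISPATCH/VT_UNKNOWN' = '\bPROP_ENTRY_TYPE(_EX)?\s*\([^)]*\bVT_(DISPATCH|UNKNOWN)\b'
    'Loads persisted data (IPersistStreamInit)'        = '\bIPersistStreamInitImpl\b|\bAtlIPersistStreamInit_Load\b'
    'CComVariant::ReadFromStream on a caller stream'   = '\bReadFromStream\s*\('
    'Declared safe for untrusted data / init'          = '\bIObjectSafetyImpl\b|INTERFACESAFE_FOR_UNTRUSTED_DATA|CATID_SafeForInitializing|7DD95802-9882-11CF-9FA9-00AA006C42C4'
}

function Find-AtlPropertyRisks {
    param([Parameter(Mandatory)][string]$Path)
    $files = Get-ChildItem -Path $Path -Recurse -Include *.h,*.hpp,*.cpp,*.inl,*.rgs |
             Where-Object { -not $_.PSIsContainer }
    foreach ($label in $Patterns.Keys) {
        $files | Select-String -Pattern $Patterns[$label] -CaseSensitive | ForEach-Object {
            [pscustomobject]@{ Finding = $label; File = $_.Filename; Line = $_.LineNumber; Text = $_.Line.Trim() }
        }
    }
}

# --- constructed sample: one control exhibiting each pattern ---
$sampleDir = Join-Path $env:TEMP 'atl-triage-sample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
class ATL_NO_VTABLE CSampleCtl :
    public IPersistStreamInitImpl<CSampleCtl>,
    public IObjectSafetyImpl<CSampleCtl, INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA>
{
BEGIN_PROP_MAP(CSampleCtl)
    PROP_ENTRY("Caption", 1, CLSID_NULL)                  // untyped: whatever the stream names gets loaded
    PROP_ENTRY_TYPE("Width", 2, CLSID_NULL, VT_I4)        // typed scalar: fine
    PROP_ENTRY_TYPE("Picture", 3, CLSID_NULL, VT_UNKNOWN) // typed as "any object": still any CLSID
END_PROP_MAP()
};
'@ | Set-Content -Path (Join-Path $sampleDir 'SampleCtl.h')

Find-AtlPropertyRisks -Path $sampleDir | Sort-Object File, Line | Format-Table -AutoSize
```

Reading the output: a control that matches only the first two pattern groups is not exploitable through IE unless it also matches the last one (it loads persisted data and is marked safe for untrusted data), which is the combination the checklists above describe. The remedy the advisory points to for the object-typed entries is the PROP_ENTRY_INTERFACE family with an explicit CLSID list; a script like this finds the entries but cannot decide which CLSIDs belong on that list.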

Recommendations for Home Users

Home users should consider using another browser like Google Chrome or Firefox.

Do not uninstall IE; it is necessary for Microsoft Update. It is fine to remove the IE icon from your desktop and/or toolbar. Microsoft Update should be set to install updates automatically (Start > Settings > Control Panel > Automatic Updates > Automatic (recommended) > OK).

“Power users” may take other steps to either secure IE or use another browser. The above recommendation is the simplest course of action for a non-technical home user to protect their Windows systems.

Update 2009-07-29:

A version control error resulted in the absence of the following paragraph, which should have been the second paragraph of the last section above:

Microsoft Security Bulletin MS09-034 provides significant security improvements for IE that will help IE resist attacks related to this problem. Users who choose to continue to use IE should ensure this bulletin is applied.

I invite the reader’s attention to the next blog entry by Russ Cooper (it should go live in a few minutes): Just do it – MS09-034: Elegant Security Buttress for Internet Explorer


Comments

  1. David…I agree with you. What might also be mentioned though is Microsoft has not addressed the problem in more than a decade. Here’s what the world’s largest software company has and hasn’t done.

    -The approach to security is after the fact, and no investment, even in something as simple as buying an anti-virus company and bundling it with Windows, has been made. Their “strategic” press releases about efforts in this area have either resulted in nothing being released or applications that are weak in comparison to third party software.

    -The premature release of operating systems with bugs and major security flaws (last count 400 plus updates to XP) is a way of life apparently within Microsoft (and impacts millions).

    -The focus on bloatware and cosmetics versus security and stability.

    -The ever increasing machine requirements to run Windows.

    -A “Knowledgebase” that is not designed for home users and only a token effort thus far in “Fix-its”. Bearing witness is the enormous popularity of other forums and help sites.

    -And even the ever increasing registry size problem with no adequate cleaner and the failure of ADD / REMOVE programs has never been addressed (slowing machines down over time for those of you who are not technical).

    These are a few of the more glaring issues, issues which are and will continue to erode Microsoft’s share in the market. Sadly, for Microsoft they could have had it all had they simply done it right; the financial resources existed. In perspective every area Microsoft has neglected has been filled by 3rd party providers and today Windows itself is under attack. There are better browsers, other, often simpler and less prone to attack operating systems and a better search engine. If Apple lowered its prices for a PC (and Steve Jobs learned to think in profit dollars not percentage) Snow Leopard would increase sales dramatically (and position them for the future). Google will certainly have an impact. Ubuntu and other Linux variations continue to make inroads. If Ubuntu charged a token fee so they could advertise I suspect the world of “average home users” would A) Become aware and B) Switch! Already OEMs are heading in that direction.

    Equally sad are the millions upon millions of person hours spent “resolving problems” connected to Windows all over the world. While Bill Gates may believe that his charitable foundation is contributing to the world in reality (and the company still appears to follow his lead – the short term focus for maximum profitability) I would be delighted to buy every new release of Windows at the time of its release if it was secure and stable. I would also pay an additional $20.00 over whatever the price was if it was stated that went to his foundation. I wonder if his foundation is ego, atonement, or sincere charity. In perspective the net result of a quality approach would very probably have resulted in far more World Improvement than his foundation.

    Steve…and feel free to publish my email address.

    Posted by: Stephen Camm on August 1st, 2009 at 12:05 am
