Just do it – MS09-034: Elegant Security Buttress for Internet Explorer
Russ Cooper, July 29th, 2009
The Microsoft Active Template Library (ATL) issue described in MS09-035 has revealed that a great many Component Object Model (COM) programs may be vulnerable to exploitation in a way their developers may not have realized. Internet Explorer is not the only program that hosts COM programs, but it is the most likely primary attack vector for criminals to exploit vulnerable programs via ActiveX controls, as is the case with the current criminal activity using the Microsoft Video Control that was the subject of MS09-032 recently.
MS09-034 includes two significant new features, both intended to help IE protect users from exploitation of vulnerable controls.
The first of these is the use of Microsoft Research Detours technology to monitor the behavior of a control and identify when that control is being manipulated by a criminally crafted web page. Detours allows IE to follow a program's logic and recognize a pattern of behavior that indicates exploitation of the ATL issues. This dramatically reduces the potential for criminals to exploit those ATL issues. Also, because Detours is able to monitor without impacting the program's intended behavior, this new feature should have little to no impact on the legitimate use of ActiveX controls.
The second feature provides a much more forceful way of preventing exploitation of ActiveX controls that are vulnerable to the ATL issues. This feature simply stops controls from running if they are found to contain distinctive unsafe functions. It is one step shy of disabling ActiveX controls altogether in that it will likely prevent many controls from functioning legitimately. If you were considering disabling all ActiveX controls, we would suggest you consider this new option instead.
As for the three specific memory issues addressed in the bulletin, few details have been provided.
Verizon Business recommends that you deploy MS09-034 within the next 7 days. First, this is because active exploitation of the issue has already occurred publicly in the form of attacks against, at least, the Microsoft Video Control (msvidctl.dll). Secondly, the update applies to all versions of IE back to v5.1, so it does not require that you move to a new version of IE. Finally, Verizon Business expects that reports about vulnerable controls are likely to proliferate exponentially within the next few weeks, likely causing some panic in the community. By having MS09-034 deployed you will be able to view these reports as they individually impact you, rather than as a growing problem for the use of IE and ActiveX controls in general.
Verizon Business also recommends that you use this opportunity to deploy an IE setting which permits only Administrator-approved ActiveX controls to run. The Microsoft Support document KB 883256 provides instructions on how to do this via Group Policy Object (GPO). To use this feature you will require a list of ActiveX controls you do want to approve. Given that it is unknown which currently used ActiveX controls are actually vulnerable, we recommend you start with the controls your users currently use. Yes, it is true that some may turn out to be vulnerable. However, by doing this you should have no negative business impact, yet you will prevent the vast majority of vulnerable controls from running. Verizon Business is attempting to put together a “white list” of controls which have passed the Verizon Cybertrust Security ActiveX test and in some instances have been attested to by the author or publisher of the ActiveX control. Verizon Business will provide our customers with more information on this list as it evolves. Currently there are no controls known to have been patched for this issue with certainty, so no list exists.
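One way to turn an inventory of controls in use into the approved list described above (an added example, not from the original post or from Microsoft). The inventory rows, the `min_hosts` threshold and the function names are constructed for illustration; the `AllowedControls` policy key and its zero value are assumptions to confirm against KB 883256 before deployment.

```python
import re
from collections import defaultdict

# Assumption: registry key and value IE reads for administrator-approved
# controls; confirm against KB 883256 before deploying anything.
POLICY_KEY = (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows"
              r"\CurrentVersion\Internet Settings\AllowedControls")
CLSID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")

# Constructed inventory rows (host, CLSID as collected, name). Not real data.
SAMPLE_INVENTORY = """\
ws-001,{11111111-AAAA-4AAA-8AAA-111111111111},Example Timesheet Control
ws-002,11111111-aaaa-4aaa-8aaa-111111111111,Example Timesheet Control
ws-002,{22222222-BBBB-4BBB-8BBB-222222222222},Example Report Viewer
ws-003,{22222222-bbbb-4bbb-8bbb-222222222222},Example Report Viewer
ws-003,{33333333-CCCC-4CCC-8CCC-333333333333},Example Toolbar
ws-003,not-a-clsid,Broken Row
"""

def normalize_clsid(raw):
    """Return the CLSID as {UPPERCASE-GUID}, or None if it is malformed."""
    m = CLSID_RE.match(raw.strip())
    return "{" + m.group(1).upper() + "}" if m else None

def build_allow_list(inventory_text, min_hosts=1):
    """Return (approved, rejected): controls seen on >= min_hosts hosts."""
    hosts, names, rejected = defaultdict(set), {}, []
    for line in filter(str.strip, inventory_text.splitlines()):
        parts = [f.strip() for f in line.split(",", 2)]
        clsid = normalize_clsid(parts[1]) if len(parts) == 3 else None
        if clsid is None:
            rejected.append(line)  # never approve a row we cannot parse
            continue
        hosts[clsid].add(parts[0])
        names.setdefault(clsid, parts[2])
    approved = {c: names[c] for c in sorted(hosts) if len(hosts[c]) >= min_hosts}
    return approved, rejected

def render_reg(approved):
    """Render the allow list as .reg text so it can be reviewed before use."""
    out = ["Windows Registry Editor Version 5.00", "", "[" + POLICY_KEY + "]"]
    for clsid, name in approved.items():
        out += ["; " + name, '"%s"=dword:00000000' % clsid]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    approved, rejected = build_allow_list(SAMPLE_INVENTORY)
    print(render_reg(approved))
    print("rejected rows:", rejected)
```

Raising `min_hosts` trims controls seen on only one machine, which are worth a manual look before they are approved.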
We would also like to point out features added to IE 7 and IE 8 that can have a positive impact on the security of IE. IE 7 and IE 8 include the ActiveX opt-in feature, which disables ActiveX controls that have not previously been used, and prompts the user when new ones are asked for by a site. IE 8 includes a feature which allows you to specify which Zones a given ActiveX control can be called from. This would prevent, for example, abuse of the Office Web Component ActiveX controls from the Internet, even if they were required for Intranet use.