Posts Tagged ‘software development’

Just do it – MS09-034: Elegant Security Buttress for Internet Explorer

Wednesday, July 29th, 2009

The Microsoft Active Template Library (ATL) issue described in MS09-035 has revealed that a great many Component Object Model (COM) programs may be vulnerable to exploitation in a way their developers may not have realized. Internet Explorer is not the only program that hosts COM programs, but it is the most likely primary attack vector for criminals to exploit vulnerable programs via ActiveX controls. That is already the case with the current criminal activity using the Microsoft Video Control, which was the subject of MS09-032 recently.

MS09-034 includes two significant new features, both intended to harden IE so that it can protect users from exploitation of vulnerable controls.


ATL/ActiveX issues are not the end of the World

Tuesday, July 28th, 2009

Executive Summary

Security-related issues exist in some of the programs written using the Microsoft Active Template Library (ATL) that could allow code execution by browsing to a web site under criminal control. If a programmer created a code object using the ATL, the final product could potentially have an exploitable vulnerability. We say “potentially” because, at this time, no systematic attack is known to exist. However, many popular programs used in conjunction with Internet Explorer (IE) are vulnerable. At this time at least three discrete ActiveX controls are being exploited and used to compromise systems. Enterprises should assess the mission impact of preventing vulnerable controls from running. This is best achieved by using a Group Policy Object (GPO) to allow only Administrator-approved ActiveX controls to run and by supplying a white list of known good, or patched, controls.

Update 2009-07-29: The reader’s attention is invited to additional information immediately above the tags in the full article.
