by Peter Tippett and David Kennedy

The acetaminophen and antacid consumption in enterprise IT staffs is likely on the increase due to the recent release of two Security Bulletins by Microsoft, one for Internet Explorer and one for Visual Studio. This security problem has the potential to be both far-reaching and subtle in nature.  We would like to offer a dose of reason in hopes that your stress-induced ailments will at least be caused by wrestling with the real problem. The biggest risk is not from attacks; lost productivity dealing with the scope and confusion around the ATL issue is the greatest risk from these announcements.

To be clear, we do expect attacks but do not believe they will be novel or pervasive. We have seen hundreds of browser vulnerabilities over the years and the pattern of successful exploits is well understood:  such attacks mainly result in home-user machines being absorbed into large-scale botnets.  Our series of Data Breach Investigations Reports, covering nearly 600 breaches studied over five years, consistently finds that browser vulnerabilities rarely contribute (even incidentally) to significant enterprise data breaches.

(more…)

The Microsoft Active Template Libraries (ATL) issue described in MS09-035 has revealed that a great many Component Object Model (COM) programs may be vulnerable to exploitation in a way the developers of those programs may not have realized. Internet Explorer is not the only program that hosts COM programs, but it is the most likely primary attack vector for criminals to exploit vulnerable programs via ActiveX controls as is the case with the current criminal activity using the Microsoft Video Control that was the subject of MS09-032 recently.

MS09-034 includes two significant new features, both intended to provide security enhancement to IE to allow it to protect users from exploitation of vulnerable controls.

(more…)

Executive Summary

Security-related issues exist in some of the programs written using the Microsoft Active Template Library (ATL) that could allow code execution by browsing to a web site under criminal control. If a programmer created a code object using the ATL, the final product could potentially have an exploitable vulnerability. We say “Potentially” has a vulnerability because, at this time, no systematic attack is known to exist. However, many popular programs used in conjunction with Internet Explorer (IE) are vulnerable. At this time at least three discrete ActiveX controls are being exploited and used to compromise systems. Enterprises should assess the mission impact of preventing vulnerable controls from running. This is best achieved by using Group Policy Object (GPO) to allow only Administrator-approved ActiveX controls to run and by supplying a white list of known good, or patched, controls.

Update 2009-07-29:  The reader’s attention is invited to additional information immediately above the tags in the full article.

(more…)