Hi malware fighters,
MS has to come up with an out of band patch, because setting a killbit for an insecure ActiveX control is not enough and can now be circumvented by hackers: http://blogs.iss.net/archive/Blackhat09.html
This hole really created some panic at Microsoft, because this means a gigantic problem:
http://www.pcworld.com/businesscenter/article/169122/microsoft_rushes_to_fix_ie_killbit_bypass_attack.html
By just visiting a malicious website hackers can do whatever they please even if a patch is being installed.
Why go on with a concept that was a big mistake from day 1 - ActiveX is an insecure concept period…
Here is a glimpse of the presentation of this 0-day: http://www.hustlelabs.com/bh2009preview/
The underlying Library issues and the OS dll’s that could be involved deeper down are discussed here:
http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html
polonus
system
July 28, 2009, 10:30am
2
Thanks for the information polonus
Found it worrisome to say the least.
pete
Wonder what will happen to Javacool’s Spyware Blaster, whose primary protection is setting registry killbits?
Bet Larry Seltzer feels like a knob every time he’s reminded of this:
http://www.eweek.com/c/a/Security/The-Lame-Blame-of-ActiveX/
system
July 28, 2009, 11:11pm
5
@ FreewheelinFrank
Pundits of Microsoft are many and many are armchair critics.
Looks like the critics were right.
Hi FwF,
Maybe MS has done some immediate damage containment through the special out of band ServicePack with defense in depth measurements (http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx), but there are many third party software developers that also joined the ActiveX bandwagon. They can test their controls here: http://codetest2.verizonbusiness.com/termsOfUse.aspx against ATL (Active Template Library) vulnerabilities, which started this deep hole in the first place.
More likely than not Internet Explorer has been compiled using the vulnerable ATL. That is why yesterday's two updates cannot be seen separately. It seems unrealistic that all software that has been developed using the vulnerable ATL now has been steemed out,
polonus
Hi malware fighters,
And what was the first third party software that had MS ATL vulnerabilities? Well one could guess…Adobe, yes this was established to be: http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html
Yes the software is on 450 million desktops. Of course you updated to the latest version: http://www.adobe.com/support/security/bulletins/apsb09-11.html where an 8 month old hole was patched, and now it seems again broken because of the recently found ATL issue,
polonus