Setting killbit as patch won't do anymore... ActiveX patch circumvented!

Hi malware fighters,

MS has to come up with an out of band patch, because setting a killbit for an insecure ActiveX control is not enough and can now be circumvented by hackers: http://blogs.iss.net/archive/Blackhat09.html
This hole really created some panic at Microsoft, because this means a gigantic problem:
http://www.pcworld.com/businesscenter/article/169122/microsoft_rushes_to_fix_ie_killbit_bypass_attack.html
By just visiting a malicious website hackers can do whatever they please even if a patch is being installed.
Why go on with a concept that was a big mistake from day 1 - ActiveX is an insecure concept period…
Here is a glimpse of the presentation of this 0-day: http://www.hustlelabs.com/bh2009preview/

The underlying Library issues and the OS dll’s that could be involved deeper down are discussed here:
http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html

polonus

Thanks for the information polonus

Found it worrisome to say the least.

pete

Wonder what will happen to Javacool’s Spyware Blaster, whose primary protection is setting registry killbits?

Bet Larry Seltzer feels like a knob every time he’s reminded of this:

http://www.eweek.com/c/a/Security/The-Lame-Blame-of-ActiveX/

@ FreewheelinFrank

Pundits of Microsoft are many and many are armchair critics.

Looks like the critics were right.

Hi FwF,

Maybe MS has done some immediate damage containment through the special out of band ServicePack with defense in depth measures (http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx), but there are many third party software developers that also joined the ActiveX bandwagon, they can test their controls here: http://codetest2.verizonbusiness.com/termsOfUse.aspx against ATL (Active Template Library) vulnerabilities, which started this deep hole in the first place.

More likely than not Internet Explorer has been compiled using the vulnerable ATL. That is why yesterday's two updates cannot be seen separately. It seems unrealistic that all software that has been developed using the vulnerable ATL now has been steemed out,

polonus

Hi malware fighters,

And what was the first third party software that had MS ATL vulnerabilities? Well one could guess…Adobe, yes this was established to be: http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html

Yes the software is on 450 million desktops. Of course you updated to the latest version: http://www.adobe.com/support/security/bulletins/apsb09-11.html where an 8 month old hole was patched, and now it seems again broken because of the recently found ATL issue,

polonus