Microsoft pushes out ATL, ActiveX fixes

By on
Microsoft pushes out ATL, ActiveX fixes

The software giant has cleaned up its flawed Active Template Library, in addition to issuing a host of other patches.

Microsoft has distributed nine patches, six rated "critical," including one that complemented an out-of-band fix issued late last month.

MS09-037 addresses five vulnerabilities in the Active Template Library (ATL), which, if exploited, could enable execution of remote code if a specially crafted ActiveX control is hosted on a malicious website.

"Microsoft evaluated all of their ActiveX controls that ship in the box and they found five of them that were built on the insecure template library," Eric Schultze, CTO of Shavlik Technologies, provider of patch management solutions, told

The patch was related to an out-of-cycle fix on July 28 that corrected issues in developer tools suite Visual Studio, which leverages the ATL to build ActiveX controls, as well as Internet Explorer.

Tuesday's update also includes a patch for an ActiveX vulnerability -- unrelated to the ATL bulletin -- that is being exploited in the wild. MS09-043 corrects a buggy Spreadsheet ActiveX control in Office Web Components, in addition to three other holes. The issue affects a number of software versions, including Office XP and 2003 Service Pack 3 (SP3) and Internet Security and Acceleration Server 2004 SP3 and 2006.

"We strongly encourage customers to review and deploy this bulletin, if applicable, given that we have seen exploitation in the wild," said Jerry Bryant, a Microsoft security program manager, on the company's Security Response Center Blog.

Other fixes included MS09-038, which took care of two flaws in the way Windows Media files are processed. Attackers can infect users by tricking them into opening a malicious AVI file.

Also, the update repaired two vulnerabilities in the WINS (Windows Internet Name Service) server on Windows 2000 or Server 2003. The flaws could be taken advantage of to launch an "unauthenticated, self-replicating attack across the network," Bryant said.

Jonathan Bitle, technical director at vulnerability management provider Qualys, said the patches should remind administrators to instruct end-users to practise safe computing and not click on untrusted links or files.

"Obviously, education is a key component of all of these [patches]," he told

The update also included a non-security advisory, which announced a new feature called Extended Protection for Authentication, designed to bolster the vetting of network connections to Windows.

See original article on

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition

Most Read Articles

Log In

  |  Forgot your password?