Microsoft patches last major ATL bugs

Latest fixes for code library typo close 'last big attack vector,' says researcher

Microsoft yesterday wrapped up a months-long job of patching a critical bug it accidently introduced in a crucial code "library," one of the researchers who uncovered the flaw said today.

"They finally released the last patch of Microsoft products yesterday, at least the last for the big attack vectors," said Ryan Smith, the principal research scientist for the Denver-based security consultant company Accuvant. "The patches for [Microsoft] Office closed the last big attack vector for the ATL flaw."

Smith and researchers Mark Dowd and David Dewey, who work for IBM Internet Security Systems' X-Force team, uncovered the bug and first publicly demonstrated how it could be used to attack PCs using Internet Explorer (IE) last July at the Black Hat security conference. Microsoft convinced the trio to stop publicly disclosing their findings until it was able to rush users a pair of emergency updates , which it delivered the day before the Smith-Dowd-Dewey Black Hat presentation.

The same day it delivered the out-of-band updates, Microsoft also acknowledged that an extraneous "&" character in its Active Template Library (ATL), a code library used by both Microsoft and third-party developers to build software, was the root of the bug Smith, Dowd and Dewey discovered.

To fix the flaw, Microsoft was forced to patch its popular Visual Studio development platform, then urged third-party software companies to recompile any applications or code created with the buggy ATL. Microsoft also rooted through its own software for ATL-related bugs, and patched five vulnerabilities in August. At the time, security experts called the ATL-bug update, MS09-037, "awful" and "a handful."

Yesterday, as part of a record-setting security update , Microsoft patched three ATL-related bugs in its Office suite. Smith was credited with reporting two of the three vulnerabilities, while Dewey was named for the third.

"I think this is the end of it for Microsoft," said Smith today, adding that the Office ATL flaws were the only remaining vulnerabilities that he, Dowd and Dewey had uncovered last summer.

All the same, Smith said he was shocked that attackers didn't take advantage of the ATL vulnerabilities before they were patched.

"The original proof of concept was probably the easiest way at the time to exploit a Web browser, and the fact was that it could also be exploited in the same way in Office," said Smith. "So the fact that it wasn't picked up is incredibly surprising to me, considering all the different attack vectors that were available."

Secrecy was key to keeping hackers at bay. "It wasn't public knowledge that [the ATL bug] could be exploited through Office," said Smith. "We tried hard to keep that quiet."

Microsoft also issued a special "kill bit" update Tuesday to disable 15 different ActiveX controls created with the flawed ATL code. The company often sets the kill bits of vulnerable ActiveX controls as a protective measure in lieu of a patch, or as a stop-gap until a patch is available. Among the 15 ActiveX controls, all built by Microsoft for use in IE, were ones called on by its Windows Live Mail, Windows Live Messenger, MSN Photo Upload Tool and Office.

Smith said he expected that Microsoft will eventually patch some, if not all, of the disabled ActiveX controls.

Microsoft delivered the ATL patches for Office yesterday at 1 p.m. ET via its Microsoft Update and Windows Update services, as well as through the enterprise-grade Windows Server Update Services (WSUS).

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Microsoftbugsatl bugs

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments



Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?