October 14, 2009, 9:11 PM — Microsoft yesterday wrapped up a months-long job of patching a critical bug it accidently introduced in a crucial code "library," one of the researchers who uncovered the flaw said today.
"They finally released the last patch of Microsoft products yesterday, at least the last for the big attack vectors," said Ryan Smith, the principal research scientist for the Denver-based security consultant company Accuvant. "The patches for [Microsoft] Office closed the last big attack vector for the ATL flaw."
Smith and researchers Mark Dowd and David Dewey, who work for IBM Internet Security Systems' X-Force team, uncovered the bug and first publicly demonstrated how it could be used to attack PCs using Internet Explorer (IE) last July at the Black Hat security conference. Microsoft convinced the trio to stop publicly disclosing their findings until it was able to rush users a pair of emergency updates , which it delivered the day before the Smith-Dowd-Dewey Black Hat presentation.
The same day it delivered the out-of-band updates, Microsoft also acknowledged that an extraneous "&" character in its Active Template Library (ATL), a code library used by both Microsoft and third-party developers to build software, was the root of the bug Smith, Dowd and Dewey discovered.
To fix the flaw, Microsoft was forced to patch its popular Visual Studio development platform, then urged third-party software companies to recompile any applications or code created with the buggy ATL. Microsoft also rooted through its own software for ATL-related bugs, and patched five vulnerabilities in August. At the time, security experts called the ATL-bug update, MS09-037, "awful" and "a handful."
Yesterday, as part of a record-setting security update , Microsoft patched three ATL-related bugs in its Office suite. Smith was credited with reporting two of the three vulnerabilities, while Dewey was named for the third.
"I think this is the end of it for Microsoft," said Smith today, adding that the Office ATL flaws were the only remaining vulnerabilities that he, Dowd and Dewey had uncovered last summer.
All the same, Smith said he was shocked that attackers didn't take advantage of the ATL vulnerabilities before they were patched.
"The original proof of concept was probably the easiest way at the time to exploit a Web browser, and the fact was that it could also be exploited in the same way in Office," said Smith. "So the fact that it wasn't picked up is incredibly surprising to me, considering all the different attack vectors that were available."
Secrecy was key to keeping hackers at bay. "It wasn't public knowledge that [the ATL bug] could be exploited through Office," said Smith. "We tried hard to keep that quiet."
Microsoft also issued a special "kill bit" update Tuesday to disable 15 different ActiveX controls created with the flawed ATL code. The company often sets the kill bits of vulnerable ActiveX controls as a protective measure in lieu of a patch, or as a stop-gap until a patch is available. Among the 15 ActiveX controls, all built by Microsoft for use in IE, were ones called on by its Windows Live Mail, Windows Live Messenger, MSN Photo Upload Tool and Office.
Smith said he expected that Microsoft will eventually patch some, if not all, of the disabled ActiveX controls.
Microsoft delivered the ATL patches for Office yesterday at 1 p.m. ET via its Microsoft Update and Windows Update services, as well as through the enterprise-grade Windows Server Update Services (WSUS).
