Today saw Microsoft release an out-of-band update for Visual Studio correcting a vulnerability in the Active Template Library (ATL). Any control compiled with previous versions of ATL may allow remote code execution and must be recompiled, with the corrected version distributed as soon as possible. This vulnerability affects Visual Studio 2003, 2005 and 2008. Microsoft have a dedicated page for the problem on the Microsoft Security site.

The Security Research and Defense blog also has an overview of the release along with a great list of further resources:

  • MS09-034: Internet Explorer bulletin
  • MS09-035: Visual Studio bulletin
  • Security Advisory (KB973882)
  • Resource article, Active Template Library security update and developers
  • SRD blog, ATL vulnerability developer deep dive
  • SRD blog, Internet Explorer Mitigations for ATL Data Stream Vulnerabilities
  • SRD blog, MSVIDCTL (MS09-032) and the ATL vulnerability
  • SRD blog, Overview of the out-of-band release (this blog post)
  • SDL blog, ATL, MS09-035 and the SDL
  • MSRC blog, Advisory and Bulletins Released
  • BlueHat blog, Security researcher perspective
  • EcoStrat blog, Threat Complexity Requires New Levels of Collaboration
  • Channel 9 video, "Inside the ATL Security Update" (developer guidance)
Consumers should install the patch delivered with MS09-034 to protect themselves. It will be delivered automatically to your computer if you have automatic updates turned on; if you don’t have them turned on, or you’re not sure, Microsoft provide instructions on how to configure automatic updates.

If you’re a developer you have a lot of reading ahead. If your company has shipped a control which you cannot fix, or whose lifetime has long since passed, then please consider contacting the SRD folks so they can issue a kill-bit and disable your control for end-users. You can find the email address at the end of the SRD blog post.
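As an added illustration that is not part of the original post or Microsoft's tooling: a PowerShell check for whether a given control's CLSID already carries the Internet Explorer kill-bit the SRD team can issue. The CLSID in the usage line is a placeholder, not a real control identifier.

```powershell
# Added example: report whether an ActiveX CLSID has the IE kill-bit set.
# IE reads the "Compatibility Flags" DWORD under the ActiveX Compatibility key;
# bit 0x400 is the kill-bit that prevents the control from loading.
function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    $KillBit = 0x400
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        # 32-bit registry view on 64-bit Windows (used by 32-bit IE)
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )

    foreach ($p in $paths) {
        if (Test-Path $p) {
            $flags = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $flags -and ($flags -band $KillBit) -ne 0) {
                return [pscustomobject]@{ Clsid = $Clsid; KillBit = $true; Path = $p }
            }
        }
    }
    # No key, or the flag value does not include the kill-bit
    return [pscustomobject]@{ Clsid = $Clsid; KillBit = $false; Path = $null }
}

# Usage: replace the placeholder (assumed, all-zero) CLSID with the one your control registers.
Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

A `KillBit` of `$true` means end-users with that entry are already protected from the old control; `$false` means the control can still be instantiated and the recompiled version should be shipped.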
