Microsoft Security Advisory (973882)

Purpose of Advisory: This advisory was released to provide customers with initial notification of the publicly disclosed vulnerability. For more information, see the Workarounds, Mitigating Factors, and Suggested Actions sections of this security advisory.

Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.

This advisory discusses the following software.

What is the scope of the advisory?
Microsoft is aware of vulnerabilities affecting components and controls built using public and private versions of the Active Template Library (ATL). The advisory aims to make users aware of updates that help mitigate the risk of vulnerable controls and components, provide guidance and direction to developers who have built controls and components using the vulnerable ATL, and to IT professionals on how to protect and install mitigations in their environment.

Will Microsoft release additional security updates related to this Security Advisory in the future?
Microsoft's investigation into the private and public headers of ATL is ongoing and we will release security updates and guidance as appropriate as part of the investigation process.

Was the msvidctl vulnerability (MS09-032) related to this ATL update?
Yes, the exploit in msvidctl took advantage of a vulnerability in the private version of ATL. In this specific instance, the vulnerability allows an attacker to corrupt memory, which may lead to a remote code execution. MS09-032, previously issued in the July 14 release, blocks known attacks for msvidctl. For more information on the exploit in msvidctl, see http://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activex-control-object-in-msvidctl-dll.aspx.

Will the Internet Explorer update (ms09-034) also protect against msvidctl attacks?
Yes, the Internet Explorer mitigations will protect against the exploitation of the known vulnerabilities in the public and private versions of ATL, including the msvidctl attacks.

What is ATL?
The Active Template Library (ATL) is a set of template-based C++ classes that lets you create small, fast Component Object Model (COM) objects. ATL has special support for key COM features, including stock implementations, dual interfaces, standard COM enumerator interfaces, connection points, tear-off interfaces, and ActiveX controls. For more information, see the MSDN article, ATL.

What causes this threat in ATL?
The issue is caused in some cases by the way ATL is used, and in other cases by the ATL code itself. In these cases, data streams may be handled incorrectly, which can lead to memory corruption, information disclosure, and instantiation of objects without regard to security policy. For more information on the vulnerabilities addressed in ATL, see MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution."

What are the differences between the public and private versions of the Active Template Library?
The private version of the Active Template Library is used by Microsoft developers to build controls and components. Microsoft has updated all versions of the Active Template Library used by our developers.

The public version of the Active Template Library is distributed to customers through developer tools, such as Microsoft Visual Studio. Microsoft is providing an updated version of our public ATL through Microsoft Security Bulletin MS09-035.

Will the security vulnerabilities in ATL require Microsoft and third-party developers to issue security updates?
Yes. In addition to the bulletin updates described in this advisory, Microsoft is performing a comprehensive investigation of Microsoft controls and components. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-band security update, depending on customer needs.

Microsoft is also providing guidance and is actively contacting major third-party developers to help them identify vulnerable controls and components. This may result in security updates for third party controls and components.

How will the upgrade to Windows Live Messenger be distributed?
Upon signing on to Windows Live Messenger service, users of Windows Live Messenger 8.1, Windows Live Messenger 8.5, and Windows Live Messenger 14.0 on supported releases of Windows will be prompted by the client deployment mechanism in the Windows Live Messenger service to accept the upgrade to Windows Live Messenger 14.0.8089. Also, users who desire to download the upgrade to Windows Live Messenger 14.0.8089 immediately may do so by using the Windows Live Download Center. Otherwise, users of vulnerable versions of the Windows Live Messenger clients may not be allowed to connect to the Windows Live Messenger service.

Why is Microsoft releasing the upgrade to Windows Live Messenger over the Windows Live Messenger service as well as providing downloads?
Microsoft currently issues upgrades for the Windows Live Messenger client using the Windows Live Messenger service because these online services have their own client deployment mechanism. However, Microsoft Download Center links are also available for specific Windows Live Messenger clients. Users who desire to download the upgrades immediately may do so at the Windows Live Download Center.

If this is an upgrade, how can I detect if I have a vulnerable version of Windows Live Messenger? 
When you attempt to sign on to the Windows Live Messenger service, the client deployment mechanism will automatically determine your current client version and platform and if required, recommend the appropriate upgrade. Also, you may verify your Windows Live Messenger client version by clicking Help and then About.

What happens if I do not upgrade to the most current version of Windows Live Messenger?
If you do not upgrade to a non-affected version of the Windows Live Messenger client, depending on your platform, you will be notified to upgrade on each attempt to sign on. If you do not accept the upgrade, you may not be allowed access to Windows Live Messenger service.

Are other Microsoft Real-Time Collaboration applications, like Windows Messenger or Office Communicator, affected by this vulnerability?
No. Other messaging applications are not affected as they do not contain the vulnerable component.

When did Microsoft remove the Windows Live Hotmail "Attach Photo" feature? Did it coincide with the launch of another new feature?
Microsoft recently made the decision to remove the feature on a short-term basis in order to fix the issue. The temporary removal of this feature did not coincide with the launch of another feature.

What is latest timetable for the "Attach Photo" feature to be fully restored to all Windows Live Hotmail users?
Microsoft is actively working to correct the problem. In the meantime, you are still able to add pictures as attachments to your Hotmail messages by clicking Attach, and then selecting the picture you want to include.

What causes this threat in ATL?
The issue is caused in some cases by the way ATL is used, and in other cases by the ATL code itself. In these cases, data streams may be handled incorrectly, which can lead to memory corruption, information disclosure, and instantiation of objects without regard to security policy. For more information on the vulnerabilities addressed in ATL, see MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution."

What might an attacker use this vulnerability to do?
For controls and components built using ATL, unsafe usage of certain macros could allow the instantiation of arbitrary objects that can bypass related ActiveX security policy (i.e. kill bits) within Internet Explorer. Additionally, components and controls built using the vulnerable version of ATL may be vulnerable to remote code execution or information disclosure threats. If a user is logged on with administrative user rights, and they have a vulnerable control on their system, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

I am a third-party application developer and I use ATL in my component or control. Is my component or control vulnerable, and if so, how do I update it? 
Components and controls may be affected by this issue if certain conditions are met during the building of the component or control. MS09-035 contains additional information, examples, and guidance that third-party developers can use to detect and correct vulnerable components and controls.

What does the Security Update for Visual Studio do?
These updates address vulnerabilities in the Microsoft Active Template Library (ATL) that could allow a remote, unauthenticated user to run arbitrary code on an affected system. These vulnerabilities are in some cases caused by the way that ATL is used, and in other cases by the ATL code itself. Since these vulnerabilities affect ATL, components or controls that were developed using ATL may expose customers using the affected controls and components to remote code execution scenarios.

The security update for Visual Studio updates the vulnerable version of the ATL used by Visual Studio. This allows Visual Studio users to modify and re-build their controls and components using an updated version of the ATL.

Our investigation has shown that both Microsoft and third-party components and controls may be affected by this issue. Therefore, all affected vendors must modify, and rebuild, their components and controls using the corrected ATL provided in Microsoft Security Bulletin MS09-035.

Does the IE update MS09-034 protect me from all components and controls that were built on the vulnerable version of ATL?
To help better protect customers while developers update their components and controls, Microsoft has developed a new defense-in-depth technology. This new defense-in-depth technology built into Internet Explorer helps to protect customers from future attacks using the Microsoft Active Template Library vulnerabilities described in this Advisory and in Microsoft Security Bulletin MS09-035. Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer," includes a mitigation that prevents components and controls built using the vulnerable ATL from being exploited in Internet Explorer, as well as addressing multiple unrelated vulnerabilities.

Microsoft is continuing to investigate all Microsoft controls and components and is helping third party developers evaluate their controls and components.

What action can an IT professional take to mitigate exposure to this issue?
Microsoft strongly recommends that IT professionals immediately deploy the Internet Explorer Security Update offered in Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer."

What action can consumers take to mitigate exposure to this issue?
To help better protect customers while developers update their components and controls, Microsoft has developed a new defense-in-depth technology. This new defense-in-depth technology built into Internet Explorer helps to protect customers from future attacks using the Microsoft Active Template Library vulnerabilities described in this Advisory and in Microsoft Security Bulletin MS09-035. Microsoft strongly recommends that consumers turn on Automatic Update and immediately deploy the Internet Explorer Security Update offered in Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer." Home users who receive updates automatically will receive the mitigations provided in the cumulative IE update and other security updates related to this issue, and do not have to take further action.

Microsoft also encourages Home users to upgrade to Internet Explorer 8 to benefit from enhanced security and protections.

What causes this threat which could allow the bypass of ActiveX security?
ActiveX controls built with vulnerable ATL methods may not correctly validate information. This could result in an ActiveX control that allows memory corruption, or allows an attacker to leverage a trusted ActiveX control to load an un-trusted ActiveX control that had been previously blocked from running in Internet Explorer.

The new defense in depth protections offered in MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8, that monitor and prevent the successful exploitation of all known public and private ATL vulnerabilities, including the vulnerabilities that could lead to bypassing the IE kill bit security feature. These protections are designed to protect customers from Web-based attacks.

What might an attacker use this function to do?
An attacker who successfully exploited this vulnerability on Windows Vista or Windows 2008 would only gain rights as a restricted user due to Protect Mode in Internet Explorer. On other Windows systems, the attacker could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an Attacker use this function?
An attacker could host a Web site that is designed to host a specially crafted ActiveX control and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an instant messenger request that takes users to the attacker's Web site.

What is a kill bit?
A security feature in Microsoft Internet Explorer makes it possible to prevent an ActiveX control from being loaded by the Internet Explorer HTML-rendering engine. This is done by making a registry setting and is referred to as "setting the kill bit." After the kill bit is set, the control can never be loaded, even when it is fully installed. Setting the kill bit makes sure that even if a vulnerable component is introduced or is re-introduced to a system, it remains inert and harmless.

For more information on kill bits, see Microsoft Knowledge Base Article 240797: How to stop an ActiveX control from running in Internet Explorer. For more detailed information on kill bits and how they function within Internet Explorer see the following Security Research and Defense blog post.

What does the update do?
The update strengthens the ActiveX security mechanism by providing validation when unsafe methods are used by ActiveX controls using vulnerable ATL headers in specific configurations.

Does this update change functionality?
Yes. This update no longer allows specific sets of ATL methods to run within Internet Explorer. The update mitigates the risk of bypassing active security by preventing trusted ActiveX controls from loading un-trusted controls

Does this update contain additional software changes?
Yes. This update also contains additional security fixes and other updates to Internet Explorer as part of the cumulative update for Internet Explorer.

Does this update address all unsafe ActiveX control scenarios?
No. This update specifically addresses unsafe/un-trusted ActiveX controls that may be vulnerable to the ATL issues described in this Advisory to protect customers from attack when browsing the Internet.

Microsoft is continuing to investigate this issue. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-band security update, depending on customer needs.

How does Protected Mode in Internet Explorer 7 and Internet Explorer 8 on Windows Vista and later protect me from this vulnerability?
Internet Explorer 7 and Internet Explorer 8 on Windows Vista and later operating systems run in Protected Mode by default in the Internet security zone. Protected Mode significantly reduces the ability of an attacker to write, alter, or destroy data on the user’s machine or to install malicious code. This is accomplished by using the integrity mechanisms of Windows Vista and later, which restrict access to processes, files, and registry keys with higher integrity levels.

What is Data Execution Prevention (DEP)?
Data Execution Prevention (DEP) is enabled by default in Internet Explorer 8. DEP is designed to help foil attacks by preventing code from running in memory that is marked non-executable. For more information about DEP in Internet Explorer, please see the following post: http://blogs.msdn.com/ie/archive/2008/04/08/ie8-security-part-I_3A00_-dep-nx-memory-protection.aspx.

• Review the Microsoft Knowledge Base Article that is associated with this advisory
  
  Customers who are interested in learning more about the ATL issues should review Microsoft Knowledge Base Article 973882.
• Apply the updates associated with security bulletins MS09-034 and MS09-035
  
  Customers with affected systems can download the updates from Microsoft Knowledge Base Article 969706 and from Microsoft Knowledge Base Article 972260. The Internet Explorer update provides new mitigations that prevent the instantiation of vulnerable ActiveX controls within Internet Explorer 7 and 8. The Visual Studio update allows developers to create ActiveX controls that are not affect by these vulnerabilities.
• Protect Your PC
  
  We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.
• For more information about staying safe on the Internet, customers should visit Microsoft Security Central.
• Keep Windows Updated
  
  All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.