Security Advisory

Microsoft Security Advisory 973882

Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution

Published: July 28, 2009 | Updated: October 13, 2009

Version: 4.0

Microsoft is releasing this security advisory to provide information about our ongoing investigation into vulnerabilities in the public and private versions of Microsoft's Active Template Library (ATL). This advisory also provides guidance as to what developers can do to help ensure that the controls and components they have built are not vulnerable to the ATL issues; what IT Professionals and consumers can do to mitigate potential attacks that use the vulnerabilities; and what Microsoft is doing as part of its ongoing investigation into the issue described in this advisory. This security advisory will also provide a comprehensive listing of all Microsoft Security Bulletins and Security Updates related to the vulnerabilities in ATL. Microsoft's investigation into the private and public versions of ATL is ongoing, and we will release security updates and guidance as appropriate as part of the investigation process.

Microsoft is aware of security vulnerabilities in the public and private versions of ATL. The Microsoft ATL is used by software developers to create controls or components for the Windows platform. The vulnerabilities described in this Security Advisory and Microsoft Security Bulletin MS09-035 could result in information disclosure or remote code execution attacks for controls and components built using vulnerable versions of the ATL. Components and controls created with the vulnerable version of ATL may be exposed to a vulnerable condition due to how ATL is used or due to issues in the ATL code itself.

Developer Guidance: Microsoft has corrected the issues in the public headers of ATL and released updates to the libraries in bulletin MS09-035 "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution." Microsoft strongly recommends that developers who have built controls or components with ATL take immediate action to evaluate their controls for exposure to a vulnerable condition and follow the guidance provided to create controls and components that are not vulnerable. For more information on the vulnerabilities and guidance to address issues in ATL, see MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution."

IT Professional and Consumer Guidance: To help better protect customers while developers update their components and controls, Microsoft has developed a new defense-in-depth technology. This new defense-in-depth technology built into Internet Explorer helps to protect customers from future attacks using the Microsoft Active Template Library vulnerabilities described in this Advisory and Microsoft Security Bulletin MS09-035. To benefit from this new defense-in-depth technology, IT Professionals and consumers should immediately deploy the Internet Explorer Security Update offered in Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer."

This security update includes a mitigation that prevents components and controls built using the vulnerable ATL from being exploited in Internet Explorer, as well as addressing multiple unrelated vulnerabilities. The new defense-in-depth protections offered in MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8. These defense-in-depth protections monitor and help prevent the successful exploitation of all known public and private ATL vulnerabilities, including the vulnerabilities that could lead to bypassing ActiveX's kill bit security feature. These protections are designed to help protect customers from Web-based attacks.

Home User Guidance: To help better protect customers while developers update their components and controls, Microsoft has developed a new defense-in-depth technology. This new defense-in-depth technology built into Internet Explorer with the new update helps to protect customers from future attacks using the Microsoft Active Template Library vulnerabilities described in this Advisory and Microsoft Security Bulletin MS09-035. Home users signed up for Automatic Updates will receive the new Internet Explorer update automatically and do not have to take any further action. Home Users will automatically be better protected from future attacks against the vulnerabilities addressed in this Security Advisory and in Microsoft Security Bulletin MS09-035.

Mitigating Factors for Controls and Components built using vulnerable version of Microsoft's Active Template Library (ATL):

  • By default, the majority of ActiveX controls are not included in the default allow-list for ActiveX controls in Internet Explorer 7 or Internet Explorer 8 running on Windows Vista or later operating systems. Only customers who have explicitly approved vulnerable controls by using the ActiveX opt-in feature are at risk to attempts to exploit this vulnerability. However, if a customer has used such ActiveX controls in a previous version of Internet Explorer, and then later upgraded to Internet Explorer 7 or Internet Explorer 8, then these ActiveX controls are enabled to work in Internet Explorer 7 and Internet Explorer 8, even if the customer has not explicitly approved it using the ActiveX opt-in feature.
  • By default, Internet Explorer 8 offers enhanced protections by enabling DEP/NX memory protections for users on Windows XP Service Pack 3, Windows Vista Service Pack 1 and Windows Vista Service Pack 2, and Windows 7.
  • By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.
  • By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.
  • In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Updates related to ATL:

Update released on October 13, 2009

  • Microsoft Security Bulletin MS09-060, "Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution," provides support for Microsoft Office components that are affected by the ATL vulnerabilities described in this advisory.

Updates released on August 25, 2009

  • Windows Live Messenger 14.0.8089 is being released to address vulnerabilities in the Windows Live Messenger client that are related to the ATL vulnerabilities described in this advisory.
  • A Frequently Asked Questions about Windows Live Components section has been added to this advisory to communicate the removal of the Windows Live Hotmail "Attach Photo" feature and to provide details about the Windows Live Messenger 14.0.8089 release.

Updates released on August 11, 2009

  • Microsoft Security Bulletin MS09-037, "Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution," provides support for Windows components that are affected by the ATL vulnerabilities described in this advisory.
  • Microsoft Security Bulletin MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution," is being rereleased to offer new updates for developers who use Visual Studio to create components and controls for mobile applications using ATL for Smart Devices.

Updates released on July 28, 2009

  • Microsoft Security Bulletin MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution," goes into further detail about the specific vulnerabilities in ATL and provides the updated public ATL headers for vendors to develop updated components and controls. Our investigation has shown that there are Microsoft and third-party components and controls that are affected by this issue and that these components and controls exist on all supported editions of Windows 2000 Service Pack 4, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Developers who used vulnerable versions of the ATL when building controls or components should review this bulletin and take immediate action if their controls are vulnerable.
  • Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer," includes a mitigation that prevents components and controls built using the vulnerable ATL from being exploited in Internet Explorer, as well as addressing multiple unrelated vulnerabilities. The new defense in depth protections offered in MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8. These defense-in-depth protections monitor and help prevent the successful exploitation of all known public and private ATL vulnerabilities, including the vulnerabilities that could lead to bypassing ActiveX's kill bit security feature. These protections are designed to help protect customers from Web-based attacks.
  • We are not aware of any methods or controls included with Windows 7 that would allow attacks to be successful through Internet Explorer.

Update released on July 14, 2009

  • Microsoft Security Bulletin MS09-032, "Cumulative Security Update of ActiveX Kill Bits," provided ActiveX security measures (a kill bit) that prevented the msvidctl control from running in Internet Explorer. The exploit in msvidcntl took advantage of a vulnerability in the private version of ATL. In this specific instance, the vulnerability allows an attacker to corrupt memory, which may lead to a remote code execution. The kill bits issued in the June release for msvidctl (MS09-032) will block the public exploits as described here.

General Information

Overview

Purpose of Advisory: This advisory was released to provide customers with initial notification of the publicly disclosed vulnerability. For more information, see the Workarounds, Mitigating Factors, and Suggested Actions sections of this security advisory.

Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.

References Identification
CVE Reference CVE-2009-0901\ CVE-2009-2493\ CVE-2009-2495\ CVE-2008-0015
Security Bulletin MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution"\ \ MS09-034, "Cumulative Security Update for Internet Explorer"\ \ MS09-032, "Cumulative Security Update of ActiveX Kill Bits"
Microsoft Knowledge Base Article MS09-035:\ Microsoft Knowledge Base Article 969706\ \ MS09-034:\ Microsoft Knowledge Base Article 972260\ \ MS09-032:\ Microsoft Knowledge Base Article 973346

This advisory discusses the following software.

Affected Software
Microsoft Windows
Controls and components created using vulnerable Active Template Library
Microsoft Live Services
Windows Live Messenger (versions less than 14.0.8089)
Windows Live Hotmail "Attach Photo" feature

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of vulnerabilities affecting components and controls built using public and private versions of the Active Template Library (ATL). The advisory aims to make users aware of updates that help mitigate the risk of vulnerable controls and components, provide guidance and direction to developers who have built controls and components using the vulnerable ATL, and to IT professionals on how to protect and install mitigations in their environment.

Will Microsoft release additional security updates related to this Security Advisory in the future?
Microsoft's investigation into the private and public headers of ATL is ongoing and we will release security updates and guidance as appropriate as part of the investigation process.

Was the msvidctl vulnerability (MS09-032) related to this ATL update?
Yes, the exploit in msvidctl took advantage of a vulnerability in the private version of ATL. In this specific instance, the vulnerability allows an attacker to corrupt memory, which may lead to a remote code execution. MS09-032, previously issued in the July 14 release, blocks known attacks for msvidctl. For more information on the exploit in msvidctl, see https://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activex-control-object-in-msvidctl-dll.aspx.

Will the Internet Explorer update (ms09-034) also protect against msvidctl attacks?
Yes, the Internet Explorer mitigations will protect against the exploitation of the known vulnerabilities in the public and private versions of ATL, including the msvidctl attacks.

What is ATL?
The Active Template Library (ATL) is a set of template-based C++ classes that lets you create small, fast Component Object Model (COM) objects. ATL has special support for key COM features, including stock implementations, dual interfaces, standard COM enumerator interfaces, connection points, tear-off interfaces, and ActiveX controls. For more information, see the MSDN article, ATL.

What causes this threat in ATL?
The issue is caused in some cases by the way ATL is used, and in other cases by the ATL code itself. In these cases, data streams may be handled incorrectly, which can lead to memory corruption, information disclosure, and instantiation of objects without regard to security policy. For more information on the vulnerabilities addressed in ATL, see MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution."

What are the differences between the public and private versions of the Active Template Library?
The private version of the Active Template Library is used by Microsoft developers to build controls and components. Microsoft has updated all versions of the Active Template Library used by our developers.

The public version of the Active Template Library is distributed to customers through developer tools, such as Microsoft Visual Studio. Microsoft is providing an updated version of our public ATL through Microsoft Security Bulletin MS09-035.

Will the security vulnerabilities in ATL require Microsoft and third-party developers to issue security updates?
Yes. In addition to the bulletin updates described in this advisory, Microsoft is performing a comprehensive investigation of Microsoft controls and components. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-band security update, depending on customer needs.

Microsoft is also providing guidance and is actively contacting major third-party developers to help them identify vulnerable controls and components. This may result in security updates for third party controls and components.

Frequently Asked Questions about Windows Live Services

How will the upgrade to Windows Live Messenger be distributed?
Upon signing on to Windows Live Messenger service, users of Windows Live Messenger 8.1, Windows Live Messenger 8.5, and Windows Live Messenger 14.0 on supported releases of Windows will be prompted by the client deployment mechanism in the Windows Live Messenger service to accept the upgrade to Windows Live Messenger 14.0.8089. Also, users who desire to download the upgrade to Windows Live Messenger 14.0.8089 immediately may do so by using the Windows Live Download Center. Otherwise, users of vulnerable versions of the Windows Live Messenger clients may not be allowed to connect to the Windows Live Messenger service.

Why is Microsoft releasing the upgrade to Windows Live Messenger over the Windows Live Messenger service as well as providing downloads?
Microsoft currently issues upgrades for the Windows Live Messenger client using the Windows Live Messenger service because these online services have their own client deployment mechanism. However, Microsoft Download Center links are also available for specific Windows Live Messenger clients. Users who desire to download the upgrades immediately may do so at the Windows Live Download Center.

If this is an upgrade, how can I detect if I have a vulnerable version of Windows Live Messenger?
When you attempt to sign on to the Windows Live Messenger service, the client deployment mechanism will automatically determine your current client version and platform and if required, recommend the appropriate upgrade. Also, you may verify your Windows Live Messenger client version by clicking Help and then About.

What happens if I do not upgrade to the most current version of Windows Live Messenger?
If you do not upgrade to a non-affected version of the Windows Live Messenger client, depending on your platform, you will be notified to upgrade on each attempt to sign on. If you do not accept the upgrade, you may not be allowed access to Windows Live Messenger service.

Are other Microsoft Real-Time Collaboration applications, like Windows Messenger or Office Communicator, affected by this vulnerability?
No. Other messaging applications are not affected as they do not contain the vulnerable component.

When did Microsoft remove the Windows Live Hotmail "Attach Photo" feature? Did it coincide with the launch of another new feature?
Microsoft recently made the decision to remove the feature on a short-term basis in order to fix the issue. The temporary removal of this feature did not coincide with the launch of another feature.

What is latest timetable for the "Attach Photo" feature to be fully restored to all Windows Live Hotmail users?
Microsoft is actively working to correct the problem. In the meantime, you are still able to add pictures as attachments to your Hotmail messages by clicking Attach, and then selecting the picture you want to include.

Frequently Asked Questions from Developers about the Visual Studio Update

What causes this threat in ATL?
The issue is caused in some cases by the way ATL is used, and in other cases by the ATL code itself. In these cases, data streams may be handled incorrectly, which can lead to memory corruption, information disclosure, and instantiation of objects without regard to security policy. For more information on the vulnerabilities addressed in ATL, see MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution."

What might an attacker use this vulnerability to do?
For controls and components built using ATL, unsafe usage of certain macros could allow the instantiation of arbitrary objects that can bypass related ActiveX security policy (i.e. kill bits) within Internet Explorer. Additionally, components and controls built using the vulnerable version of ATL may be vulnerable to remote code execution or information disclosure threats. If a user is logged on with administrative user rights, and they have a vulnerable control on their system, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

I am a third-party application developer and I use ATL in my component or control. Is my component or control vulnerable, and if so, how do I update it?
Components and controls may be affected by this issue if certain conditions are met during the building of the component or control. MS09-035 contains additional information, examples, and guidance that third-party developers can use to detect and correct vulnerable components and controls.

What does the Security Update for Visual Studio do?
These updates address vulnerabilities in the Microsoft Active Template Library (ATL) that could allow a remote, unauthenticated user to run arbitrary code on an affected system. These vulnerabilities are in some cases caused by the way that ATL is used, and in other cases by the ATL code itself. Since these vulnerabilities affect ATL, components or controls that were developed using ATL may expose customers using the affected controls and components to remote code execution scenarios.

The security update for Visual Studio updates the vulnerable version of the ATL used by Visual Studio. This allows Visual Studio users to modify and re-build their controls and components using an updated version of the ATL.

Our investigation has shown that both Microsoft and third-party components and controls may be affected by this issue. Therefore, all affected vendors must modify, and rebuild, their components and controls using the corrected ATL provided in Microsoft Security Bulletin MS09-035.

Frequently Asked Questions from IT Professionals about what they can do to protect themselves

Does the IE update MS09-034 protect me from all components and controls that were built on the vulnerable version of ATL?
To help better protect customers while developers update their components and controls, Microsoft has developed a new defense-in-depth technology. This new defense-in-depth technology built into Internet Explorer helps to protect customers from future attacks using the Microsoft Active Template Library vulnerabilities described in this Advisory and in Microsoft Security Bulletin MS09-035. Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer," includes a mitigation that prevents components and controls built using the vulnerable ATL from being exploited in Internet Explorer, as well as addressing multiple unrelated vulnerabilities.

Microsoft is continuing to investigate all Microsoft controls and components and is helping third party developers evaluate their controls and components.

What action can an IT professional take to mitigate exposure to this issue?
Microsoft strongly recommends that IT professionals immediately deploy the Internet Explorer Security Update offered in Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer."

Frequently Asked Questions about what Consumers can do to protect themselves

What action can consumers take to mitigate exposure to this issue?
To help better protect customers while developers update their components and controls, Microsoft has developed a new defense-in-depth technology. This new defense-in-depth technology built into Internet Explorer helps to protect customers from future attacks using the Microsoft Active Template Library vulnerabilities described in this Advisory and in Microsoft Security Bulletin MS09-035. Microsoft strongly recommends that consumers turn on Automatic Update and immediately deploy the Internet Explorer Security Update offered in Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer." Home users who receive updates automatically will receive the mitigations provided in the cumulative IE update and other security updates related to this issue, and do not have to take further action.

Microsoft also encourages Home users to upgrade to Internet Explorer 8 to benefit from enhanced security and protections.

Frequently asked Questions about the mitigations in Internet Explorer Update

What causes this threat which could allow the bypass of ActiveX security?
ActiveX controls built with vulnerable ATL methods may not correctly validate information. This could result in an ActiveX control that allows memory corruption, or allows an attacker to leverage a trusted ActiveX control to load an un-trusted ActiveX control that had been previously blocked from running in Internet Explorer.

The new defense in depth protections offered in MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8, that monitor and prevent the successful exploitation of all known public and private ATL vulnerabilities, including the vulnerabilities that could lead to bypassing the IE kill bit security feature. These protections are designed to protect customers from Web-based attacks.

What might an attacker use this function to do?
An attacker who successfully exploited this vulnerability on Windows Vista or Windows 2008 would only gain rights as a restricted user due to Protect Mode in Internet Explorer. On other Windows systems, the attacker could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an Attacker use this function?
An attacker could host a Web site that is designed to host a specially crafted ActiveX control and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an instant messenger request that takes users to the attacker's Web site.

What is a kill bit?
A security feature in Microsoft Internet Explorer makes it possible to prevent an ActiveX control from being loaded by the Internet Explorer HTML-rendering engine. This is done by making a registry setting and is referred to as "setting the kill bit." After the kill bit is set, the control can never be loaded, even when it is fully installed. Setting the kill bit makes sure that even if a vulnerable component is introduced or is re-introduced to a system, it remains inert and harmless.

For more information on kill bits, see Microsoft Knowledge Base Article 240797: How to stop an ActiveX control from running in Internet Explorer. For more detailed information on kill bits and how they function within Internet Explorer see the following Security Research and Defense blog post.

What does the update do?
The update strengthens the ActiveX security mechanism by providing validation when unsafe methods are used by ActiveX controls using vulnerable ATL headers in specific configurations.

Does this update change functionality?
Yes. This update no longer allows specific sets of ATL methods to run within Internet Explorer. The update mitigates the risk of bypassing active security by preventing trusted ActiveX controls from loading un-trusted controls

Does this update contain additional software changes?
Yes. This update also contains additional security fixes and other updates to Internet Explorer as part of the cumulative update for Internet Explorer.

Does this update address all unsafe ActiveX control scenarios?
No. This update specifically addresses unsafe/un-trusted ActiveX controls that may be vulnerable to the ATL issues described in this Advisory to protect customers from attack when browsing the Internet.

Microsoft is continuing to investigate this issue. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-band security update, depending on customer needs.

How does Protected Mode in Internet Explorer 7 and Internet Explorer 8 on Windows Vista and later protect me from this vulnerability?
Internet Explorer 7 and Internet Explorer 8 on Windows Vista and later operating systems run in Protected Mode by default in the Internet security zone. Protected Mode significantly reduces the ability of an attacker to write, alter, or destroy data on the user’s machine or to install malicious code. This is accomplished by using the integrity mechanisms of Windows Vista and later, which restrict access to processes, files, and registry keys with higher integrity levels.

What is Data Execution Prevention (DEP)?
Data Execution Prevention (DEP) is enabled by default in Internet Explorer 8. DEP is designed to help foil attacks by preventing code from running in memory that is marked non-executable. For more information about DEP in Internet Explorer, please see the following post: https://blogs.msdn.com/ie/archive/2008/04/08/ie8-security-part-I_3A00_-dep-nx-memory-protection.aspx.

Suggested Actions

  • Review the Microsoft Knowledge Base Article that is associated with this advisory

    Customers who are interested in learning more about the ATL issues should review Microsoft Knowledge Base Article 973882.

  • Apply the updates associated with security bulletins MS09-034 and MS09-035

    Customers with affected systems can download the updates from Microsoft Knowledge Base Article 969706 and from Microsoft Knowledge Base Article 972260. The Internet Explorer update provides new mitigations that prevent the instantiation of vulnerable ActiveX controls within Internet Explorer 7 and 8. The Visual Studio update allows developers to create ActiveX controls that are not affect by these vulnerabilities.

  • Protect Your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.

  • For more information about staying safe on the Internet, customers should visit Microsoft Security Central.

  • Keep Windows Updated

    All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Workarounds

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones

You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls and Active Scripting. You can do this by setting your browser security to High.

To raise the browsing security level in Microsoft Internet Explorer, follow these steps:

  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
  3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

Note If no slider is visible, click Default Level, and then move the slider to High.

Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

Impact of Workaround: There are side effects to prompting before running ActiveX controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone”.

Add sites that you trust to the Internet Explorer Trusted sites zone

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To accomplish this, follow these steps:

  1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
  2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
  3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
  4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
  5. Repeat these steps for each site that you want to add to the zone.
  6. Click OK two times to accept the changes and return to Internet Explorer.

Note Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.

Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

You can help protect against this vulnerability by changing your Internet Explorer settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, follow these steps:

  1. In Internet Explorer, click Internet Options on the Tools menu.
  2. Click the Security tab.
  3. Click Internet, and then click Custom Level.
  4. Under Settings, in the Scripting section, under Active Scripting, click Promptor Disable, and then click OK.
  5. Click Local intranet, and then click Custom Level.
  6. Under Settings, in the Scripting section, under Active Scripting, click Promptor Disable, and then click OK.
  7. Click OK two times to return to Internet Explorer.

Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.

Impact of Workaround: There are side effects to prompting before running Active Scripting. Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".

Add sites that you trust to the Internet Explorer Trusted sites zone

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To accomplish this, follow these steps:

  1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
  2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
  3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
  4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
  5. Repeat these steps for each site that you want to add to the zone.
  6. Click OK two times to accept the changes and return to Internet Explorer.

Note Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.

Other Information

Resources:

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (July 28, 2009): Advisory published.
  • V2.0 (August 11, 2009): Advisory revised to add entries in the Updates related to ATL section to communicate the release of Microsoft Security Bulletin MS09-037, "Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution," and the rerelease of Microsoft Security Bulletin MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution," to offer additional updates.
  • V3.0 (August 25, 2009): Advisory revised to provide details about the Windows Live Messenger 14.0.8089 release and to communicate the removal of the Windows Live Hotmail "Attach Photo" feature.
  • V4.0 (October 13, 2009): Advisory revised to add an entry in the Updates related to ATL section to communicate the release of Microsoft Security Bulletin MS09-060, "Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution."

Built at 2014-04-18T13:49:36Z-07:00