MS09-035 Zero Day bug
-
http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx[^] We are struggling with how we advise our customers about this issue as we have active-x components in our product. Here’s a Washington Post article giving some back ground from an independent source: http://voices.washingtonpost.com/securityfix/2009/07/microsofts_emergency_patch_mes.html?wprss=securityfix[^] The corrective solution is apply the emergency security patches that Microsoft release for Visual Studio and recompile/re-distribute code to our customers. This also involves installation of new runtime support for Visual Studio code. It looks like none of the components we produced are vulnerable, however one component in a third party library that we use looks like it might be. We have source to the third party library and can recompile it. These components are not typically used with a browser so we think it would take some form social engineering attack to use them as a attack vector. But given an exploitable flaw we are holding up a release to get this update into it. Questions? 1. Do you think the C++ runtimes are vulnerable. I.E. All old applications should be updated so the old C++ run time redistributables can be removed from the environment? 2. How big of an emergency notice should we send out to our customers? Is this potentially a mini Y2K? 3. Does this problem potentionally affect customers of code developed with Visual Studio 97?
-
http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx[^] We are struggling with how we advise our customers about this issue as we have active-x components in our product. Here’s a Washington Post article giving some back ground from an independent source: http://voices.washingtonpost.com/securityfix/2009/07/microsofts_emergency_patch_mes.html?wprss=securityfix[^] The corrective solution is apply the emergency security patches that Microsoft release for Visual Studio and recompile/re-distribute code to our customers. This also involves installation of new runtime support for Visual Studio code. It looks like none of the components we produced are vulnerable, however one component in a third party library that we use looks like it might be. We have source to the third party library and can recompile it. These components are not typically used with a browser so we think it would take some form social engineering attack to use them as a attack vector. But given an exploitable flaw we are holding up a release to get this update into it. Questions? 1. Do you think the C++ runtimes are vulnerable. I.E. All old applications should be updated so the old C++ run time redistributables can be removed from the environment? 2. How big of an emergency notice should we send out to our customers? Is this potentially a mini Y2K? 3. Does this problem potentionally affect customers of code developed with Visual Studio 97?
Hi Fred, I can give you some feedback but you should not consider this as security advice.
fredsparkle wrote:
1. Do you think the C++ runtimes are vulnerable. I.E. All old applications should be updated so the old C++ run time redistributables can be removed from the environment?
No, my understanding is that MS09-035 only effects components built with ATL. You can use this graph to determine if your component is effected. Active Template Library Security Update for Developers[^]
fredsparkle wrote:
2. How big of an emergency notice should we send out to our customers? Is this potentially a mini Y2K?
If your customers are using your ActiveX components in an internet browser and/or your components are marked as safe for scripting then I would consider this a critical situation.
fredsparkle wrote:
3. Does this problem potentionally affect customers of code developed with Visual Studio 97?
My understanding is that this flaw was introduced in Visual Studio 2003 SP1. The flaw exists in the ATL source code distributed with this update. I do not believe Visual Studio 97 is effected. More information: Security Bulletin Webcast Q&A - OOB July 2009[^] I would recommend calling Microsoft customer support services at 1-866-PCSAFETY. Microsoft does not charge for security related issues. Best Wishes, -David Delaune
-
http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx[^] We are struggling with how we advise our customers about this issue as we have active-x components in our product. Here’s a Washington Post article giving some back ground from an independent source: http://voices.washingtonpost.com/securityfix/2009/07/microsofts_emergency_patch_mes.html?wprss=securityfix[^] The corrective solution is apply the emergency security patches that Microsoft release for Visual Studio and recompile/re-distribute code to our customers. This also involves installation of new runtime support for Visual Studio code. It looks like none of the components we produced are vulnerable, however one component in a third party library that we use looks like it might be. We have source to the third party library and can recompile it. These components are not typically used with a browser so we think it would take some form social engineering attack to use them as a attack vector. But given an exploitable flaw we are holding up a release to get this update into it. Questions? 1. Do you think the C++ runtimes are vulnerable. I.E. All old applications should be updated so the old C++ run time redistributables can be removed from the environment? 2. How big of an emergency notice should we send out to our customers? Is this potentially a mini Y2K? 3. Does this problem potentionally affect customers of code developed with Visual Studio 97?
Like many well publicized vulnerabilities, this one is actually rather narrow in the risk. Your application may not even be affected. The following blog clarifies this a little: http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx[^] This isn't remotely close to a mini Y2K (which was also overhyped) and anyone keeping their systems up-to-date have little to fear. Those who don't have FAR worse vulnerabilities to worry about.