Urgent Security Update for ActiveX Component Ahead of Black Hat

When was the last time you heard about a Linux security vulnerability that was not fixed for more than a year? This article talks about how Microsoft has ineffectively handled a significant vulnerability present in all versions of Windows, and only with Black Hat coming are they finally addressing it.On Tuesday, Microsoft will slap a permanent patch on a video streaming ActiveX control used by Internet Explorer (IE), addressing a vulnerability that it has known about, but not fixed, for more than a year. Two weeks ago, Microsoft issued a "kill bit" update that, rather than address the underlying problem, disabled the ActiveX control to stymie attacks that were already in progress. It's also slated a fix for Visual Studio, Microsoft's popular development platform.

Although Microsoft has not spelled out exactly what it will patch with the two "out-of-band" updates, the term for security updates released outside the company's once-a-month schedule, earlier this month researchers pointed fingers at the Active Template Library (ATL), a code "library" used not only by Microsoft's own developers, but also by third-party software programmers to access some features within Windows.

Two German researchers; Thomas Dullien, the CEO and head of research at Zynamics GmbH, and Dennis Elser -- dug into the bug within the ActiveX control, the "msvidctl.dll" file, that streams video content. They found that it stemmed from a simple programming mistake in a function called "ATL::CComVariant::ReadFromStream."

The link for this article located at CSO Online is no longer available.