Microsoft Rushes Clutch Patch for 'Deep' Bug in Windows

    Date27 Jul 2009
    CategoryHacks/Cracks
    3995
    Posted ByDave Wreski
    When was the last time you heard about a Linux security vulnerability that was not fixed for more than a year? This article talks about how Microsoft has ineffectively handled a significant vulnerability present in all versions of Windows, and only with Black Hat coming are they finally addressing it.On Tuesday, Microsoft will slap a permanent patch on a video streaming ActiveX control used by Internet Explorer (IE), addressing a vulnerability that it has known about, but not fixed, for more than a year. Two weeks ago, Microsoft issued a "kill bit" update that, rather than address the underlying problem, disabled the ActiveX control to stymie attacks that were already in progress. It's also slated a fix for Visual Studio, Microsoft's popular development platform.

    Although Microsoft has not spelled out exactly what it will patch with the two "out-of-band" updates, the term for security updates released outside the company's once-a-month schedule, earlier this month researchers pointed fingers at the Active Template Library (ATL), a code "library" used not only by Microsoft's own developers, but also by third-party software programmers to access some features within Windows.

    Two German researchers; Thomas Dullien, the CEO and head of research at Zynamics GmbH, and Dennis Elser -- dug into the bug within the ActiveX control, the "msvidctl.dll" file, that streams video content. They found that it stemmed from a simple programming mistake in a function called "ATL::CComVariant::ReadFromStream."

    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    Do you read our distribution advisories on a regular basis?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /component/communitypolls/?task=poll.vote&format=json
    23
    radio
    [{"id":"84","title":"Yes, for a single distribution","votes":"0","type":"x","order":"1","pct":0,"resources":[]},{"id":"85","title":"Yes, for multiple distributions","votes":"6","type":"x","order":"2","pct":60,"resources":[]},{"id":"86","title":"No","votes":"4","type":"x","order":"3","pct":40,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.