The Active Template Library Vulnerability: What You Need to Know

July 30, 2009

On July 28, 2009, Microsoft published two out-of-band security bulletins, MS09-034 and MS09-035, for Internet Explorer and Visual Studio’s Active Template Library. These bulletins are related to MS09-032, which, among other things, disabled a vulnerable version of Microsoft’s MPEG2TuneRequest ActiveX Control Object. Cisco has released a Security Advisory that details which products are impacted by this issue as well as those that are not. The team that discovered this vulnerability, Ryan Smith, Mark Dowd and David Dewey, shared their research at Black Hat USA this week. In this post, we share some insight into these vulnerabilities and offer advice that can help you minimize the risk of criminals exploiting them to compromise your network.

The Active Template Library (ATL) is used by software developers to create ActiveX controls, the helper applications that the Microsoft Internet Explorer web browser uses to display rich content. Three of the most commonly used ActiveX controls are Adobe Flash, Apple QuickTime, and Microsoft Windows Media Player. ActiveX is a big part of Web 2.0, the technologies that enable user collaboration. You might know these ActiveX controls better as “Add-ons.”


Most of the ActiveX controls that we use in our web browser make use of external data, like movie and sound files. Software developers must implement safeguards to ensure that this external data does not compromise the security of your web browser. An ActiveX control that is considered to be secure against this remote data is marked as “Safe for Initialization.” To protect your security, Microsoft Internet Explorer does not allow ActiveX controls that are not marked as safe for initialization to load external data.

Occasionally, security researchers will discover methods of creating specially-crafted JavaScript code or data files to force a particular ActiveX control to execute code other than what its developer intended. Once such a vulnerable or malicious ActiveX control is identified, it can be blocked by setting its “kill bit.” Instead of tracking down all instances of a particular control — often an impossible task — the control’s serial number (its CLSID) is marked as having been “killed,” never again to be used by Microsoft Internet Explorer inside the medium or high security zones. This is a reasonable and efficient solution to the problem, and it is in line with standard industry practices. Setting the kill bit is equivalent to techniques that are widely used in anti-spam and anti-malware security software.

The root cause of the MS09-035 vulnerability is in a function in the ATL. Halvar Flake reported on a vulnerability that he and others found in an ATL function called ATL::CComVariant::ReadFromStream. This vulnerability allows an attacker to load any ActiveX control, even a vulnerable one that is not marked as safe for initialization or one that has its kill bit set. This function was widely copied into many ActiveX controls. The result is that many of the ActiveX controls used to display rich web browser content have the ATL bug, which makes them remotely exploitable.

Online criminals spend their days looking for these vulnerabilities so that they can infect your computer with malware using what we like to call a “drive-by download.” Criminals routinely hijack ordinary websites, inserting malicious JavaScript code and objects that use vulnerable software on your computer to allow the criminals to quietly install malware without your knowledge. To learn more about how criminals use drive-by downloads, watch Patrick Peterson in episode 45 of Cisco TechWiseTV: Crime still pays.

Never fear, though. Protecting yourself from the threats announced is no more difficult than washing the dishes or taking out the garbage. If you haven’t already, go to Microsoft Update, install the latest updates, and reboot your computer. Be sure that you allow all of the other pieces of your web browser, such as Adobe Flash, to install their own updates. Be sure that you have up-to-date anti-virus protection on your computer. Lastly, talk to your IT department about installing a web security appliance, such as a Cisco IronPort Web Security Appliance, on your corporate network. A web security appliance can protect your computer from drive-by downloads by preventing your web browser from downloading malicious content while you’re not looking.

If you are a developer of ActiveX controls, it is critical that you review the Active Template Library Security Update for Developers at MSDN, correct your source code if necessary, publish an updated version of your ActiveX control, and mark the old one as “killed” to protect your users.

This vulnerability is another painful example of the “Hacked While Browsing” trend we’ve seen: criminal exploitation of rich applications within the web browser. It is critical for all organizations not only to make sure they are patched but to ensure their users’ browsers cannot access malicious sites that attempt to exploit the browser and its integrated applications.
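The kill bit and “Safe for Initialization” marking described above are both ordinary registry state that Internet Explorer consults before loading a control, so an administrator can audit them directly. The following PowerShell is an added example, not code from this post or from Microsoft: it reports, for each registered OLE control, whether its kill bit is set and whether it carries the Safe for Initialization and Safe for Scripting component categories, and it includes a helper that sets the kill bit on a control you have decided to retire. It assumes a Windows host with read access to HKLM and HKCR (elevated for the kill-bit write); the CLSID in the usage line is a constructed placeholder, not a real control.

```powershell
# Added example (not from the Cisco post or Microsoft). Audits the registry state that
# Internet Explorer checks before loading an ActiveX control: the per-CLSID kill bit and
# the "Safe for Initialization" / "Safe for Scripting" component categories.
# Assumptions: Windows host, read access to HKLM and HKCR; placeholder CLSID in the usage line.

$KillBitFlag      = 0x400   # bit in 'Compatibility Flags' that IE treats as "killed"
$CatSafeForInit   = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing
$CatSafeForScript = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$CompatKey        = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-ActiveXKillBit {
    # True when the kill bit is set for the given CLSID (braces included).
    param([Parameter(Mandatory)][string]$Clsid)
    $props = Get-ItemProperty -Path "$CompatKey\$Clsid" -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.'Compatibility Flags') { return $false }
    return (($props.'Compatibility Flags' -band $KillBitFlag) -ne 0)
}

function Get-ActiveXSafety {
    # One record per CLSID: kill bit state, safety categories, and the DLL that implements it.
    param([Parameter(Mandatory)][string]$Clsid)
    $clsidKey   = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $server     = Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue
    $serverPath = if ($server) { $server.'(default)' } else { $null }
    [PSCustomObject]@{
        Clsid            = $Clsid
        KillBit          = Test-ActiveXKillBit -Clsid $Clsid
        SafeForInit      = Test-Path "$clsidKey\Implemented Categories\$CatSafeForInit"
        SafeForScripting = Test-Path "$clsidKey\Implemented Categories\$CatSafeForScript"
        Server           = $serverPath
    }
}

function Get-LoadableActiveXControls {
    # Every registered OLE control (CLSID\{...}\Control subkey present) whose kill bit is
    # not set, i.e. everything IE would still load. The ones without SafeForInit are the
    # controls that the post's ATL bug allowed a page to initialize with remote data anyway.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        Where-Object { Test-Path "$($_.PSPath)\Control" } |
        ForEach-Object { Get-ActiveXSafety -Clsid $_.PSChildName } |
        Where-Object { -not $_.KillBit }
}

function Set-ActiveXKillBit {
    # Mitigation: retire a control by setting its kill bit (requires an elevated shell).
    # Preserves any other Compatibility Flags bits already present.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "$CompatKey\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBitFlag) -Type DWord
}

# Usage (the CLSID below is a constructed placeholder):
Get-ActiveXSafety -Clsid '{00000000-0000-0000-0000-000000000000}'
Get-LoadableActiveXControls | Where-Object { -not $_.SafeForInit } | Format-Table -AutoSize
```

Enumerating HKCR\CLSID touches thousands of keys and takes a while; run the audit once per host and compare the list of not-killed, not-Safe-for-Initialization controls against your software inventory. A control that shows up there after you have applied MS09-034 and MS09-035 still needs its vendor’s rebuilt version, or its kill bit set, before it stops being a drive-by download target.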
