Install MS’s out-of-cycle patches for IE, apps

Susan bradley By Susan Bradley

Two emergency updates released by Microsoft this week correct flaws in Internet Explorer and potentially dozens of third-party programs.

One of the patches is intended primarily for use by application developers, but how far the threat to apps extends — and how many end users will be affected — is not yet clear.

MS09-034 (972260)
Apply this Internet Explorer patch today

This week, Microsoft released security bulletin MS09-034 without waiting for the next scheduled Patch Tuesday on Aug. 11. According to the Redmond company, this patch is rated “Critical” for IE 6/7/8 on XP and IE 7/8 on Vista. (While the Windows 7 release to manufacturing (RTM) version is unaffected by the problem, the Windows 7 release candidate does requiring patching.)

Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

PC Drive Maintenance (Excerpt)

Subscribe and get our monthly bonuses - free!

Your hard drives store photos, books, music and film libraries, letters, financial documents and so on. This ebook is aimed at helping you understand your hard drives, expand their capacities and length of life, and recover what you can from them when they fail. We're offering you a FREE Excerpt! Get this excerpt and other 4 bonuses if you subscribe FREE now!



You may already have applied “killbits” from Microsoft security bulletin MS09-032, which was released on this month’s regular Patch Tuesday, July 14. In theory, these killbits should protect you against certain ActiveX exploits already circulating on the Internet.

Microsoft’s Security Research & Defense blog recommends that you retain the killbits, if you did install them, and also apply this week’s update. The group says this will provide an added layer of “defense in depth” patches.

On the other hand, if you haven’t yet applied the MS09-032 update, installing this week’s out-of-cycle patch means you don’t have to install the previous one.

Why did Microsoft rush out an update for a problem that most admins have already patched? The reason was revealed yesterday afternoon in Las Vegas. A presentation at the Black Hat Security Conference by security researchers Ryan Smith, Mark Dowd, and David Dewey showed that the previous killbit fix could be evaded by malware.

In their blog post announcing the talk, the researchers described how they had found a vulnerability in Microsoft’s Visual Studio Active Template Library (ATL), which is used by developers to write Windows programs. In a video posted on the researchers’ site, they demonstrate how an exploit can take control of a PC, bypassing the killbit.

When Microsoft stated that MS09-032 protected you from known attacks, that’s technically true. New attacks, however, are likely to show up very soon, due to the release of the Las Vegas presentation. It would be wise for you to install the more-recent MS09-034 patch right away.

MS09-035 (969706)
Apps developed using ATL may be insecure

Hearing of a new patch for Internet Explorer, most of us would sigh, launch Firefox, and simply go on with our lives, thinking we are unaffected. The problem announced this week, however, involves more than just IE.

The vulnerable ActiveX control present in Visual Studio’s Active Template Library (ATL) is used in many third-party applications. So security bulletin MS09-035 may be the more important of this week’s two out-of-cycle updates.

For instance, Cisco Systems has released an alert saying the company’s Unity products are affected by the vulnerability. Other companies’ products — which you might never suspect of being the weak point in a malware attack — could easily be at risk.

Verizon Business is providing a service that checks a system for the presence of this control. As explained in a Verizon blog, the use of the file atl.dll in an application indicates that an app is susceptible.

In my research, I found on one fully patched Vista machine an old tax program that includes atl.dll. I can’t remove this file, because the old software is still needed.

To be sure, bad guys are less likely to target an obscure software program than vulnerabilities in IE. Even so, installing MS09-035 gives you additional protection, not just for Microsoft’s browser but also for some apps you may have forgotten you ever installed.

My standard admonition is more important than ever: use a third-party patching tool such as the Shavlik Patch Google Gadget or Secunia’s Online Software Inspector or Personal Software Inspector. Review your system at least monthly, after you’ve installed Microsoft’s latest patches. These tools test a wide range of software — including many browsers other than IE — and notify you when security patches are available.

See my May 28 Top Story for more on Shavlik, Secunia, and other third-party software-update services.

I’ve only heard sporadic reports of problems a few people have had with the out-of-cycle patches. These issues are described in a Microsoft forum post about a Visual Studio compiling error, and an MS MVP blog item about the Visual Studio patch being offered repeatedly. I’ll provide information in my next Windows Secrets column on any other glitches that may affect these patches.

Given the strong recommendations I’ve read by members of the security community, I believe you should install this week’s updates immediately. You can uninstall them if they act up.

Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
= Paid content

All Windows Secrets articles posted on 2009-07-30:

Susan Bradley

About Susan Bradley

Susan Bradley is a Small Business Server and Security MVP, a title awarded by Microsoft to independent experts who do not work for the company. She's also a partner in a California CPA firm.