By Susan Bradley
Yet another Active Template Library hole makes Internet Explorer susceptible to remote code execution.
All versions of IE require a patch that Microsoft released this week to block a malicious ActiveX control from taking over your system.
IE patch prevents Web-based infection
It’s only fitting that the last set of Microsoft patches for 2009 plugs holes in Internet Explorer’s ActiveX controls. MS09-072 (976325) is a high priority for all IE users. It prevents a payload that a hacker created using Microsoft’s Active Template Library (ATL) from launching a remote-code execution attack when you visit an infected site.
The patch also repairs some other issues: (1) an HTML object-corruption vulnerability, which was described last month in MS security advisory 977981, and (2) four separate glitches addressed in MS09-054 and KB article 976749, primarily affecting Web sites outside the U.S.
Regarding the main problem, the update combines fixes for several ATL problems that have been reported over the past several months. Most recently, additional updates were found to be required. These updates plug holes in IE to protect against controls developed using ATL versions that predate last July's MS09-035 (969706).
I expect to see exploits of these holes start to circulate in the near future. For this reason, you’re urged to apply these patches to your computers as soon as possible.
WordPad and Word are the focus of new threats
You may be offered patches this month for three Microsoft word processors: Word, WordPad, and the Works suite. However, there are already reports of problems with MS09-073.