Emergency patches issued for IE and Visual Studio

Microsoft on Tuesday issued two out-of-band security patches -- one for the development tools suite Visual Studio and another for Internet Explorer.

According to Microsoft's security bulletin for Visual Studio, there are several vulnerabilities in the Active Template Library (ATL) that ships with Visual Studio. The vulnerabilities, which could allow remote code execution, may also make controls or components developed using ATL, such as ActiveX controls, vulnerable.

"The Visual Studio patch corrects the flawed template so that any controls built from this template going forward will be safe," Eric Schultze, CTO of Shavlik Technologies, told SCMagazineUS.com in an email Tuesday.

Developers should immediately evaluate components or controls developed with ATL to determine if they are vulnerable, Microsoft said.

“It is important to note that not all controls built using the vulnerable versions of the ATL are vulnerable -- this will depend on decisions the developer made when building the control or component,” Christopher Budd, a security program manager at Microsoft, said in a blog post Tuesday.

That same day, Microsoft launched a website that provides additional details to help developers identify whether their control or component is exploitable using the vulnerabilities in ATL.

In addition, Internet Explorer (IE) was updated Tuesday to address components and controls that were developed with vulnerable versions of ATL, Microsoft said. The IE patch will monitor all calls to ActiveX controls and prevent controls that were developed with the flawed template from executing, Schultze said.

“As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls that have been developed with vulnerable versions of ATL,” Microsoft's security bulletin for IE states.

The IE update, labeled critical, also addresses three other vulnerabilities, unrelated to those in ATL, which could allow remote code execution, Microsoft said.