Tuesday, July 28, 2009

Microsoft rushes clutch patch for 'deep' bug in Windows, third-party apps

Researchers say move may be tied to this week's Black Hat security conference

By Gregg Keizer, ComputerWorld
The emergency patches Microsoft plans to rush out this week will fix a flaw that runs through several critical components of Windows and an unknown number of third-party applications, according to a pair of security researchers.

On Tuesday, Microsoft will slap a permanent patch on a video streaming ActiveX control used by Internet Explorer (IE), addressing a vulnerability that it has known about, but not fixed, for more than a year. Two weeks ago, Microsoft issued a "kill bit" update that, rather than address the underlying problem, disabled the ActiveX control to stymie attacks that were already in progress. It's also slated a fix for Visual Studio, Microsoft's popular development platform.

Although Microsoft has not spelled out exactly what it will patch with the two "out-of-band" updates -- the term for security updates released outside the company's once-a-month schedule -- earlier this month researchers pointed fingers at the Active Template Library (ATL), a code "library" used not only by Microsoft's own developers, but also by third-party software programmers to access some features within Windows.


~Sandy G.

No comments: