Thursday, July 30, 2009
MS ActiveX and ATL Security Flaws
What's going on here is that Microsoft messed up very badly, and it was a small typo which did the dirty deed. As related in several stories at http://www.infoworld.com/news (InfoWorld News), there is a stray "&" in the code of the MS Visual Studio Active Template Library (ATL), which is at the heart of many MS ActiveX controls. This flaw does not affect only Internet Explorer. It affects a wide variety of Microsoft products and services, as well as many third-party applications and services which use ActiveX. ActiveX is used not only on Web pages but also, in some applications, on the Windows Desktop of the local computer. In short, nearly all Windows users are vulnerable to this security hole; the only exception is those who are running the RTM version of Windows 7 (NOT the Beta or pre-release versions -- these versions ARE vulnerable).
The solution is listed in recent postings at http://www.windowssecrets.com/ (Windows Secrets Newsletter, special edition, July 30, 2009, by Susan Bradley) and http://www.askwoody.com/ (Woody Leonhard's Windows Patch Watch web site). They both strongly urge all Windows users to patch everything which MS Updates is currently offering. No exceptions this time. Some third-party applications will break, and I will post if I notice anything really bad in my own Windows XP SP3 configuration. (I use a lot of freeware and free security programs.) But the problem with this security flaw is so severe that it is worth having to find new applications, rather than put up with the risks of not patching. So say the real gurus, and who am I to disagree?
As always, I am solely responsible for the content of this blog. Interested readers should go directly to the sources I have referenced, using either my links or Google results for the sites to which I link in my blog entries. Woody Leonhard's MS-Defcon system is used without permission, and should not be copied by other bloggers.
-- LittleWolf -- Thursday, July 30, 2009 -- 5:15 PM CDT (USA) --
Edited Sun., Dec. 6, 2009, 2:50 PM CST by LittleWolf.