Thursday, July 30, 2009

MS ActiveX and ATL Security Flaws



What's going on here is that Microsoft messed up very badly. But it was a small typo which did the dirty deed. As related in several stories at http://www.infoworld.com/news (InfoWorld News), there is a problem with a stray "&" in the code inside the MS Visual Studio Active Template Library (ATL), which is at the heart of many MS ActiveX controls. This flaw does not affect only Internet Explorer. It affects a wide variety of Microsoft products and services, as well as many third-party applications and services which use ActiveX. ActiveX is used not only on Web pages, but also on the Windows Desktop of the local computer in some applications. In short, nearly all Windows users, except those who are running the RTM Windows 7 (NOT the Beta or pre-release versions -- these versions ARE vulnerable), are vulnerable to this security hole.


The solution is listed in recent postings at http://www.windowssecrets.com/ (Windows Secrets Newsletter, special edition, July 30, 2009, by Susan Bradley) and http://www.askwoody.com/ (Woody Leonhard's Windows Patch Watch web site). They both strongly urge all Windows users to patch everything which MS Updates is currently offering. No exceptions this time. Some third-party applications will break, and I will post if I notice anything really bad in my own Windows XP SP3 configuration. (I use a lot of freeware and free security programs.) But the problem with this security flaw is so severe that it is worth having to find new applications, rather than put up with the risks of not patching. So say the real gurus, and who am I to disagree?

As always, I am solely responsible for the content of this blog. Interested readers should go directly to the sources I have referenced, using either my links or Google results for the sites to which I link in my blog entries. Woody Leonhard's MS-Defcon system is used without permission, and should not be copied by other bloggers.





-- LittleWolf -- Thursday, July 30, 2009 -- 5:15 PM CDT (USA) --

Edited Sun., Dec. 6, 2009, 2:50 PM CST by LittleWolf.

Tuesday, July 14, 2009

Microsoft Patch Updates


Unlike Woody Leonhard, most of the staff at Windows Secrets Newsletter (http://www.windowssecrets.com) recommend that anyone who has not yet installed Windows XP SP3 (if you still use Windows XP) do so now. I have had no problems with this Service Pack, and I usually know pretty fast if something from Microsoft is going to break anything else.

Internet Explorer 8 is ready for prime time now, so download it and update it. Then use Firefox 3.5 and watch for the upcoming stability patch. Both browsers are on my laptop, and I am very conservative about updating browsers. Again, if any major problems were occurring, I would probably know about at least most of them.

And as always, disable the Windows Automatic Updates service through the Administrator Control Panel when not going to MS Updates manually. Also set the BITS service to Manual, but do not disable it completely, as some third-party programs use this service. And use Secunia PSI to keep up to date with your plug-ins.

As always, I am solely responsible for any content which appears in this blog. I recommend that anyone reading my summaries should also go to the original posts at the web sites cited.

-- Tues., July 14, 2009, 1:00 AM CDT (USA) -- LittleWolf --

Edited Sun., Dec. 6, 2009, 2:54 PM CST, by LittleWolf.