Comment Feed for Channel 9 - Inside the Active Template Library (ATL) Security Update http://ecn.channel9.msdn.com/o9/previewImages/100/481147_100x75.jpg Channel 9 - Inside the Active Template Library (ATL) Security Update Today, Microsoft announced the details of an out-of-band security update that impacts ATL components and controls (like ActiveX controls, for example) -> Developers who have built controls using vulnerable versions of ATL should take immediate action to review and identify any vulnerabilities, modify and recompile their affected controls and components using the updated versions of ATL and finally distribute a non-vulnerable version of the controls and components to their customers. Here, Damien Watkins from the VC++ team and Damian Hasse and Jonathan Ness from MSRC Engineering review the steps to identify and address vulnerable controls and components. Of course, being a Channel 9 interview, we dig into various aspects of the problem without veering away from the goal here: helping you understand the exact issues with this vulnerability. If you own a component or control that uses ATL, then you will know what you need to do to prevent a possible attack.  Please visit the URLs below as soon as possible for detailed information on this vulnerability. Resources discussed in this video are available on MSDN: Active Template Library Security Update and Developers Detailed technical information on this security release for ATL developers: http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx Additional information on this security release is available on the Security Research & Defense blogOverview with background + table of links:  http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx IE mitigation explanation:  http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx Deep dive for developers:  http://blogs.technet.com/srd/archive/2009/07/28/atl-vulnerability-developer-deep-dive.aspx How msvidctl.dll is related:  http://blogs.technet.com/srd/archive/2009/07/28/msvidctl-ms09-032-and-the-atl-vulnerability.aspxMichael Howard's perspective on this issue: http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx en Fri, 24 May 2013 22:38:28 GMT Fri, 24 May 2013 22:38:28 GMT Rev9 Re: Inside the Active Template Library (ATL) Security Update When is the MSDN page going to be active? http://go.microsoft.com/?linkid=9674481 doesn't work yet.

posted by cqb

]]> http://channel9.msdn.com/Blogs/Charles/Out-of-Band-Inside-the-ATL-Security-Update#c633844042070000000 Tue, 28 Jul 2009 18:56:47 GMT http://channel9.msdn.com/Blogs/Charles/Out-of-Band-Inside-the-ATL-Security-Update#c633844042070000000 cqb Re: Inside the Active Template Library (ATL) Security Update The link is now live.

C

 

Decision tree from the article and this interview:

 

ATL Vulnerability Decision Tree

posted by Charles

]]> http://channel9.msdn.com/Blogs/Charles/Out-of-Band-Inside-the-ATL-Security-Update#c633844075720000000 Tue, 28 Jul 2009 19:52:52 GMT http://channel9.msdn.com/Blogs/Charles/Out-of-Band-Inside-the-ATL-Security-Update#c633844075720000000 Charles Re: Inside the Active Template Library (ATL) Security Update thanks

posted by Dook

]]> http://channel9.msdn.com/Blogs/Charles/Out-of-Band-Inside-the-ATL-Security-Update#c633970321630000000 Mon, 21 Dec 2009 22:42:43 GMT http://channel9.msdn.com/Blogs/Charles/Out-of-Band-Inside-the-ATL-Security-Update#c633970321630000000 Dook