Sign In

Subscribe Follow Us On Twitter

Inside the Active Template Library (ATL) Security Update

Posted By: Charles | Jul 28th, 2009 @ 10:02 AM | 323,547 Views | 3 Comments

Share

Today, Microsoft announced the details of an out-of-band security update that impacts ATL components and controls (like ActiveX controls, for example) -> Developers who have built controls using vulnerable versions of ATL should take immediate action to review and identify any vulnerabilities, modify and recompile their affected controls and components using the updated versions of ATL and finally distribute a non-vulnerable version of the controls and components to their customers.

Here, Damien Watkins from the VC++ team and Damian Hasse and Jonathan Ness from MSRC Engineering review the steps to identify and address vulnerable controls and components. Of course, being a Channel 9 interview, we dig into various aspects of the problem without veering away from the goal here: helping you understand the exact issues with this vulnerability. If you own a component or control that uses ATL, then you will know what you need to do to prevent a possible attack.

Please visit the URLs below as soon as possible for detailed information on this vulnerability.

Resources discussed in this video are available on MSDN: Active Template Library Security Update and Developers

Detailed technical information on this security release for ATL developers: http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx

Additional information on this security release is available on the Security Research & Defense blog

Overview with background + table of links: http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx

IE mitigation explanation: http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx

Deep dive for developers: http://blogs.technet.com/srd/archive/2009/07/28/atl-vulnerability-developer-deep-dive.aspx

How msvidctl.dll is related: http://blogs.technet.com/srd/archive/2009/07/28/msvidctl-ms09-032-and-the-atl-vulnerability.aspx

Michael Howard's perspective on this issue: http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx

Tags: ATL, C++, Programming, Security, Trustworthy Computing

Media Downloads:

Rating:

1

0

cqb

When is the MSDN page going to be active? http://go.microsoft.com/?linkid=9674481 doesn't work yet.

Charles
Welcome Change

In reply to Charles

#Jul 28th, 2009 @ 11:58 AM

The link is now live.

C

Decision tree from the article and this interview:

Dook

thanks

Silverlight: Silverlight Test Driven Development – Part II
WindowsClient: Battery notification messages in Windows 7
Silverlight: The Weekly Source Code 49 - SmallBasic is Fun, Simple, Powerful Programming for Kids and Adults
WindowsClient: 24 Hour 50% off Deal on my Upcoming Manning Book: Silverlight in Action, Revised Edition
Channel 9: C9 Conversations: Yuri Gurevich - Abstraction, Algorithms and Mathematical Logic
TechNet Edge: February 2010 Security Bulletin Overview
Channel 9: PhizzPop Develop & Design Challenge
Silverlight: Quick FAQ on Visual Studio 2010 RC release (February 2010) and Silverlight development
Channel 10: 5 Bing Map Apps for the Winter Olympics
TechNet Edge: TechNet Radio: Visio 2010: Visio Services
WindowsClient: Tip: New .NET 4 String Function to Check for Empty Strings
WindowsClient: Microsoft announces commercial availability of Surface in Australia
WindowsClient: SmallestDotNet Update - Now with .NET 4 support and an includable JavaScript API
Silverlight: Answering A C# Question
Channel 9: Jason Zander: Visual Studio 2010 Release Candidate Released
Channel 9: Help Desk Episode 1 with Chris Pirillo (Pilot) - Show Notes
Mix Online: Design for tables
Channel 10: Bing and Winter Olympics
Channel 10: Use Your Zune Remote to Control Windows Media Center
WindowsClient: Query Continuations for nested collections in Data Services
close

Microsoft Communities