Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
According to Microsoft's security bulletin for Visual Studio, there are several vulnerabilities in the Active Template Library (ATL) that is shipped with Visual Studio. The vulnerabilities, which could allow an attacker to execute remote code, may cause controls or components developed using ATL, such as ActiveX controls, to be vulnerable as well. "The Visual Studio patch corrects the flawed template so that any controls built from this template going forward will be safe," Eric Schultze, CTO at Shavlik Technologies, told SCMagazineUS.com.Developers should immediately evaluate components or controls developed with ATL to determine if they are vulnerable, Microsoft said.“It is important to note that not all controls built using the vulnerable versions of the ATL are vulnerable -- this will depend on decisions the developer made when building the control or component,” Chistopher Budd, a security program manager at Microsoft, said in a blog post. Microsoft have also launched a website that provides additional details to help developers identify whether their control or component is exploitable using the vulnerabilities in ATL. In addition, Internet Explorer (IE) was updated to address components and controls that were developed with vulnerable versions of ATL, Microsoft said. The IE patch will monitor all calls to ActiveX controls and prevent controls that were developed with the flawed template from executing, Schultze said.“As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls that have been developed with vulnerable versions of ATL,” Microsoft's security bulletin for IE states. The IE update, labeled critical, also addresses three other vulnerabilities unrelated to those in ATL which could allow remote code execution, Microsoft said.
The emergency measures mark only the second time that Microsoft has broken its Patch Tuesday regimen in over two years.See original article on scmagazineus.com
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.