One of the updates in the July set of Microsoft security bulletins (MS09-032) addressed a vulnerability which was exploited by instantiating the Microsoft Video ActiveX Control (msvidctl.dll) and seen in the wild on many malicious websites. Sophos published detection for known exploits on 6 July as Exp/VidCtl-A.
The update included kill bits for the vulnerable component, but even before the patch was published it was discovered that the actual vulnerability is not only in Microsoft Video ActiveX Control but in the underlying Active Template Library (ATL) used when the control was compiled.
This effectively means that any ActiveX control using similar functionality and compiled with ATL is potentially vulnerable and that there are several different attack vectors that could be used to reach the exploit condition. As soon as the vulnerability in Active Template Library was discovered guys from Microsoft Security Response Center started working on a solution to fix the issue but they obviously have not been able to finish and test it in time for the July patch Tuesday. Today, two new bulletins and one advisory were published to address the potential issues hopefully more thoroughly.
MS09-034 is a cumulative Internet Explorer patch that includes code to check if a potentially vulnerable component is being loaded and prevent that behaviour as well as the fix for additional three privately reported remote execution vulnerabilities. At the time of writing this blog post SophosLabs are not aware of any malware that attempts to exploit any of the newly fixed vulnerabilities.
MS09-035 fixes the actual ATL code included with several versions of Microsoft Visual Studio so that the new ActiveX components compiled with the fixed ATL code are not affected by the incorrect pointer passing vulnerability in CComVariant::ReadFromStream function. Developers of ActiveX components that use ATL are advised to recompile and update their components using the fixed version of the Active Template Library.
Mark Dowd, Ryan Smith and David Dewey will present their findings about the ATL vulnerability in their presentation at the Black Hat USA conference tomorrow at 3.15 pm PST. Ryan Smith has posted an interesting video showing a proof of concept exploit working even with MS09-032 applied as an introduction to their Black Hat session.
As always we have written our own vulnerability analyses with the SophosLabs Threat Level and SophosLabs comments:
MS09-034 - Cumulative Security Update for Internet Explorer
MS09-035 - Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution