Microsoft issues emergency patches for Visual Studio vulnerability

Microsoft today issued security updates for the Active Template Library (ATL) which address a vulnerability that could allow remote code execution.

Libraries are collections of codes upon which software is built, and Microsoft's ATL is used by developers to create controls or components (such as Automation and ActiveX) in Windows. But any components or controls created with the vulnerable version of ATL may now become vulnerable due to how ATL is used or due to issues in the ATL code itself.

The Microsoft Security Response Center Team today said, "While this is a complex issue, we believe a broad, industry-wide response can help minimize the impact to customers...The vulnerability that we addressed with Microsoft Security Bulletin MS09-032 was a result of this issue. While that issue was attacked before a security update was released, that is the only known attack that we're aware of against an issue related to vulnerabilities in the ATL. However, we are releasing our guidance and updates outside of our regular monthly release cycle because our updates are of appropriate quality for broad distribution, we are aware of one attack which was addressed through MS09-032, and we believe that there is a greater risk to customer safety from broader disclosure of this issue if we wait until our next scheduled release."

This does not immediately affect the non-developer user. Users with automatic updating turned on will receive the update related to this issue (and several others) today. Users it turned off are advised to go to download and install today's updates on Microsoft Update.

Developers are advised to update Visual Studio, and those who have built controls and components using ATL for Visual Studio can use the ActiveX Code Tester provided freely by Verizon Business and ICASI to help identify potential vulnerabilities in their software. When the vulnerabilities are found, the software must then be re-coded and updated to customers.