Microsoft today took the unusual step of releasing out-of-band patches for severe security flaws in all versions of Internet Explorer, along with related holes in the Microsoft Active Template Library included with Visual Studio.
Microsoft generally only releases patches outside of its normal monthly cycle for the most dangerous security flaws. The IE risks involve “components and controls that have been developed using vulnerable versions of the Microsoft Active Template Library,” according to Microsoft, and could allow an attacker to run commands or download malware on a vulnerable PC if you simply view a malicious Web page. Such drive-by-download attacks are a favorite among Internet attackers.
According to Microsoft, this MS09-034 patch “is rated Critical for Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on supported editions of Microsoft Windows 2000; Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on supported editions of Windows XP; Critical for Internet Explorer 7 and Internet Explorer 8 running on supported editions of Windows Vista; Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on supported editions of Windows Server 2003; and Moderate for Internet Explorer 7 and Internet Explorer 8 running on supported editions of Windows Server 2008.”
Translation: if you use any version of IE on Windows 2000, XP or Vista, get the fix asap by running Windows Update. IT folks who maintain Windows Server 2003 and 2008 boxes don’t have to rush quite as quickly but will still want the fix.
The companion patch fixes holes in the Microsoft Active Template Library, part of Visual Basic, which can be used to create the vulnerable ActiveX controls that trigger the IE flaws fixed in the MS09-034 patch. According to Symantec, the ATL patch won’t fix vulnerable controls that have already been created, but will avoid creating new vulnerable controls. For more information see the MS09-035 bulletin.