Patch Updates Coming to a Theater Near You

08.06.2009 - 3:00 PM

Patches have been flowing in since last week, some for 0days found in the wild, some for 0days disclosed at Black Hat presentations given last week. In this post, I'm going to focus mainly on vulnerabilities that are reached through the browser on the client side.

ATL Vulnerability

The recent Active Template Library (ATL) vulnerability has affected several ActiveX controls. After exploits were seen in the wild, Microsoft issued MS09-035, an out-of-band patch, to fix the ATL library shipped with Visual Studio so that controls compiled against the updated library would no longer be vulnerable.

Microsoft also issued a second out-of-band patch: MS09-034. In addition to addressing a few other Internet Explorer security flaws, MS09-034 mitigated the known attack vectors within Internet Explorer for components and controls developed with vulnerable versions of ATL. Before those two out-of-band releases, Microsoft had released MS09-032 (CVE-2008-0015) as part of their regular Patch Tuesday cycle for the month of July (July 14th), which included 6 other security bulletins. MS09-032 set the kill bit for the MPEG2TuneRequest ActiveX Control Object (msvidctl.dll, Microsoft's Video ActiveX control), so that Internet Explorer no longer instantiates it.

Adobe and Cisco both publicly disclosed that some of their controls were vulnerable and were quick to issue patches.

It's unknown how many other major software vendors used the vulnerable ATL library. The flaw has been present in ATL for over 10 years, so expect more patches to come from major software providers who built their controls with the vulnerable version.

Microsoft has released guidance to help developers determine whether a control is vulnerable and needs to be recompiled, and Verizon has published online tools that developers can use to check whether their control is affected.

In other exploit/patching news...

Adobe 0day

Meanwhile, details about the Adobe 0day (APSB09-10, CVE-2009-1869) were released on Bugtraq on Sunday. This vulnerability was much easier for researchers to figure out, since a patch had been available for almost a week: the researcher either reversed the patch or traced through an existing exploit to gather the details. This particular vulnerability was due to an integer overflow in Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and in Adobe AIR before 1.5.2. It allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors.

SSL

The major SSL flaws that were discussed at Black Hat are slowly being patched. Mozilla issued two Firefox patches this week.

Any client that uses an older NSS library is vulnerable, just as applications built with the vulnerable ATL are. We expect to see several companies that use the vulnerable NSS library issuing patches, and expect major OS and application distributors to update their libraries this week.

NSS bulletins:

CVE-2009-2404

"Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject's Common Name (CN) field of an X.509 certificate, related to the cert_TestHostName function."

CVE-2009-2408

"Mozilla Firefox before 3.5 and NSS before 3.12.3 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority."
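Both of these NSS issues come down to how the certificate's Common Name is turned into a hostname for comparison: in CVE-2009-2408 a length-prefixed DER string is treated as a NUL-terminated C string, so everything after an embedded '\0' is ignored, and in CVE-2009-2404 an over-long CN reaches the wildcard matcher unbounded. The C program below is an added illustration written for this post; it is not NSS code or Mozilla's fix. cn_matches_naive shows the truncation pattern, cn_matches_strict shows the length-bounded, character-whitelisted comparison a client should perform instead, and the sample CN bytes are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Longest domain name in presentation form (RFC 1035); anything longer is
 * rejected before it can reach the matching logic. */
#define MAX_HOST_LEN 253

/* Illustrative vulnerable pattern (not NSS code): the CN arrives from the
 * certificate as length-prefixed DER bytes, but is copied into a
 * NUL-terminated C string and compared with strcmp, which stops at the
 * first '\0' and never sees the rest of the name. */
bool cn_matches_naive(const unsigned char *cn, size_t cn_len, const char *host) {
    char buf[MAX_HOST_LEN + 1];
    size_t n = cn_len < MAX_HOST_LEN ? cn_len : MAX_HOST_LEN;
    memcpy(buf, cn, n);
    buf[n] = '\0';
    return strcmp(buf, host) == 0;
}

/* ASCII case-insensitive comparison of exactly n bytes. */
static bool eq_nocase(const unsigned char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i])) return false;
    return true;
}

/* Hardened check: the CN is length-bounded and every byte must be in a
 * hostname whitelist (an embedded '\0' fails it). A single leading "*."
 * wildcard may stand in for exactly one label and needs at least two
 * labels after it, so "*.example" never matches. */
bool cn_matches_strict(const unsigned char *cn, size_t cn_len, const char *host) {
    if (cn_len == 0 || cn_len > MAX_HOST_LEN) return false;
    for (size_t i = 0; i < cn_len; i++) {
        unsigned char c = cn[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '*')) return false;
        if (c == '*' && i != 0) return false;   /* wildcard only as the first character */
    }
    size_t host_len = strlen(host);
    if (host_len == 0 || host_len > MAX_HOST_LEN) return false;

    if (cn[0] != '*')
        return cn_len == host_len && eq_nocase(cn, host, cn_len);

    /* Wildcard form: cn is "*" followed by a suffix of the shape ".label.label" */
    const unsigned char *suffix = cn + 1;
    size_t suffix_len = cn_len - 1;
    if (suffix_len == 0 || suffix[0] != '.') return false;
    size_t dots = 0;
    for (size_t i = 0; i < suffix_len; i++) if (suffix[i] == '.') dots++;
    if (dots < 2) return false;
    const char *host_dot = strchr(host, '.');
    if (host_dot == NULL || host_dot == host) return false;   /* host needs a non-empty first label */
    size_t host_suffix_len = host_len - (size_t)(host_dot - host);
    return host_suffix_len == suffix_len && eq_nocase(suffix, host_dot, suffix_len);
}

/* Constructed sample CN (not from any real certificate): a legitimate-looking
 * name, an embedded NUL, then the name the certificate was really issued for. */
static const unsigned char NUL_CN[] = "www.bank.example\0.evil.example";
#define NUL_CN_LEN (sizeof NUL_CN - 1)   /* 30 bytes, excluding the literal's terminator */

/* Builds a CN one byte over the limit and confirms the strict check refuses it. */
bool rejects_overlong_cn(void) {
    unsigned char big[MAX_HOST_LEN + 1];
    memset(big, 'a', sizeof big);
    return !cn_matches_strict(big, sizeof big, "a");
}

int main(void) {
    printf("naive,  NUL CN vs www.bank.example : %d\n",
           cn_matches_naive(NUL_CN, NUL_CN_LEN, "www.bank.example"));
    printf("strict, NUL CN vs www.bank.example : %d\n",
           cn_matches_strict(NUL_CN, NUL_CN_LEN, "www.bank.example"));
    printf("strict, *.bank.example vs www.bank.example : %d\n",
           cn_matches_strict((const unsigned char *)"*.bank.example", 14, "www.bank.example"));
    printf("strict rejects over-long CN : %d\n", rejects_overlong_cn());
    return 0;
}
```

The naive function reports a match for the NUL-bearing sample because strcmp stops at byte 16; the strict function rejects the same bytes at the whitelist step, without ever needing to know what the attacker put after the NUL. A real client would run the same check against each dNSName in the subjectAltName extension before falling back to the CN.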

CVE-2009-2409

"The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large."
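The fix for CVE-2009-2409 on the client side is a policy decision: stop accepting certificates whose signature was computed with MD2 (and, while at it, the other broken MD-family digests). The program below is an added example written for this post, not code from NSS, GnuTLS or OpenSSL. It walks just enough DER to pull the outer signatureAlgorithm OID out of a Certificate and refuses md2/md4/md5WithRSAEncryption; the two sample "certificates" are constructed byte strings with placeholder tbsCertificate and signatureValue fields, not real certificates.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER-encoded OIDs under 1.2.840.113549.1.1 (PKCS #1) that this policy refuses:
 * md2WithRSAEncryption (.2), md4WithRSAEncryption (.3), md5WithRSAEncryption (.4). */
static const uint8_t OID_MD2_RSA[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x02};
static const uint8_t OID_MD4_RSA[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x03};
static const uint8_t OID_MD5_RSA[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x04};

/* Read one DER tag/length header at buf[pos], bounded by buf_len.
 * Returns false for truncated, indefinite-length or oversized encodings. */
static bool der_read(const uint8_t *buf, size_t buf_len, size_t pos,
                     uint8_t *tag, size_t *len, size_t *content_pos) {
    if (pos + 2 > buf_len) return false;
    *tag = buf[pos];
    uint8_t first = buf[pos + 1];
    size_t p = pos + 2;
    if (first < 0x80) {
        *len = first;                         /* short form */
    } else {
        size_t n = first & 0x7F;              /* long form: n length bytes follow */
        if (n == 0 || n > sizeof(size_t) || p + n > buf_len) return false;
        size_t l = 0;
        for (size_t i = 0; i < n; i++) l = (l << 8) | buf[p + i];
        p += n;
        *len = l;
    }
    if (*len > buf_len - p) return false;     /* content would run past the buffer */
    *content_pos = p;
    return true;
}

/* Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
 * Locate the OID inside signatureAlgorithm; false if the structure is not as expected. */
static bool cert_signature_oid(const uint8_t *cert, size_t cert_len,
                               const uint8_t **oid, size_t *oid_len) {
    uint8_t tag; size_t len, pos;
    if (!der_read(cert, cert_len, 0, &tag, &len, &pos) || tag != 0x30) return false;
    size_t end = pos + len;
    if (!der_read(cert, end, pos, &tag, &len, &pos) || tag != 0x30) return false;  /* tbsCertificate */
    pos += len;                                                                     /* skip it */
    if (!der_read(cert, end, pos, &tag, &len, &pos) || tag != 0x30) return false;  /* AlgorithmIdentifier */
    size_t alg_end = pos + len;
    if (!der_read(cert, alg_end, pos, &tag, &len, &pos) || tag != 0x06) return false; /* OBJECT IDENTIFIER */
    *oid = cert + pos;
    *oid_len = len;
    return true;
}

static bool oid_eq(const uint8_t *a, size_t a_len, const uint8_t *b, size_t b_len) {
    return a_len == b_len && memcmp(a, b, a_len) == 0;
}

/* Policy check: true only for a well-formed certificate whose signature
 * algorithm is not one of the refused MD-family RSA signatures. */
bool cert_signature_algorithm_acceptable(const uint8_t *cert, size_t cert_len) {
    const uint8_t *oid; size_t oid_len;
    if (!cert_signature_oid(cert, cert_len, &oid, &oid_len)) return false;  /* malformed: reject */
    if (oid_eq(oid, oid_len, OID_MD2_RSA, sizeof OID_MD2_RSA)) return false;
    if (oid_eq(oid, oid_len, OID_MD4_RSA, sizeof OID_MD4_RSA)) return false;
    if (oid_eq(oid, oid_len, OID_MD5_RSA, sizeof OID_MD5_RSA)) return false;
    return true;
}

/* Constructed samples (not real certificates): tbsCertificate is a placeholder
 * SEQUENCE { INTEGER 1 } and signatureValue a one-byte BIT STRING. */
static const uint8_t SAMPLE_MD2_CERT[] = {
    0x30, 0x18,                                   /* Certificate SEQUENCE, 24 bytes */
      0x30, 0x03, 0x02, 0x01, 0x01,               /* tbsCertificate placeholder */
      0x30, 0x0D,                                 /* signatureAlgorithm */
        0x06, 0x09, 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x02,  /* md2WithRSAEncryption */
        0x05, 0x00,                               /* NULL parameters */
      0x03, 0x02, 0x00, 0xFF                      /* signatureValue placeholder */
};
static const uint8_t SAMPLE_SHA256_CERT[] = {
    0x30, 0x18,
      0x30, 0x03, 0x02, 0x01, 0x01,
      0x30, 0x0D,
        0x06, 0x09, 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,  /* sha256WithRSAEncryption */
        0x05, 0x00,
      0x03, 0x02, 0x00, 0xFF
};

int main(void) {
    printf("MD2-signed sample accepted:    %d\n",
           cert_signature_algorithm_acceptable(SAMPLE_MD2_CERT, sizeof SAMPLE_MD2_CERT));
    printf("SHA-256-signed sample accepted: %d\n",
           cert_signature_algorithm_acceptable(SAMPLE_SHA256_CERT, sizeof SAMPLE_SHA256_CERT));
    return 0;
}
```

In a real validator this check runs on every certificate in the chain, and a truncated or otherwise malformed encoding is treated as a failure rather than as "unknown algorithm, allow"; the bounds checks in der_read are what keep a hostile certificate from steering the parser past the end of the buffer.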

We will continue to monitor patches as they are released, and keep an eye on any exploitation of the associated vulnerabilities.

Security Researcher: Stephan Chenette