HEAT Security Blog

Developers and IT Managers Hit by Out-of-Band Patches

Today, Microsoft released two out-of-band patches, MS09-034 and MS09-035, rated critical and moderate, respectively. These patches address vulnerabilities found in Microsoft’s “Active Template Library” (ATL), a set of software development tools used to create COM and ActiveX modules, both of which are common in a wide range of Windows-based applications. ActiveX modules are widely used in Microsoft Internet Explorer and are a traditional target for attackers. Exploits already circulating in the wild are targeting these vulnerabilities, and that is the main reason Microsoft saw fit to release these patches out of band.

This pair of patches is part of what Microsoft is calling a “defense in depth strategy,” which essentially boils down to one patch that stops the exploits actively attacking Microsoft IE and a second patch that fixes the development tools capable of producing vulnerable code. Microsoft is asking the development community to update their tools quickly and re-issue any COM, OLE, or ActiveX components that may be affected.

The out-of-band release significantly impacts both the Microsoft development community and the IT community. Developers need to update any COM and ActiveX elements of their offerings and issue updates immediately. IT managers need to deploy MS09-034 to IE as soon as possible to eliminate the risk to their organizations posed by in-the-wild exploits. They should also review the web applications commonly used in their organizations for any use of ActiveX. If there are such web applications, the vendor should be contacted immediately to find out when a new version of the ActiveX control that includes today’s updates will be available.