This morning we released MS09-035 to address ATL vulnerabilities in Visual Studio. This blog post will help you answer the following questions:
What are the ATL vulnerabilities? Which versions of ATL are vulnerable?
There are three ATL vulnerabilities discussed in the bulletin:
The following table shows which versions of ATL are affected by each bulletin.
** Controls and components built with Visual Studio 2005 SP1 and Visual Studio 2008/SP1 may be less affected because a new safe macro, PROP_ENTRY_TYPE[_EX], was introduced in Visual Studio 2005 SP1. This new macro solves the problem almost entirely. Furthermore, starting with Visual Studio 2008, the unsafe PROP_ENTRY macro was deprecated. Thus, controls and components built using Visual Studio 2008/SP1 are less likely to be vulnerable. For further information, review this resource article.
Several things we would like to clarify here:
How can I tell if my control is affected? How can I fix it?
You need to review the source code of your control or component. Please refer to the detailed guidance in the following resource article.
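As a starting point for that source review, the following added example (not code from this post or from Microsoft) lists property-map entries that still use the untyped PROP_ENTRY macro instead of PROP_ENTRY_TYPE[_EX]. The function name and the sample property map are constructed for illustration, and treating PROP_ENTRY_EX as the untyped counterpart of PROP_ENTRY_TYPE_EX is an assumption of this example. It covers only the property-map macro mentioned above and does not replace the review described in the resource article.

```python
import re

# Untyped property-map macros: PROP_ENTRY is named in this post as unsafe;
# PROP_ENTRY_EX is included as an assumption (untyped form of PROP_ENTRY_TYPE_EX).
UNSAFE = re.compile(r'\b(PROP_ENTRY(?:_EX)?)\s*\(')
# Comments and string literals, blanked out before scanning.
NOISE = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"', re.S)

def _blank(match):
    # Replace with spaces but keep newlines so line numbers stay accurate.
    return re.sub(r'[^\n]', ' ', match.group(0))

def find_unsafe_prop_entries(source):
    """Return (line_number, macro, line_text) for each untyped entry."""
    cleaned = NOISE.sub(_blank, source)
    lines = source.splitlines()
    hits = []
    for m in UNSAFE.finditer(cleaned):
        line_no = cleaned.count('\n', 0, m.start()) + 1
        hits.append((line_no, m.group(1), lines[line_no - 1].strip()))
    return hits

# Constructed sample: a property map mixing untyped and typed entries.
SAMPLE = '''\
BEGIN_PROP_MAP(CMyControl)
    PROP_ENTRY("Caption", DISPID_CAPTION, CLSID_NULL)
    // PROP_ENTRY("Old", 1, CLSID_NULL) was removed
    PROP_ENTRY_TYPE("Enabled", DISPID_ENABLED, CLSID_NULL, VT_BOOL)
    PROP_ENTRY_EX("Font", DISPID_FONT, CLSID_StockFontPage, IID_IDispatch)
    PROP_ENTRY_TYPE_EX("Text", DISPID_TEXT, CLSID_NULL, IID_IDispatch, VT_BSTR)
END_PROP_MAP()
'''

if __name__ == "__main__":
    for line_no, macro, text in find_unsafe_prop_entries(SAMPLE):
        print(f"line {line_no}: {macro} has no VARTYPE argument: {text}")
```
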
Do I need to issue a killbit/phoenix bit for older controls?
If you decide there is no reason for your control ever to be hosted in IE, please consider issuing a killbit for it. For more information about the killbit, please refer to the SRD “killbit” blog series. Microsoft, for example, issued the killbit as the final fix for the msvidctl.dll issue (MS09-032).
If you decide to fix the vulnerable control, we highly encourage you to issue a killbit for the old control and a phoenix bit for the updated control. The three-part Kill-Bit FAQ series explains this in detail.
The Kill-Bit FAQ: Part 1 of 3
The Kill-Bit FAQ: Part 2 of 3
The Kill-Bit FAQ: Part 3 of 3
- Arthur Wongtschowski, Windows Sustained Engineering
- Chengyun Chu, MSRC Engineering
*Posting is provided "AS IS" with no warranties, and confers no rights.*