Microsoft Active Template Library Vulnerability
On July 28 Microsoft released two out-of-band patches (http://www.microsoft.com/atl) to address a serious issue known as the Microsoft Active Template Library (ATL) vulnerability.
This issue should be considered more serious than most because, while Microsoft has released bulletins and has made changes to both Internet Explorer and Visual Studio to address the vulnerability, the nature of the flaw means that third-party ActiveX controls built with ATL could also be affected and therefore vulnerable.
To date we have seen only a small handful of vendors release patches fixing the issue in their ActiveX controls. Considering the scope of the issue, and how many third-party ActiveX controls may be affected, one would have expected far more vendors to report being affected.
Advisories and/or fixed ActiveX controls have so far come from the following vendors: Adobe Systems, Cisco, and Sun Microsystems. According to our web spider, Adobe supplies the most popular ActiveX controls, shipped with its various Flash and Acrobat products. What about all of the lesser-known ActiveX controls?
Are we safe to assume that they are not affected because we have not seen an advisory or patch? Or, should we be concerned that perhaps other vendors are not as diligent with checking their ActiveX controls?
While I would hope that the answer is that there are simply not as many vulnerable controls as feared, I think the reality is that the industry as a whole has failed to grasp the full impact of this issue. To put it simply: this issue means there is a chance that any ActiveX control carries a vulnerability that allows code execution on the affected system. If you are a software developer who has created your own ActiveX controls, you should review them for this vulnerability. If you are responsible for the security of your organization, you should take an inventory of which ActiveX controls are in use and monitor for patches and updates.
A great resource for helping with the above tasks, at least for developers of ActiveX controls, can be found at http://www.icasi.org/alerts.htm. ICASI (the Industry Consortium for Advancement of Security on the Internet), of which Juniper Networks is a founding member, worked very closely with Microsoft and partnered with Verizon Business to provide a tool that developers can use to identify vulnerable controls. This tool checks for the following:
- Is your code a COM component?
- Does it declare Safe for Initialization?
- Does it inherit from IPersistStreamInitImpl?
- Do you call AtlIPersistStreamInit_Load?
- Do you call CComVariant::ReadFromStream(pStream) with untrusted data?
- Do you use PROP_ENTRY or PROP_ENTRY_EX to declare a property?
- Do you use VT_DISPATCH or VT_UNKNOWN with PROP_ENTRY_TYPE or PROP_ENTRY_TYPE_EX?
Depending on your answers to the above questions you may have a vulnerable control, and it is strongly suggested that you perform a full audit of that control. I fully expect to see various vendors releasing patches to address this over the next few months. But what can IT security departments do in the meantime to lower the risk this issue presents? As suggested earlier in this post, knowing which ActiveX controls your organization already has in use is a good step, but this won't prevent new controls from being pushed down by various websites. Depending on your level of caution, you may also want to go as far as blocking non-work-related websites and enforcing filtering on unknown ActiveX controls.
One way that Juniper Networks helps customers who use one of our IDP devices (stand-alone IDP, ISG and SRX) is not only by writing signatures to detect and alert on known vulnerable ActiveX controls, but also by providing a signature that detects uncommon ActiveX controls.
Just how we determine which ActiveX controls are uncommon is where customers can realize some value from our Security Research Team and our internal honeynet. Part of our honeynet, which is used as an internal tool to increase the accuracy of our IPS, is a web spider that we use to scan the Internet for malicious web site content and capture that content for analysis. One feature of our spider is that it can also track every ActiveX control used on the sites it touches. Based on this data, we were able to come up with a list of the most used ActiveX controls in our survey of the Internet. Here are the 10 most common ActiveX controls:
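As an added example that is not part of the original post or of the ICASI tool, the checklist above can be turned into a first-pass triage over C++ source before a full manual audit. The regexes and the "needs full audit" rule are my own heuristics; the sample control source is constructed for this example.

```python
import re

# One heuristic regex per checklist question. These are source-text patterns I chose,
# not the consortium tool's logic; false negatives are expected, so a "no" here is not a clean bill.
CHECKS = {
    "com_component": r"\bCComObjectRootEx\s*<|\bCComCoClass\s*<",
    "safe_for_init": r"\bIObjectSafetyImpl\s*<|\bINTERFACESAFE_FOR_UNTRUSTED_DATA\b",
    "persist_stream_init": r"\bIPersistStreamInitImpl\s*<",
    "atl_load_call": r"\bAtlIPersistStreamInit_Load\s*\(",
    "read_from_stream": r"\bReadFromStream\s*\(",
    "prop_entry": r"\bPROP_ENTRY(?:_EX)?\s*\(",
    "prop_entry_type_dispatch": r"\bPROP_ENTRY_TYPE(?:_EX)?\s*\([^)]*\bVT_(?:DISPATCH|UNKNOWN)\b",
}


def audit_source(src):
    """Answer each checklist question for one control's source and decide whether to escalate."""
    results = {name: bool(re.search(pat, src)) for name, pat in CHECKS.items()}
    # Heuristic: a control that loads persisted state through ATL (IPersistStreamInitImpl,
    # AtlIPersistStreamInit_Load or ReadFromStream) and exposes properties through a PROP_ENTRY
    # map is the combination the checklist points at, so it gets a full manual audit.
    loads_persisted_state = (results["persist_stream_init"] or results["atl_load_call"]
                             or results["read_from_stream"])
    exposes_properties = results["prop_entry"] or results["prop_entry_type_dispatch"]
    results["needs_full_audit"] = loads_persisted_state and exposes_properties
    return results


# Constructed sample: a typical ATL control class declaration with a property map.
SAMPLE_SOURCE = r"""
class ATL_NO_VTABLE CSampleCtl :
    public CComObjectRootEx<CComSingleThreadModel>,
    public CComCoClass<CSampleCtl, &CLSID_SampleCtl>,
    public IPersistStreamInitImpl<CSampleCtl>,
    public IObjectSafetyImpl<CSampleCtl, INTERFACESAFE_FOR_UNTRUSTED_DATA>
{
BEGIN_PROP_MAP(CSampleCtl)
    PROP_ENTRY("Caption", 2, CLSID_NULL)
    PROP_ENTRY_TYPE("Target", 1, CLSID_NULL, VT_DISPATCH)
END_PROP_MAP()
};
"""

if __name__ == "__main__":
    for question, answer in audit_source(SAMPLE_SOURCE).items():
        print(f"{question:26s} {'yes' if answer else 'no'}")
```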
| CLSID | Name |
|---|---|
| d27cdb6e-ae6d-11cf-96b8-444553540000 / 166b1bca-3f9c-11cf-8075-444553540000 | Adobe Flash |
| 6bf52a52-394a-11d3-b153-00c04f79faa6 | Media Player 7 |
| 22d6f312-b0f6-11d0-94ab-0080c74c7e95 | Media Player 6 |
| 02bf25d5-8c17-4b23-bc80-d3488abddc6b | QuickTime |
| cfcdaa03-8be4-11cf-b84b-0020afbbccfa | RealPlayer |
| b69003b3-c55e-4b48-836c-bc5946fc3b28 | MSN Messenger |
| 8ad9c840-044e-11d1-b3e9-00805f499d93 | Java Plugin |
| d719897a-b07a-4c0c-aea9-9b663a28dfcb | iTunes |
| adb880a6-d8ff-11cf-9377-00aa003b7a11 | Windows Help |
| 67dabfbf-d0ab-41fa-9c46-cc0f21721616 | DivX Browser |
Based on the above data we have released an "info" severity signature named "HTTP: Uncommon ActiveX Access".
This signature is not designed to identify known vulnerable controls, but it can be used to catalog any uncommon ActiveX use and allow network security managers to make an informed decision on how to approach this issue in their environment. In addition, we also have protection for currently known vulnerable controls:
- HTTP: Cisco Unity Vulnerable ActiveX Control
- HTTP: Adobe Shockwave Player Vulnerable ActiveX Control
- HTTP: Adobe Flash Player Vulnerable ActiveX Control
As more controls are identified we will add signatures as required in the hopes that affected vendors will be quick to address this issue.
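The idea behind the "info" signature, as an added example written for this post rather than Juniper's signature logic: extract every CLSID an HTML page instantiates through an `<object classid="clsid:...">` tag and report the ones outside the top-ten allowlist above. The sample HTML and the unknown CLSID in it are constructed.

```python
import re

# Allowlist built from the spider survey table in the post (Flash is registered under two CLSIDs).
COMMON_CLSIDS = {
    "d27cdb6e-ae6d-11cf-96b8-444553540000",  # Adobe Flash
    "166b1bca-3f9c-11cf-8075-444553540000",  # Adobe Flash (second CLSID)
    "6bf52a52-394a-11d3-b153-00c04f79faa6",  # Media Player 7
    "22d6f312-b0f6-11d0-94ab-0080c74c7e95",  # Media Player 6
    "02bf25d5-8c17-4b23-bc80-d3488abddc6b",  # QuickTime
    "cfcdaa03-8be4-11cf-b84b-0020afbbccfa",  # RealPlayer
    "b69003b3-c55e-4b48-836c-bc5946fc3b28",  # MSN Messenger
    "8ad9c840-044e-11d1-b3e9-00805f499d93",  # Java Plugin
    "d719897a-b07a-4c0c-aea9-9b663a28dfcb",  # iTunes
    "adb880a6-d8ff-11cf-9377-00aa003b7a11",  # Windows Help
    "67dabfbf-d0ab-41fa-9c46-cc0f21721616",  # DivX Browser
}

# Matches classid="clsid:..." in either quote style, with or without braces, any letter case.
CLSID_RE = re.compile(
    r'classid\s*=\s*["\']?\s*clsid:\s*\{?'
    r'([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?',
    re.IGNORECASE,
)


def extract_clsids(html):
    """Return every CLSID referenced by an <object classid=...> tag, normalised to lower case."""
    return [m.lower() for m in CLSID_RE.findall(html)]


def uncommon_activex(html, allowlist=COMMON_CLSIDS):
    """Return the sorted set of CLSIDs in the page that are not in the common-control allowlist.
    This is the event an 'info' severity signature would raise for cataloguing, not a verdict."""
    return sorted({c for c in extract_clsids(html) if c not in allowlist})


# Constructed page: two common controls in different spellings plus one placeholder CLSID.
SAMPLE_HTML = """<html><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="400" height="300">
  <param name="movie" value="intro.swf"></object>
<object classid="CLSID:{22d6f312-b0f6-11d0-94ab-0080c74c7e95}" id="mp"></object>
<object classid='clsid:12345678-1234-1234-1234-123456789abc' id="unknown"></object>
</body></html>"""

if __name__ == "__main__":
    print("uncommon ActiveX CLSIDs:", uncommon_activex(SAMPLE_HTML))
```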
For more information on the ATL issue check out the following links:
http://codetest.verizonbusiness.com/