I wanted to share this information with all who subscribe to my BLOG and also my Facebook friends and LinkedIn Connections.   Posting it on my BLOG will automatically post it on my Facebook Profile and LinkedIn Profile.  This issue has the potential to be a major issue and therefore even the Emergency Email Network sent out a critical notice today.

You can read the details below if you are interested but just in case you are not interested in the details, the bottom line is RUN YOUR MICROSOFT UPDATES right away.  (That is the short version.)

If you wish to have a link to forward to your friends send this link:  http://TheComputerGuysLLC.spaces.live.com and that will bring them directly to my Blog where they can read this for themselves.

Dennis “The Computer Guy” Wilson

                    National Cyber Alert System

              Technical Cyber Security Alert TA09-209A

Microsoft Windows, Internet Explorer, and Active Template Library (ATL) Vulnerabilities

   Original release date: July 28, 2009
   Last revised: —
   Source: US-CERT

Systems Affected

     * Microsoft Windows and Windows Server
     * Microsoft Internet Explorer
     * Microsoft Visual Studio and C++ Redistributable Package
     * ActiveX controls from multiple vendors

Overview

   Microsoft has released out-of-band updates to address critical
   vulnerabilities in Microsoft Internet Explorer running on most
   supported versions of Windows. The updates also help mitigate
   attacks against ActiveX controls developed with vulnerable versions
   of the Microsoft Active Template Library (ATL).

I. Description

   Microsoft has released updates for critical vulnerabilities in
   Internet Explorer. The updates also include mitigations for attacks
   against vulnerable ActiveX controls that were created using
   vulnerable versions of the Active Template Library (ATL).
   Vulnerabilities present in the ATL can cause vulnerabilities in the
   resulting ActiveX controls and COM components. For example, the ATL
   typographical error described in this Security Development
   Lifecycle blog post caused the Microsoft Video ActiveX control
   stack buffer overflow (VU#180513, CVE-2008-0015).
   Any ActiveX control or COM component that was created with a
   vulnerable version of the ATL may be vulnerable. For example, Adobe
   and Cisco are affected.

II. Impact

   By convincing a user to view a specially crafted HTML document
   (e.g., a Web page, HTML email message, or HTML attachment), an
   attacker may be able to execute arbitrary code.

III. Solution

   System Administrators
   To address the vulnerabilities in Internet Explorer and mitigate
   attacks against vulnerable ATL-based ActiveX controls, apply the
   updates described in Microsoft Security Bulletin MS09-034. Further
   details about the ATL mitigations are available in a Microsoft
   Security Research & Defense blog post.
   Administrators should consider using an automated update
   distribution system such as Windows Server Update Services (WSUS).
   Developers
   To stop creating vulnerable controls, update the ATL as described
   in Microsoft Security Bulletin MS09-035. To address vulnerabilities
   in existing controls, recompile the controls using the updated ATL.
   Further discussion about the ATL vulnerabilities can be found in
   the Security Development Lifecycle blog.

IV. References

* Vulnerability Note VU#456745 –
   <http://www.kb.cert.org/vuls/id/456745>

* Vulnerability Note VU#180513 –
   <http://www.kb.cert.org/vuls/id/180513>

* Vulnerabilities in Microsoft Active Template Library (ATL) Could
   Allow Remote Code Execution –
   <http://www.microsoft.com/technet/security/advisory/973882.mspx>

* Microsoft Security Bulletin MS09-34 –
   <http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx>

* Microsoft Security Bulletin MS09-35 –
   <http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx>

* Protect Your Computer: Active Template Library, Security Updates –
   <http://www.microsoft.com/security/atl.aspx>

* Microsoft Security Advisory 973882, Microsoft Security Bulletins
   MS09-034 and MS09-035 Released –
   <http://blogs.technet.com/msrc/archive/2009/07/28/microsoft-security-advisory-973882-microsoft-security-bulletins-ms09-034-and-ms09-035-released.aspx>

* Black Hat USA Spotlight: ATL Killbit Bypass –
   <http://blogs.technet.com/bluehat/archive/2009/07/27/black-hat-usa-atl-killbit-bypass.aspx>

* ATL –
   <http://msdn.microsoft.com/en-us/library/3ax346b7(VS.71).aspx>

* ATL, MS09-035 and the SDL –
   <http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx>

* Internet Explorer Mitigations for ATL Data Stream Vulnerabilities –
   <http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx>

* Microsoft Windows Server Update Services –
   <http://technet.microsoft.com/en-us/wsus/default.aspx>

* Impact of Microsoft ATL vulnerability on Adobe Products –
   <http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html>

* Cisco Security Advisory: Active Template Library (ATL)
   Vulnerability –
   <http://www.cisco.com/warp/public/707/cisco-sa-20090728-activex.shtml>

* CVE-2008-0015 –
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0015>

Advertisements