Microsoft patches last major ATL bugs
Latest fixes for code library typo close 'last big attack vector,' says researcher
By Gregg Keizer
October 14, 2009 04:08 PM ET
Computerworld - Microsoft yesterday wrapped up a months-long job of patching a critical bug it accidentally introduced in a crucial code "library," one of the researchers who uncovered the flaw said today.
"They finally released the last patch of Microsoft products yesterday, at least the last for the big attack vectors," said Ryan Smith, the principal research scientist for the Denver-based security consultant company Accuvant. "The patches for [Microsoft] Office closed the last big attack vector for the ATL flaw."
Smith and researchers Mark Dowd and David Dewey, who work for IBM Internet Security Systems' X-Force team, uncovered the bug and first publicly demonstrated how it could be used to attack PCs using Internet Explorer (IE) last July at the Black Hat security conference. Microsoft convinced the trio to stop publicly disclosing their findings until it was able to rush users a pair of emergency updates, which it delivered the day before the Smith-Dowd-Dewey Black Hat presentation.