A few comments to yesterday’s Out of Band

It is pretty typical – these things often happen, when I have a really bad Internet connection ;-). However, I am back home and the connection is kind of better now…

I guess you have seen and heard about the two out of band updates we shipped yesterday. They are kind of special and I would like to make sure you are doing everything necessary to protect you and your customers. Therefore – even before you read the bulletins – read the Advisory which goes with the updates from yesterday called Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution. Once you understand the problem space, get familiar with the two bulletins:

• Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)
• Cumulative Security Update for Internet Explorer (972260)

Now, the real problem is with the applications and controls developed by you. If you are a developer, make definitely sure, you read the corresponding article on MSDN: Active Template Library Security Update for Developers. In there you have a very good flowchart helping you to understand whether your component might be vulnerable. 

Last but definitely not least, ICASI was collaborating with Verizon Business to provide a free of charge scanning service to help you figuring out, whether your component is vulnerable. you find the information here:

• The ICASI Alert
• The Verizon Business Scanner

I hope this helps

Roger