Microsoft rushes clutch patch for 'deep' bug in Windows, third-party apps

The emergency patches Microsoft plans to will fix a flaw that runs through several critical components of Windows and an unknown number of third-party applications, according to a pair of security researchers.

On Tuesday, Microsoft will slap a permanent patch on a video streaming ActiveX control used by Internet Explorer (IE), addressing a vulnerability that it has known about, but not fixed, for . Two weeks ago, Microsoft issued a "kill bit" update that, rather than address the underlying problem, to stymie attacks that were already in progress. It's also slated a fix for Visual Studio, Microsoft's popular development platform.

Although Microsoft has exactly what it will patch with the two "out-of-band" updates -- the term for security updates released outside the company's once-a-month schedule -- earlier this month researchers pointed fingers at the Active Template Library (ATL), a code "library" used not only by Microsoft's own developers, but also by third-party software programmers to access some features within Windows.

Two German researchers -- Thomas Dullien, the CEO and head of research at Zynamics GmbH, and Dennis Elser -- dug into the bug within the ActiveX control, the "msvidctl.dll" file, that streams video content. They found that it stemmed from a simple programming mistake in a function called "ATL::CComVariant::ReadFromStream."

"Instead of passing a pointer to a data buffer to IStream::Read, it took the address of a (small) local variable, and passes this address as output buffer to IStream::Read, along with a length read from the stream previously," said Dullien, who goes by the moniker "Halvar Flake" when writing about security vulnerabilities. "Somebody clearly got confused," he added in a posted July 9.

The result? Although Microsoft shut off current attacks against the ActiveX control, the programming mistake is present in several other Windows files -- at least five in XP, at least 13 in Vista -- including ones crucial to IE, Windows Media Player and Terminal Services.