HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Active Template Library vulnerability requires developers to recompile their ActiveX controls

As the Internet grew, it became increasingly clear that HTML alone was insufficient to meet the demand for a more interactive and ultimately more rewarding user experience.  For one thing, the use of server-side technologies for rendering UI’s meant painfully slow response times.  For another, functionality was limited to static content.  Since, then, though, Rich Internet Applications have managed to vastly improve the web user’s experience by providing media rich content and interactivity comparable to desktop applications.


It’s no surprise that the components that enable this functionality are now widespread.  An amazing 99% of Internet users have AdobeÒFlashÒ installed. In addition, 20-25% of users have Microsoft ÒSilverlightÒ installed, and 31% have  RealOne PlayerÒ. These and various other third-party ActiveX controls are becoming a necessity to interact with a major portion of the web. 


The best solutions available today use AJAX to speed up response times and ActiveX content to create media rich applications. Sharing videos on YouTube, streaming movies from Netflix, even ordering pizza online… all require the users to install ActiveX controls.


So what happens when a vulnerability is discovered that could affect a majority of these ActiveX controls? I am by no means a brilliant mathematician, but I would guess that such a scenario would put the vast majority of Internet users at risk of getting owned by hackers. Such a vulnerability was presented last week at the Blackhat security conference. Mark Dowd and David Dewey of IBM, and Ryan Smith of iDefense presented a talk titled “The Language of Trust: Exploiting Trust Relationships in Active Content” about their research on the analysis of  browser architecture, specifically the interoperability layer of the architecture that allows collaboration between embedded objects and the scripting engines and its impact on the security features of the host application. They also discovered a vulnerability in Microsoft’s Active Template Library that could allow attackers to perform remote code execution attacks. A paper detailing the architecture issues as well as the vulnerabilities is available here .


The Active Template Library (ATL) is a collection of classes that simplify the development of COM objects . Developers of controls such as Flash, Silverlight, windows media player and other third-party ActiveX controls thus make extensive use of the Active Template Library to take advantage of the helper routines it provides. Thus a vulnerability in the Active Template Library also makes all controls that use the library vulnerable.


Microsoft released an out-of-band update on July 28th, just prior to the talk, to fix the ATL vulnerability. But by no means does this fix all the ActiveX controls that are already installed by the users. Since the Active Template Library is statically linked by these ActiveX controls, the ATL routines used by them are actually copied into the target ActiveX control application. Thus even if the ATL routines have been fixed the controls still contain the older, vulnerable versions of these routines. To fix the vulnerability, the ActiveX developers need to get the latest version of ATL by installing the recent Microsoft update for Visual Studio. Then they must recompile their control(s) using the fixed ATL version and deploy the updated control. Developers can refer to security update for ATL provided by Microsoft here.


If your web application hosts ActiveX content that requires users to install an ActiveX control, it is extremely important that you approach the developer(s) of the control (either inhouse of third-party) and make sure that they have updated and deployed a fixed version of the control to the users.


WebInspect can help.


We realize the importance of this vulnerability and want to make sure that the developers understand the urgency of this issue. Hence, WebInspect now has a check to detect ActiveX content present in web applications. It alerts the user about the detected ActiveX content and provides fix information and references to help mitigate this critical vulnerability. This specific check is included by default in WI's standard policy. If you want to run only that check, then create a policy with Adaptive Agents enabled and select the "ActiveX Control Discovery" check 10925.

| ‎08-13-2009 10:00 AM


Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Showing results for 
Search instead for 
Do you mean 
About the Author

Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.