As announced last week, Microsoft released two security bulletins out-of-band. They address critical vulnerabilities in all Internet Explorer versions and a flawed Active Template Library (ATL) used by developers working with Microsoft’s Visual Studio.
Because of the flaw in the ATL, which is used to build ActiveX controls, for example, it is possible to bypass the kill bit restrictions in Internet Explorer (IE). Manipulated websites can thus call ActiveX modules that have security vulnerabilities and inject malware on affected computers. Microsoft now closes three security holes in IE and hardens it against abuse of the flaws introduced by the ATL.
The error is based on flaws within the ATL of Visual Studio, so components built with this development environment can be affected, too. Cisco, for example, released a security advisory and announced workarounds and updates for the Cisco Unity software. Expect other software developers to release updates soon as well.
Interestingly, according to Microsoft’s Security Bulletins, Windows 7 is not affected by these vulnerabilities.
Install the updates as soon as possible, and if you are a developer, rebuild your components with the new ATL. A knowledge-base article from Microsoft explains the issue for developers.