Shared code libraries help development, but is it at the expense of security and our business productivity?
This week we all had to deal with the emergency Microsoft security patches due to a critical exposure in the Active Template Library (templates used for COM+ development) that could result in local code execution by a hacker. At a minimum, the patch required a system reboot after being applied, but in many business environments where a simple reboot either can’t be performed right away or where patches (even emergency ones) must first be fully tested, IT groups were scrambling to determine how to handle the out-of-cycle patch. I was witness today to partners on conference calls with Microsoft educating them on the patches, and then dealing with several permutations of how best to apply the patches for different customers and users; scheduling them through WSUS, scheduling times where it wouldn’t disrupt business, researching code to determine if the ATL library had been used on any projects, and discussions amongst IT teams about how to handle the situation. One partner asked me why this patch had to happen today and not on Patch Tuesday, only a few weeks away. I think you could logically conclude today’s presentation at Black Hat about the ability to bypass Microsoft’s kill-bit logic, pre-empted waiting until patch Tuesday for a fix. Microsoft uses a technique they call kill-bit to disable code in situations like this. With the kill-bit bypass information out in the open, much more exploit code will likely be out in the wild, putting Microsoft systems at great risk of being compromised.But this situation caused issues not just because the patches were out of cycle. The requirement to issue a patch goes beyond just Microsoft’s updates. Any third party vendor or IT developer who uses the vulnerable components in the ATL library must also review their code and issue a patch. Adobe did just that, revealing they too use the ATL library, requiring them to issue patches. That means IT shops will have to deal with Flash and Shockwave Player patches from Adobe, and from any other vendors who uses the ATL lib.In most cases you’d argue that shared code libraries improves security by reducing the overall amount of code written (effectively reducing the number of security flaws that might be introduced) and localizes patches to just that library. Developers can do a code update, build, and then test their software to make sure the patch is applied and doesn’t introduce any adverse effects. But in cases where there is a security vulnerability in the library and that code is used within many different products and internal applications, the impact on product companies, IT developers, operations and business units can be much more significant. Even Verizon is offering help to developers impacted by the ATL library vulnerability.Security vulnerabilities, patching and even out-of-cycle patches are simply a fact of life. We’ve done well in adopting and building processes around Patch Tuesday, and in most situations, dealing with out-of-cycle patches. But that doesn’t negate the fact there’s a cost to security vulnerabilities and their associated patches, and even great costs to out of cycle patches. That’s the world we live and work in.
Like this? Here are some of Mitchell’s recent posts.
Great Beginning and Intermediate Books Mitchell Recommends:
- Apple Tablet – Expensive Netbook or iTouch on Steroids?
- Microsoft… Coming to a New Store Near You
- Did Microsoft Violate the GPL and Were They Forced To Make Linux Hyper-V Drivers GPL?
- The Moment of Truth Nears For Windows 7 and Windows Server 2008 R2
- Is SharePoint great for external community building?
- Podcast: Xobni’s New Quest. Revenue.
- Microsoft GPL Linux Drivers First Legit Open Source Contribution
Also visit Mitchell’s other blogs and podcasts:
- Beginning SharePoint 2007
- Beginning SharePoint 2007 Administration: Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007
- Beginning Ruby: From Novice to Professional, Second Edition
- Beginning C# 3.0: An Introduction to Object Oriented Programming
- Programming .NET 3.5
Visit Microsoft Subnet for more news, blogs, opinion from around the Web. Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)




