Protect your computer from the Active Template Library (ATL) security vulnerability
The Microsoft Active Template Library (ATL) vulnerability is an issue in the template code that developers may use to create some components or controls. Not all components or controls are at risk.
Cybercriminals who exploit this weakness could install malicious software on your computer or steal your personal information.
More information for consumers
If you have automatic updating turned on, you will receive the security update related to this issue, and you do not need to take further action. If you do not have it turned on, go to Microsoft Update to download and install the latest security update for Internet Explorer that was released on July 28, 2009.
Also, upgrade to Internet Explorer 8 to benefit from enhanced security and protections.
More information for IT professionals
To help protect customers while developers update their components and controls, IT professionals should immediately deploy the security update for Internet Explorer. See Bulletin MS09-034, "Cumulative Security Update for Internet Explorer."
This security update includes new defense-in-depth protections that monitor and help prevent the successful exploitation of all known ATL vulnerabilities, including vulnerabilities that could lead to bypassing ActiveX's killbit security feature.
More information for developers
Microsoft has addressed the issues in ATL and released updates to the library. Download and install the security update for Visual Studio. See Bulletin MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution."
If you have built controls or components with ATL, take immediate action to evaluate them for exposure to a vulnerable condition. For instructions about determining whether your components and controls are vulnerable and how to update them, read Active Template Library Security Update for Developers.
You can check your control or component by using the no-charge scanning service that the Industry Consortium for Advancement of Security on the Internet (ICASI) and Verizon Business collaborated on. Go to www.icasi.org.
How the Active Template Library is affected
To understand how ATL is involved in this issue, it helps to understand a little about how controls are created and used.
The Active Template Library helps developers create components or controls
When software developers create components or controls (such as ActiveX controls) for the Windows platform, they may use ATL to provide some common functionality instead of typing the code in line by line each time.
Controls are small programs that enhance Web interactivity
If you want to view or interact with certain types of Web pages, you must download a custom-built control. These controls enable you to do Web-based tasks, like buying something online or installing security updates from Microsoft Update.
When ATL was originally developed, a vulnerability was inadvertently introduced into the code. If you happen to visit a site with a control that cybercriminals are using maliciously, this vulnerability could enable them to compromise your computer.
What Microsoft is doing to help solve this problem
Microsoft is working to help protect customers by providing security updates and guidance, working with the security community and industry, and continuing our investigation into this issue.
Providing guidance and updates to developers, IT professionals, and consumers
Microsoft is working to protect customers by providing security updates, addressing the issue in the Active Template Library, and identifying the Microsoft controls and components that expose this vulnerability.
Working with the security community and industry
Vulnerabilities in shared code libraries are rare, industry-wide issues that require broad collaboration and action to resolve.
Microsoft is working through the Microsoft Active Protections Program to help provide security protections through our global partners. Our Microsoft Security Vulnerability Research has been working with the top providers of controls and components to provide guidance and help them to build new non-vulnerable controls.
Continuing our ongoing investigation into this issue
Microsoft is continuing our investigation to identify Microsoft-authored controls and components that are affected by this issue. In addition, we are working to provide guidance and information that ISVs can use to determine whether their components and controls are affected and what they can do to address them.
5 things you can do to be safer online
Browse the Web with a standard or limited user account instead of an administrator account. Using a standard or limited user account could reduce the impact of this vulnerability on your computer.
Keep your computer's software up to date. Your operating system and your software programs—especially your antivirus and antispyware software—must be updated regularly. Microsoft Update and most other software programs allow you to do this automatically. When we have security updates, they will be available on Microsoft Update and available through automatic updating. Many software vendors in addition to Microsoft offer automatic updating features for their software.
Upgrade to Internet Explorer 8.0 to benefit from enhanced security and protections.
Beware of scareware, also known as rogue security software. This is malicious software that masquerades as security software, but could do damage to your computer or steal your personal information.
Never download an ActiveX control or anything else from a Web site you don't absolutely trust. Even then, if an ActiveX control is not essential to your computer activity, avoid installing it. Recommended reading: What is an Active X control?