Microsoft Latest Hack Involves "Errant Ampersand"

Microsoft Corp. On Tuesday ascertained that a single extra character in its own coding is accountable for the bug that has enabled hackers to exploit its signature web browser Internet Explorer (IE) since earlier this month.

The announcement made by the software company has been in line with the similar discoveries brought forth by a pair of German researchers who analysed a flaw in a Microsoft-manufactured ActiveX control around three weeks ago.

The company has claimed an errant ampersand, “&”, responsible for the bug that paved way for carrying out exploits on IE web browser, Microsoft admitted in a blog post published at its Security Development Lifecycle (SDL) website.

A security program manager at Microsoft, Michael Howard, notified in his blog post that the typo actually corrupted the code of an ActiveX control employed by the web browser. The control was developed by using an older library of codes containing flaws, Howard admitted.

In order to address these flaws relating to ActiveX components, Microsoft has issued an emergency fix for IE, as well as for Visual Studio that use the same library of codes, referred to as Active Template Library (ATL).

Our Comments

One would never had believed that a simple Ampersand could cause so much havoc. Unsurprisingly, the release of emergency fix for IE and Visual Studio applications comes at the time when Black Hat is organising a security conference in Las Vegas, which includes a session on ATL related problems.

Related Links

Single misplaced '&' caused latest IE exploit


Critical Out-Of-Band Internet Explorer Patches Available


Microsoft Issues Emergency Fixes For IE, Visual Studio

(Information Week)

Extra '&' in Microsoft development code gave hackers IE exploit


Microsoft Pounces on IE, Visual Studio Flaws


Microsoft Ships Emergency Patch for IE, Visual Studio

(PC Magazine)