Bryan Owen

12-Jul-2012 A Short Story: Vulnerability in Windows Common Controls

Blog Post created by Bryan Owen on Jul 12, 2012

Those of you who frequent the OSIsoft technical support site may have noticed the security bulletin related to a vulnerability in Windows Common Controls. Yep, these are the venerable VB runtime ActiveX controls that have been so much fun for first timers and professional developers alike. Do you remember the cheap thrill the first time you 'programmed' a Listbox? I do, and I owe it all to PI ProcessBook!


As you might expect, the Windows Common Controls are very popular, and to this day many applications still depend on VB6 runtimes. At first mention, depending on technology so far past its prime seems a bit tenuous, but Microsoft's VB6 support statement comes to the rescue:


The Visual Basic team is committed to "It Just Works" compatibility for Visual Basic 6.0 applications on Windows Vista, Windows Server 2008 including R2, Windows 7, and Windows 8.


That policy got the acid test in April with Microsoft Security Bulletin MS12-027 announcing the update for a critical vulnerability in Windows Common Controls.


So what's the rest of the story?


A common pitfall for developers working on security issues is assuming the job is done when the patch is released. Actually, patch availability is a 'hand off' to operational teams. You guessed it: fumble (or 'knock on' for rugby fans)!


In this case a security conscious customer observed that the MS12-027 patch for MSCOMCTL.OCX was missing on a few machines. These machines were part of a PI System, and thankfully the customer reported the issue to OSIsoft technical support. It turns out that, downstream from Microsoft, our developers had some work to do to repackage the Microsoft update.


For PI System partners and developers in the vCampus community, it's possible you have products with the same issue.


No worries. The OSIsoft prerequisite patch scope applies to the entire machine. The mitigation is complete so long as your app runs on the same machine.
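One quick way to confirm the update actually landed on a given machine, added here as an example and not part of the original post or of any OSIsoft tooling: enumerate every copy of MSCOMCTL.OCX on the box and compare its file version with the version shipped by the bulletin. The minimum version below is a placeholder; take the real value from the MS12-027 file information before running it.

```powershell
# Added example: find every copy of MSCOMCTL.OCX on this machine and flag
# any whose file version is older than the version shipped by MS12-027.
# $MinimumVersion is a PLACEHOLDER; fill it in from the bulletin's file
# information table before relying on the result.
$MinimumVersion = [version]'0.0.0.0'   # placeholder, see lead-in

# Typical homes for the control: the system directories and application folders.
$roots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ -and (Test-Path $_) }

$copies = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'mscomctl.ocx' -Recurse -File -ErrorAction SilentlyContinue
}

$report = foreach ($f in $copies) {
    # FileVersionRaw is the parsed version on newer PowerShell; older versions
    # only expose the string, so fall back to parsing it (some builds use commas).
    $ver = if ($f.VersionInfo.FileVersionRaw) {
        $f.VersionInfo.FileVersionRaw
    } else {
        [version](($f.VersionInfo.FileVersion -replace ',', '.') -replace '\s.*$', '')
    }
    [pscustomobject]@{
        Path    = $f.FullName
        Version = $ver
        Status  = if ($ver -ge $MinimumVersion) { 'OK' } else { 'NEEDS UPDATE' }
    }
}

if (-not $report) {
    'No copies of MSCOMCTL.OCX found under the scanned roots.'
} else {
    $report | Sort-Object Status, Path | Format-Table -AutoSize
}
```

Any row marked NEEDS UPDATE is a copy the Microsoft update did not reach, which is exactly the case the customer above reported.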


Is that the end of the story?


Well, I'd like to tell you this could never happen again. Oh no, here we go again. Look at the Microsoft updates for 10 Jul and the MS12-046 vulnerability in Visual Basic for Applications. We are testing and watching closely for reports of missing update cases. In addition, a new VBA SDK was made available and will be considered for bundling the security updates in a future release of ProcessBook.


Moral of the story: a developer's job is never done!


Servicing software is essential for security. Unfortunately, servicing is imperfect today and requires extra effort to close the gaps. Where we can help each other it makes sense to do so.


As a closing nugget, the emerging DevOps movement directly addresses the fumble-prone hand off between development and operations. It's too soon to know if DevOps will be more than next year's buzzword, but the more I learn about it the more I believe in this approach. [DevOps, Rugged Software, SecDevOps, Visual DevOps are frequent search terms dedicated to this movement.]