dtSearch information relating to Microsoft security bulletin MS09-035

Article: dts0224

Applies to: dtSearch 7.62 and earlier

Microsoft Security Bulletin MS09-035 describes security vulnerabilities in the Microsoft Active Template Library (ATL), which is widely used to build software for Windows. The installer included with dtSearch versions 7.62 and earlier contains a Microsoft component, vcredist_x86.exe, that is affected by the vulnerability. Windows Update 973923 fixes the vulnerability, so a system that has already applied this update from Windows Update should not be affected.

Apart from this Microsoft component in the installer, and based on the information provided by Microsoft, we do not believe these security vulnerabilities apply to any dtSearch product, because no dtSearch COM components implement the vulnerable interfaces.

Recommended Actions

Run Windows Update to ensure that the Microsoft components included with dtSearch are patched. This will automatically update any older components that were installed by the unpatched vcredist_x86.exe included with older versions of dtSearch. Alternatively, you can download and install the x86 version of this file:
MFC and CRT redistributable downloads
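The following PowerShell script is an added example, not part of the dtSearch article or of any dtSearch product. It checks the two things the recommended actions depend on: whether the KB973923 update the article names is installed, and which versions of the shared ATL and CRT runtime DLLs that vcredist_x86.exe / vcredist_x64.exe install are present in WinSxS. The patched file versions it compares against (8.0.50727.4053 for the Visual C++ 2005 SP1 ATL security update and 9.0.30729.4148 for the Visual C++ 2008 SP1 ATL security update) are assumptions taken from Microsoft's own update packages and are not stated on this page; confirm them against the Microsoft bulletin before relying on the result.

```powershell
# Added example (not dtSearch code): check a Windows system for the MS09-035
# ATL fixes that the recommended actions above rely on.
#
# Assumptions, not taken from the article:
#   - KB973923 is the Windows Update item the article refers to as "973923".
#   - The minimum patched versions below are those shipped by Microsoft's
#     ATL security updates for the VC++ 2005 SP1 and VC++ 2008 SP1
#     redistributables. Verify against the bulletin for your environment.
$PatchedVersions = @{
    '8.0' = [version]'8.0.50727.4053'   # VC++ 2005 SP1 redistributable ATL security update
    '9.0' = [version]'9.0.30729.4148'   # VC++ 2008 SP1 redistributable ATL security update
}

# 1. Is the Windows Update item installed?
$hotfix = Get-HotFix -Id 'KB973923' -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "KB973923 is installed (InstalledOn: $($hotfix.InstalledOn))"
} else {
    Write-Output "KB973923 was NOT found; run Windows Update or install the updated vcredist package"
}

# 2. Which versions of the shared ATL/CRT DLLs installed by vcredist*.exe are present?
#    Both x86 and x64 side-by-side assemblies live under %WINDIR%\WinSxS.
$runtimeDlls = 'atl80.dll', 'atl90.dll', 'msvcr80.dll', 'msvcr90.dll'
$found = Get-ChildItem -Path "$env:windir\WinSxS" -Recurse -Include $runtimeDlls -ErrorAction SilentlyContinue

if (-not $found) {
    Write-Output "No VC++ 2005/2008 runtime DLLs found in WinSxS"
}

foreach ($dll in $found) {
    $vi = $dll.VersionInfo
    # Build a [version] from the numeric parts; the FileVersion string is
    # formatted like "8.00.50727.4053" and is less convenient to compare.
    $fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $family = "$($vi.FileMajorPart).$($vi.FileMinorPart)"

    if ($PatchedVersions.ContainsKey($family)) {
        $status = if ($fileVersion -ge $PatchedVersions[$family]) { 'patched' } else { 'UNPATCHED' }
    } else {
        $status = 'unknown family (check bulletin)'
    }

    [pscustomobject]@{
        File    = $dll.Name
        Version = $fileVersion.ToString()
        Status  = $status
        Path    = $dll.FullName
    }
}
```

An older dtSearch installer may have left an unpatched runtime assembly in WinSxS that later updates superseded; applications use the newest matching assembly through the side-by-side policy, so an "UNPATCHED" row next to a "patched" row of the same family is expected after Windows Update has run. A system with only "UNPATCHED" rows for a family, or no KB973923, is the case the recommended actions above address.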

Technical Information

Microsoft Security Bulletin MS09-035 describes security vulnerabilities in the Microsoft Active Template Library, which is widely used to build software for Windows. The vulnerability affects COM components that were built with the Active Template Library and that implement certain interfaces.

(1) dtSearch Components

This Microsoft article describes how to determine which COM components are affected by the security vulnerability:

Active Template Library Security Update for Developers

dtSearch COM components (including dten600.dll and dtengine64.dll) prior to 7.63 were built with the vulnerable version of the Active Template Library.

However, these components do not use the interfaces affected by the vulnerability: they are not marked safe for initialization (SFI), and they do not use IPersistStreamInitImpl, AtlPersistStreamInit_Load, or CComVariant::ReadFromStream. Therefore, based on the Microsoft information, they should not be affected by the vulnerability.

dtSearch Engine versions 7.63 and later are built with the patched Microsoft versions of the Active Template Library. Because the affected ATL code is compiled into each component that uses it, a COM component built with the vulnerable ATL must be rebuilt with the patched version; installing the updated Microsoft redistributables does not by itself fix such a component.

(2) dtSearch Installer

The dtSearch installers for versions 7.62 and earlier include the Microsoft redistributable programs vcredist_x86.exe and vcredist_x64.exe. These programs are included to install the Microsoft runtime components that dtSearch programs use. The vcredist*.exe files include vulnerable code from the Active Template Library. However, the components they install are updated automatically by Windows Update, so any computer that is current with Windows Update should not be affected by the unpatched components in the older vcredist*.exe versions.

Updated versions of the vcredist*.exe files are available here:

Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update

Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package ATL Security Update

Additionally, the updated versions are included with dtSearch 7.63.

dtSearch 7.62b, released August 6, 2009, includes the patched version of vcredist_x86.exe but does not include any new versions of dtSearch components, so the build and version numbers have not changed.