Executive Summary

Summary
Title Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
Informations
Name KB973882 First vendor Publication 2009-07-28
Vendor Microsoft Last vendor Modification 2009-10-13
Severity (Vendor) N/A Revision 4.0

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Microsoft is releasing this security advisory to provide information about our ongoing investigation into vulnerabilities in the public and private versions of Microsoft's Active Template Library (ATL). This advisory also provides guidance as to what developers can do to help ensure that the controls and components they have built are not vulnerable to the ATL issues; what IT Professionals and consumers can do to mitigate potential attacks that use the vulnerabilities; and what Microsoft is doing as part of its ongoing investigation into the issue described in this advisory. This security advisory will also provide a comprehensive listing of all Microsoft Security Bulletins and Security Updates related to the vulnerabilities in ATL. Microsoft's investigation into the private and public versions of ATL is ongoing, and we will release security updates and guidance as appropriate as part of the investigation process.

Microsoft is aware of security vulnerabilities in the public and private versions of ATL. The Microsoft ATL is used by software developers to create controls or components for the Windows platform. The vulnerabilities described in this Security Advisory and Microsoft Security Bulletin MS09-035 could result in information disclosure or remote code execution attacks for controls and components built using vulnerable versions of the ATL. Components and controls created with the vulnerable version of ATL may be exposed to a vulnerable condition due to how ATL is used or due to issues in the ATL code itself.

Developer Guidance: Microsoft has corrected the issues in the public headers of ATL and released updates to the libraries in bulletin MS09-035 "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution." Microsoft strongly recommends that developers who have built controls or components with ATL take immediate action to evaluate their controls for exposure to a vulnerable condition and follow the guidance provided to create controls and components that are not vulnerable. For more information on the vulnerabilities and guidance to address issues in ATL, see MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution."

IT Professional and Consumer Guidance: To help better protect customers while developers update their components and controls, Microsoft has developed a new defense-in-depth technology. This new defense-in-depth technology built into Internet Explorer helps to protect customers from future attacks using the Microsoft Active Template Library vulnerabilities described in this Advisory and Microsoft Security Bulletin MS09-035. To benefit from this new defense-in-depth technology, IT Professionals and consumers should immediately deploy the Internet Explorer Security Update offered in Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer."

This security update includes a mitigation that prevents components and controls built using the vulnerable ATL from being exploited in Internet Explorer, as well as addressing multiple unrelated vulnerabilities. The new defense-in-depth protections offered in MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8. These defense-in-depth protections monitor and help prevent the successful exploitation of all known public and private ATL vulnerabilities, including the vulnerabilities that could lead to bypassing ActiveX's kill bit security feature. These protections are designed to help protect customers from Web-based attacks.

Home User Guidance: To help better protect customers while developers update their components and controls, Microsoft has developed a new defense-in-depth technology. This new defense-in-depth technology built into Internet Explorer with the new update helps to protect customers from future attacks using the Microsoft Active Template Library vulnerabilities described in this Advisory and Microsoft Security Bulletin MS09-035. Home users signed up for Automatic Updates will receive the new Internet Explorer update automatically and do not have to take any further action. Home Users will automatically be better protected from future attacks against the vulnerabilities addressed in this Security Advisory and in Microsoft Security Bulletin MS09-035.

Mitigating Factors for Controls and Components built using vulnerable version of Microsoft's Active Template Library (ATL):

  • By default, the majority of ActiveX controls are not included in the default allow-list for ActiveX controls in Internet Explorer 7 or Internet Explorer 8 running on Windows Vista or later operating systems. Only customers who have explicitly approved vulnerable controls by using the ActiveX opt-in feature are at risk to attempts to exploit this vulnerability. However, if a customer has used such ActiveX controls in a previous version of Internet Explorer, and then later upgraded to Internet Explorer 7 or Internet Explorer 8, then these ActiveX controls are enabled to work in Internet Explorer 7 and Internet Explorer 8, even if the customer has not explicitly approved it using the ActiveX opt-in feature.
  • By default, Internet Explorer 8 offers enhanced protections by enabling DEP/NX memory protections for users on Windows XP Service Pack 3, Windows Vista Service Pack 1 and Windows Vista Service Pack 2, and Windows 7.
  • By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.
  • By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.
  • In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Updates related to ATL:

Update released on October 13, 2009

  • Microsoft Security Bulletin MS09-060, "Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution," provides support for Microsoft Office components that are affected by the ATL vulnerabilities described in this advisory.

Updates released on August 25, 2009

  • Windows Live Messenger 14.0.8089 is being released to address vulnerabilities in the Windows Live Messenger client that are related to the ATL vulnerabilities described in this advisory.
  • A Frequently Asked Questions about Windows Live Components section has been added to this advisory to communicate the removal of the Windows Live Hotmail "Attach Photo" feature and to provide details about the Windows Live Messenger 14.0.8089 release.

Updates released on August 11, 2009

  • Microsoft Security Bulletin MS09-037, "Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution," provides support for Windows components that are affected by the ATL vulnerabilities described in this advisory.
  • Microsoft Security Bulletin MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution," is being rereleased to offer new updates for developers who use Visual Studio to create components and controls for mobile applications using ATL for Smart Devices.

Updates released on July 28, 2009

  • Microsoft Security Bulletin MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution," goes into further detail about the specific vulnerabilities in ATL and provides the updated public ATL headers for vendors to develop updated components and controls. Our investigation has shown that there are Microsoft and third-party components and controls that are affected by this issue and that these components and controls exist on all supported editions of Windows 2000 Service Pack 4, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Developers who used vulnerable versions of the ATL when building controls or components should review this bulletin and take immediate action if their controls are vulnerable.
  • Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer," includes a mitigation that prevents components and controls built using the vulnerable ATL from being exploited in Internet Explorer, as well as addressing multiple unrelated vulnerabilities. The new defense in depth protections offered in MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8. These defense-in-depth protections monitor and help prevent the successful exploitation of all known public and private ATL vulnerabilities, including the vulnerabilities that could lead to bypassing ActiveX's kill bit security feature. These protections are designed to help protect customers from Web-based attacks.
  • We are not aware of any methods or controls included with Windows 7 that would allow attacks to be successful through Internet Explorer.

Update released on July 14, 2009

  • Microsoft Security Bulletin MS09-032, "Cumulative Security Update of ActiveX Kill Bits," provided ActiveX security measures (a kill bit) that prevented the msvidctl control from running in Internet Explorer. The exploit in msvidcntl took advantage of a vulnerability in the private version of ATL. In this specific instance, the vulnerability allows an attacker to corrupt memory, which may lead to a remote code execution. The kill bits issued in the June release for msvidctl (MS09-032) will block the public exploits as described here.

General Information

Overview

Purpose of Advisory: This advisory was released to provide customers with initial notification of the publicly disclosed vulnerability. For more information, see the Workarounds, Mitigating Factors, and Suggested Actions sections of this security advisory.

Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.

ReferencesIdentification
CVE ReferenceCVE-2009-0901
CVE-2009-2493
CVE-2009-2495
CVE-2008-0015
Security BulletinMS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution"

MS09-034, "Cumulative Security Update for Internet Explorer"

MS09-032, "Cumulative Security Update of ActiveX Kill Bits"
Microsoft Knowledge Base ArticleMS09-035:
Microsoft Knowledge Base Article 969706

MS09-034:
Microsoft Knowledge Base Article 972260

MS09-032:
Microsoft Knowledge Base Article 973346

This advisory discusses the following software.

Affected Software
Microsoft Windows
Controls and components created using vulnerable Active Template Library
Microsoft Live Services
Windows Live Messenger (versions less than 14.0.8089)
Windows Live Hotmail "Attach Photo" feature

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of vulnerabilities affecting components and controls built using public and private versions of the Active Template Library (ATL). The advisory aims to make users aware of updates that help mitigate the risk of vulnerable controls and components, provide guidance and direction to developers who have built controls and components using the vulnerable ATL, and to IT professionals on how to protect and install mitigations in their environment.

Will Microsoft release additional security updates related to this Security Advisory in the future?
Microsoft's investigation into the private and public headers of ATL is ongoing and we will release security updates and guidance as appropriate as part of the investigation process.

Was the msvidctl vulnerability (MS09-032) related to this ATL update?
Yes, the exploit in msvidctl took advantage of a vulnerability in the private version of ATL. In this specific instance, the vulnerability allows an attacker to corrupt memory, which may lead to a remote code execution. MS09-032, previously issued in the July 14 release, blocks known attacks for msvidctl. For more information on the exploit in msvidctl, see http://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activex-control-object-in-msvidctl-dll.aspx.

Will the Internet Explorer update (ms09-034) also protect against msvidctl attacks?
Yes, the Internet Explorer mitigations will protect against the exploitation of the known vulnerabilities in the public and private versions of ATL, including the msvidctl attacks.

What is ATL?
The Active Template Library (ATL) is a set of template-based C++ classes that lets you create small, fast Component Object Model (COM) objects. ATL has special support for key COM features, including stock implementations, dual interfaces, standard COM enumerator interfaces, connection points, tear-off interfaces, and ActiveX controls. For more information, see the MSDN article, ATL.

What causes this threat in ATL?
The issue is caused in some cases by the way ATL is used, and in other cases by the ATL code itself. In these cases, data streams may be handled incorrectly, which can lead to memory corruption, information disclosure, and instantiation of objects without regard to security policy. For more information on the vulnerabilities addressed in ATL, see MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution."

What are the differences between the public and private versions of the Active Template Library?
The private version of the Active Template Library is used by Microsoft developers to build controls and components. Microsoft has updated all versions of the Active Template Library used by our developers.

The public version of the Active Template Library is distributed to customers through developer tools, such as Microsoft Visual Studio. Microsoft is providing an updated version of our public ATL through Microsoft Security Bulletin MS09-035.

Will the security vulnerabilities in ATL require Microsoft and third-party developers to issue security updates?
Yes. In addition to the bulletin updates described in this advisory, Microsoft is performing a comprehensive investigation of Microsoft controls and components. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-band security update, depending on customer needs.

Microsoft is also providing guidance and is actively contacting major third-party developers to help them identify vulnerable controls and components. This may result in security updates for third party controls and components.

Frequently Asked Questions about Windows Live Services

How will the upgrade to Windows Live Messenger be distributed?
Upon signing on to Windows Live Messenger service, users of Windows Live Messenger 8.1, Windows Live Messenger 8.5, and Windows Live Messenger 14.0 on supported releases of Windows will be prompted by the client deployment mechanism in the Windows Live Messenger service to accept the upgrade to Windows Live Messenger 14.0.8089. Also, users who desire to download the upgrade to Windows Live Messenger 14.0.8089 immediately may do so by using the Windows Live Download Center. Otherwise, users of vulnerable versions of the Windows Live Messenger clients may not be allowed to connect to the Windows Live Messenger service.

Why is Microsoft releasing the upgrade to Windows Live Messenger over the Windows Live Messenger service as well as providing downloads?
Microsoft currently issues upgrades for the Windows Live Messenger client using the Windows Live Messenger service because these online services have their own client deployment mechanism. However, Microsoft Download Center links are also available for specific Windows Live Messenger clients. Users who desire to download the upgrades immediately may do so at the Windows Live Download Center.

If this is an upgrade, how can I detect if I have a vulnerable version of Windows Live Messenger?
When you attempt to sign on to the Windows Live Messenger service, the client deployment mechanism will automatically determine your current client version and platform and if required, recommend the appropriate upgrade. Also, you may verify your Windows Live Messenger client version by clicking Help and then About.

What happens if I do not upgrade to the most current version of Windows Live Messenger?
If you do not upgrade to a non-affected version of the Windows Live Messenger client, depending on your platform, you will be notified to upgrade on each attempt to sign on. If you do not accept the upgrade, you may not be allowed access to Windows Live Messenger service.

Are other Microsoft Real-Time Collaboration applications, like Windows Messenger or Office Communicator, affected by this vulnerability?
No. Other messaging applications are not affected as they do not contain the vulnerable component.

When did Microsoft remove the Windows Live Hotmail "Attach Photo" feature? Did it coincide with the launch of another new feature?
Microsoft recently made the decision to remove the feature on a short-term basis in order to fix the issue. The temporary removal of this feature did not coincide with the launch of another feature.

What is latest timetable for the "Attach Photo" feature to be fully restored to all Windows Live Hotmail users?
Microsoft is actively working to correct the problem. In the meantime, you are still able to add pictures as attachments to your Hotmail messages by clicking Attach, and then selecting the picture you want to include.

Frequently Asked Questions from Developers about the Visual Studio Update

What causes this threat in ATL?
The issue is caused in some cases by the way ATL is used, and in other cases by the ATL code itself. In these cases, data streams may be handled incorrectly, which can lead to memory corruption, information disclosure, and instantiation of objects without regard to security policy. For more information on the vulnerabilities addressed in ATL, see MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution."

What might an attacker use this vulnerability to do?
For controls and components built using ATL, unsafe usage of certain macros could allow the instantiation of arbitrary objects that can bypass related ActiveX security policy (i.e. kill bits) within Internet Explorer. Additionally, components and controls built using the vulnerable version of ATL may be vulnerable to remote code execution or information disclosure threats. If a user is logged on with administrative user rights, and they have a vulnerable control on their system, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

I am a third-party application developer and I use ATL in my component or control. Is my component or control vulnerable, and if so, how do I update it?
Components and controls may be affected by this issue if certain conditions are met during the building of the component or control. MS09-035 contains additional information, examples, and guidance that third-party developers can use to detect and correct vulnerable components and controls.

What does the Security Update for Visual Studio do?
These updates address vulnerabilities in the Microsoft Active Template Library (ATL) that could allow a remote, unauthenticated user to run arbitrary code on an affected system. These vulnerabilities are in some cases caused by the way that ATL is used, and in other cases by the ATL code itself. Since these vulnerabilities affect ATL, components or controls that were developed using ATL may expose customers using the affected controls and components to remote code execution scenarios.

The security update for Visual Studio updates the vulnerable version of the ATL used by Visual Studio. This allows Visual Studio users to modify and re-build their controls and components using an updated version of the ATL.

Our investigation has shown that both Microsoft and third-party components and controls may be affected by this issue. Therefore, all affected vendors must modify, and rebuild, their components and controls using the corrected ATL provided in Microsoft Security Bulletin MS09-035.

Frequently Asked Questions from IT Professionals about what they can do to protect themselves

Does the IE update MS09-034 protect me from all components and controls that were built on the vulnerable version of ATL?
To help better protect customers while developers update their components and controls, Microsoft has developed a new defense-in-depth technology. This new defense-in-depth technology built into Internet Explorer helps to protect customers from future attacks using the Microsoft Active Template Library vulnerabilities described in this Advisory and in Microsoft Security Bulletin MS09-035. Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer," includes a mitigation that prevents components and controls built using the vulnerable ATL from being exploited in Internet Explorer, as well as addressing multiple unrelated vulnerabilities.

Microsoft is continuing to investigate all Microsoft controls and components and is helping third party developers evaluate their controls and components.

What action can an IT professional take to mitigate exposure to this issue?
Microsoft strongly recommends that IT professionals immediately deploy the Internet Explorer Security Update offered in Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer."

Frequently Asked Questions about what Consumers can do to protect themselves

What action can consumers take to mitigate exposure to this issue?
To help better protect customers while developers update their components and controls, Microsoft has developed a new defense-in-depth technology. This new defense-in-depth technology built into Internet Explorer helps to protect customers from future attacks using the Microsoft Active Template Library vulnerabilities described in this Advisory and in Microsoft Security Bulletin MS09-035. Microsoft strongly recommends that consumers turn on Automatic Update and immediately deploy the Internet Explorer Security Update offered in Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer." Home users who receive updates automatically will receive the mitigations provided in the cumulative IE update and other security updates related to this issue, and do not have to take further action.

Microsoft also encourages Home users to upgrade to Internet Explorer 8 to benefit from enhanced security and protections.

Frequently asked Questions about the mitigations in Internet Explorer Update

What causes this threat which could allow the bypass of ActiveX security?
ActiveX controls built with vulnerable ATL methods may not correctly validate information. This could result in an ActiveX control that allows memory corruption, or allows an attacker to leverage a trusted ActiveX control to load an un-trusted ActiveX control that had been previously blocked from running in Internet Explorer.

The new defense in depth protections offered in MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8, that monitor and prevent the successful exploitation of all known public and private ATL vulnerabilities, including the vulnerabilities that could lead to bypassing the IE kill bit security feature. These protections are designed to protect customers from Web-based attacks.

What might an attacker use this function to do?
An attacker who successfully exploited this vulnerability on Windows Vista or Windows 2008 would only gain rights as a restricted user due to Protect Mode in Internet Explorer. On other Windows systems, the attacker could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an Attacker use this function?
An attacker could host a Web site that is designed to host a specially crafted ActiveX control and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an instant messenger request that takes users to the attacker's Web site.

What is a kill bit?
A security feature in Microsoft Internet Explorer makes it possible to prevent an ActiveX control from being loaded by the Internet Explorer HTML-rendering engine. This is done by making a registry setting and is referred to as "setting the kill bit." After the kill bit is set, the control can never be loaded, even when it is fully installed. Setting the kill bit makes sure that even if a vulnerable component is introduced or is re-introduced to a system, it remains inert and harmless.

For more information on kill bits, see Microsoft Knowledge Base Article 240797: How to stop an ActiveX control from running in Internet Explorer. For more detailed information on kill bits and how they function within Internet Explorer see the following Security Research and Defense blog post.

What does the update do?
The update strengthens the ActiveX security mechanism by providing validation when unsafe methods are used by ActiveX controls using vulnerable ATL headers in specific configurations.

Does this update change functionality?
Yes. This update no longer allows specific sets of ATL methods to run within Internet Explorer. The update mitigates the risk of bypassing active security by preventing trusted ActiveX controls from loading un-trusted controls

Does this update contain additional software changes?
Yes. This update also contains additional security fixes and other updates to Internet Explorer as part of the cumulative update for Internet Explorer.

Does this update address all unsafe ActiveX control scenarios?
No. This update specifically addresses unsafe/un-trusted ActiveX controls that may be vulnerable to the ATL issues described in this Advisory to protect customers from attack when browsing the Internet.

Microsoft is continuing to investigate this issue. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-band security update, depending on customer needs.

How does Protected Mode in Internet Explorer 7 and Internet Explorer 8 on Windows Vista and later protect me from this vulnerability?
Internet Explorer 7 and Internet Explorer 8 on Windows Vista and later operating systems run in Protected Mode by default in the Internet security zone. Protected Mode significantly reduces the ability of an attacker to write, alter, or destroy data on the users machine or to install malicious code. This is accomplished by using the integrity mechanisms of Windows Vista and later, which restrict access to processes, files, and registry keys with higher integrity levels.

What is Data Execution Prevention (DEP)?
Data Execution Prevention (DEP) is enabled by default in Internet Explorer 8. DEP is designed to help foil attacks by preventing code from running in memory that is marked non-executable. For more information about DEP in Internet Explorer, please see the following post: http://blogs.msdn.com/ie/archive/2008/04/08/ie8-security-part-I_3A00_-dep-nx-memory-protection.aspx.

Suggested Actions

  • Review the Microsoft Knowledge Base Article that is associated with this advisory

    Customers who are interested in learning more about the ATL issues should review Microsoft Knowledge Base Article 973882.
  • Apply the updates associated with security bulletins MS09-034 and MS09-035

    Customers with affected systems can download the updates from Microsoft Knowledge Base Article 969706 and from Microsoft Knowledge Base Article 972260. The Internet Explorer update provides new mitigations that prevent the instantiation of vulnerable ActiveX controls within Internet Explorer 7 and 8. The Visual Studio update allows developers to create ActiveX controls that are not affect by these vulnerabilities.
  • Protect Your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.
  • For more information about staying safe on the Internet, customers should visit Microsoft Security Central.
  • Keep Windows Updated

    All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
Workarounds

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones

You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls and Active Scripting. You can do this by setting your browser security to High.

To raise the browsing security level in Microsoft Internet Explorer, follow these steps:

  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
  3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

Note If no slider is visible, click Default Level, and then move the slider to High.

Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

Impact of Workaround: There are side effects to prompting before running ActiveX controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone .

Add sites that you trust to the Internet Explorer Trusted sites zone

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To accomplish this, follow these steps:

  1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
  2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
  3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
  4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
  5. Repeat these steps for each site that you want to add to the zone.
  6. Click OK two times to accept the changes and return to Internet Explorer.

Note Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.

Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

You can help protect against this vulnerability by changing your Internet Explorer settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, follow these steps:

  1. In Internet Explorer, click Internet Options on the Tools menu.
  2. Click the Security tab.
  3. Click Internet, and then click Custom Level.
  4. Under Settings, in the Scripting section, under Active Scripting, click Promptor Disable, and then click OK.
  5. Click Local intranet, and then click Custom Level.
  6. Under Settings, in the Scripting section, under Active Scripting, click Promptor Disable, and then click OK.
  7. Click OK two times to return to Internet Explorer.

Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.

Impact of Workaround: There are side effects to prompting before running Active Scripting. Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".

Add sites that you trust to the Internet Explorer Trusted sites zone

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To accomplish this, follow these steps:

  1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
  2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
  3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
  4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
  5. Repeat these steps for each site that you want to add to the zone.
  6. Click OK two times to accept the changes and return to Internet Explorer.

Note Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.

Original Source

Url : http://www.microsoft.com/technet/security/advisory/973882.mspx

CWE : Common Weakness Enumeration

% Id Name
25 % CWE-264 Permissions, Privileges, and Access Controls
25 % CWE-200 Information Exposure
25 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
25 % CWE-94 Failure to Control Generation of Code ('Code Injection')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:6245
 
Oval ID: oval:org.mitre.oval:def:6245
Title: ATL COM Initialization Vulnerability
Description: The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-2493
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Outlook Express
Windows Media Player
Windows ATL Component
DHTML Editing Component ActiveX Control
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6289
 
Oval ID: oval:org.mitre.oval:def:6289
Title: ATL Uninitialized Object Vulnerability
Description: The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not prevent VariantClear calls on an uninitialized VARIANT, which allows remote attackers to execute arbitrary code via a malformed stream to an ATL (1) component or (2) control, related to ATL headers and error handling, aka "ATL Uninitialized Object Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0901
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Outlook Express
Windows Media Player
Windows ATL Component
DHTML Editing Component ActiveX Control
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6304
 
Oval ID: oval:org.mitre.oval:def:6304
Title: ATL COM Initialization Vulnerability
Description: The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-2493
Version: 13
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Visual Studio .NET 2003
Microsoft Visual Studio 2005
Microsoft Visual Studio 2008
Microsoft Visual C++ 2005 Redistributable Package
Microsoft Visual C++ 2008 Redistributable Package
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6305
 
Oval ID: oval:org.mitre.oval:def:6305
Title: ATL Null String Vulnerability
Description: The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1 does not properly enforce string termination, which allows remote attackers to obtain sensitive information via a crafted HTML document with an ATL (1) component or (2) control that triggers a buffer over-read, related to ATL headers and buffer allocation, aka "ATL Null String Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-2495
Version: 15
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Visual Studio .NET 2003
Microsoft Visual Studio 2005
Microsoft Visual Studio 2008
Microsoft Visual C++ 2005 Redistributable Package
Microsoft Visual C++ 2008 Redistributable Package
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6311
 
Oval ID: oval:org.mitre.oval:def:6311
Title: ATL Uninitialized Object Vulnerability
Description: The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not prevent VariantClear calls on an uninitialized VARIANT, which allows remote attackers to execute arbitrary code via a malformed stream to an ATL (1) component or (2) control, related to ATL headers and error handling, aka "ATL Uninitialized Object Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0901
Version: 13
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Visual Studio .NET 2003
Microsoft Visual Studio 2005
Microsoft Visual Studio 2008
Microsoft Visual C++ 2005 Redistributable Package
Microsoft Visual C++ 2008 Redistributable Package
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6333
 
Oval ID: oval:org.mitre.oval:def:6333
Title: Microsoft Video ActiveX Control Vulnerability
Description: Stack-based buffer overflow in the CComVariant::ReadFromStream function in the Active Template Library (ATL), as used in the MPEG2TuneRequest ActiveX control in msvidctl.dll in DirectShow, in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted web page, as exploited in the wild in July 2009, aka "Microsoft Video ActiveX Control Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2008-0015
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6363
 
Oval ID: oval:org.mitre.oval:def:6363
Title: Microsoft Video ActiveX Control Vulnerability
Description: Stack-based buffer overflow in the CComVariant::ReadFromStream function in the Active Template Library (ATL), as used in the MPEG2TuneRequest ActiveX control in msvidctl.dll in DirectShow, in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted web page, as exploited in the wild in July 2009, aka "Microsoft Video ActiveX Control Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2008-0015
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Outlook Express
Windows Media Player
Windows ATL Component
DHTML Editing Component ActiveX Control
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6373
 
Oval ID: oval:org.mitre.oval:def:6373
Title: ATL Uninitialized Object Vulnerability
Description: The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not prevent VariantClear calls on an uninitialized VARIANT, which allows remote attackers to execute arbitrary code via a malformed stream to an ATL (1) component or (2) control, related to ATL headers and error handling, aka "ATL Uninitialized Object Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0901
Version: 2
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2003
Product(s): Microsoft Outlook 2002
Microsoft Outlook 2003
Microsoft Outlook 2007
Microsoft Visio Viewer 2002
Microsoft Office Visio Viewer 2003
Microsoft Office Visio Viewer 2007
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6421
 
Oval ID: oval:org.mitre.oval:def:6421
Title: ATL COM Initialization Vulnerability
Description: The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-2493
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6473
 
Oval ID: oval:org.mitre.oval:def:6473
Title: ATL COM Initialization Vulnerability
Description: The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-2493
Version: 2
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2003
Product(s): Microsoft Outlook 2002
Microsoft Outlook 2003
Microsoft Outlook 2007
Microsoft Visio Viewer 2002
Microsoft Office Visio Viewer 2003
Microsoft Office Visio Viewer 2007
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6478
 
Oval ID: oval:org.mitre.oval:def:6478
Title: ATL Null String Vulnerability
Description: The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1 does not properly enforce string termination, which allows remote attackers to obtain sensitive information via a crafted HTML document with an ATL (1) component or (2) control that triggers a buffer over-read, related to ATL headers and buffer allocation, aka "ATL Null String Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-2495
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2003
Product(s): Microsoft Outlook 2002
Microsoft Outlook 2003
Microsoft Outlook 2007
Microsoft Visio Viewer 2002
Microsoft Office Visio Viewer 2003
Microsoft Office Visio Viewer 2007
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6621
 
Oval ID: oval:org.mitre.oval:def:6621
Title: ATL COM Initialization Vulnerability (CVE-2009-2493)
Description: The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-2493
Version: 1
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Product(s): Microsoft Internet Explorer
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6716
 
Oval ID: oval:org.mitre.oval:def:6716
Title: ATL COM Initialization Vulnerability
Description: The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-2493
Version: 37
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Product(s): Microsoft Outlook 2002
Microsoft Outlook 2003
Microsoft Outlook 2007
Microsoft Visio Viewer 2002
Microsoft Office Visio Viewer 2003
Microsoft Office Visio Viewer 2007
Microsoft Internet Explorer 5
Microsoft Internet Explorer 6
Microsoft Visual Studio .NET 2003
Microsoft Visual Studio 2005
Microsoft Visual Studio 2008
Microsoft Visual C++ 2005 Redistributable Package
Microsoft Visual C++ 2008 Redistributable Package
Microsoft Outlook Express 5.5
Microsoft Outlook Express 6.0
Windows Media Player 9
Windows Media Player 10
Windows Media Player 11
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7436
 
Oval ID: oval:org.mitre.oval:def:7436
Title: Microsoft Video ActiveX Control Vulnerability
Description: Stack-based buffer overflow in the CComVariant::ReadFromStream function in the Active Template Library (ATL), as used in the MPEG2TuneRequest ActiveX control in msvidctl.dll in DirectShow, in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted web page, as exploited in the wild in July 2009, aka "Microsoft Video ActiveX Control Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2008-0015
Version: 16
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Outlook Express
Windows Media Player
Windows ATL Component
DHTML Editing Component ActiveX Control
HtmlInput Object ActiveX Control
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7573
 
Oval ID: oval:org.mitre.oval:def:7573
Title: ATL Null String Vulnerability
Description: The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1 does not properly enforce string termination, which allows remote attackers to obtain sensitive information via a crafted HTML document with an ATL (1) component or (2) control that triggers a buffer over-read, related to ATL headers and buffer allocation, aka "ATL Null String Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-2495
Version: 24
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Outlook 2002
Microsoft Outlook 2003
Microsoft Outlook 2007
Microsoft Visio Viewer 2002
Microsoft Office Visio Viewer 2003
Microsoft Office Visio Viewer 2007
Microsoft Visual Studio .NET 2003
Microsoft Visual Studio 2005
Microsoft Visual Studio 2008
Microsoft Visual C++ 2005 Redistributable Package
Microsoft Visual C++ 2008 Redistributable Package
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7581
 
Oval ID: oval:org.mitre.oval:def:7581
Title: ATL Uninitialized Object Vulnerability
Description: The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not prevent VariantClear calls on an uninitialized VARIANT, which allows remote attackers to execute arbitrary code via a malformed stream to an ATL (1) component or (2) control, related to ATL headers and error handling, aka "ATL Uninitialized Object Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0901
Version: 35
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Outlook 2002
Microsoft Outlook 2003
Microsoft Outlook 2007
Microsoft Visio Viewer 2002
Microsoft Office Visio Viewer 2003
Microsoft Office Visio Viewer 2007
Microsoft Visual Studio .NET 2003
Microsoft Visual Studio 2005
Microsoft Visual Studio 2008
Microsoft Visual C++ 2005 Redistributable Package
Microsoft Visual C++ 2008 Redistributable Package
Microsoft Outlook Express 5.5
Microsoft Outlook Express 6.0
Windows Media Player 9
Windows Media Player 10
Windows Media Player 11
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 6
Application 5
Application 1
Os 1
Os 4
Os 2
Os 3
Os 5

SAINT Exploits

Description Link
Microsoft DirectShow Video Streaming ActiveX IMPEG2TuneRequest Overflow More info here
Visual Studio Active Template Library uninitialized object More info here

OpenVAS Exploits

Date Description
2010-03-16 Name : FreeBSD Ports: openoffice.org
File : nvt/freebsd_openoffice.org.nasl
2009-12-04 Name : MS Internet Explorer 'Style' Object Remote Code Execution Vulnerability
File : nvt/gb_ms_ie_style_object_remote_code_exec_vuln.nasl
2009-11-11 Name : SLES11: Security update for IBM Java 1.6.0
File : nvt/sles11_java-1_6_0-ibm1.nasl
2009-10-14 Name : Microsoft Windows ATL COM Initialization Code Execution Vulnerability (973525)
File : nvt/secpod_ms09-055.nasl
2009-10-14 Name : MS ATL ActiveX Controls for MS Office Could Allow Remote Code Execution (973965)
File : nvt/secpod_ms09-060.nasl
2009-08-14 Name : Vulnerabilities in Microsoft ATL Could Allow Remote Code Execution (973908)
File : nvt/secpod_ms09-037.nasl
2009-08-03 Name : Microsoft Visual Studio ATL Remote Code Execution Vulnerability (969706)
File : nvt/secpod_ms09-035.nasl
2009-07-09 Name : Microsoft Video ActiveX Control 'msvidctl.dll' BOF Vulnerability
File : nvt/gb_ms_video_actvx_bof_vuln_jul09.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
56699 Microsoft Visual Studio Active Template Library (ATL) String Manipulation Arb...

56698 Microsoft Visual Studio Active Template Library (ATL) Data Stream Object Inst...

56696 Microsoft Visual Studio Active Template Library (ATL) Headers VariantClear Co...

55651 Microsoft DirectShow Video Streaming ActiveX (msvidctl.dll) IMPEG2TuneRequest...

A buffer overflow exists in Windows. The DirectShow ActiveX control fails to validate data passed to the IMPEG2TuneRequest interface resulting in a stack overflow. With a specially crafted website, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity.

Information Assurance Vulnerability Management (IAVM)

Date Description
2009-10-15 IAVM : 2009-A-0097 - Multiple Vulnerabilities in Microsoft Active Template Library
Severity : Category II - VMSKEY : V0021756
2009-08-13 IAVM : 2009-A-0067 - Multiple Vulnerabilities in Microsoft Active Template Library
Severity : Category II - VMSKEY : V0019882
2009-07-30 IAVM : 2009-B-0033 - Multiple Vulnerabilities in Visual Studio Active Template Library
Severity : Category II - VMSKEY : V0019798

Snort® IPS/IDS

Date Description
2014-01-10 Microsoft Windows Media Player DirectShow MPEG-2 memory corruption attempt
RuleID : 20744 - Revision : 7 - Type : OS-WINDOWS
2014-01-10 Microsoft DirectShow 3 ActiveX exploit via JavaScript
RuleID : 16602 - Revision : 10 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Excel Add-in for SQL Analysis Services 4 ActiveX clsid unicode access
RuleID : 16166 - Revision : 6 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Office Excel Add-in for SQL Analysis Services 4 ActiveX clsid access
RuleID : 16165 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Excel Add-in for SQL Analysis Services 3 ActiveX clsid unicode access
RuleID : 16164 - Revision : 6 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Office Excel Add-in for SQL Analysis Services 3 ActiveX clsid access
RuleID : 16163 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Excel Add-in for SQL Analysis Services 2 ActiveX clsid unicode access
RuleID : 16162 - Revision : 6 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Office Excel Add-in for SQL Analysis Services 2 ActiveX clsid access
RuleID : 16161 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Excel Add-in for SQL Analysis Services 1 ActiveX clsid unicode access
RuleID : 16160 - Revision : 6 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Office Excel Add-in for SQL Analysis Services 1 ActiveX clsid access
RuleID : 16159 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 6 ActiveX function call unicode access
RuleID : 15905 - Revision : 6 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 6 ActiveX function call access
RuleID : 15904 - Revision : 6 - Type : WEB-ACTIVEX
2014-01-10 Microsoft DirectShow ActiveX exploit via JavaScript - unicode encoding
RuleID : 15679 - Revision : 12 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft DirectShow ActiveX exploit via JavaScript
RuleID : 15678 - Revision : 10 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 9 ActiveX clsid unicode access
RuleID : 15677 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 9 ActiveX clsid access
RuleID : 15676 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 8 ActiveX clsid unicode access
RuleID : 15675 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 8 ActiveX clsid access
RuleID : 15674 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 7 ActiveX clsid unicode access
RuleID : 15673 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 7 ActiveX clsid access
RuleID : 15672 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 6 ActiveX function call
RuleID : 15671 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 6 ActiveX clsid access
RuleID : 15670 - Revision : 18 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 5 ActiveX clsid unicode access
RuleID : 15669 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 5 ActiveX clsid access
RuleID : 15668 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 45 ActiveX clsid unicode access
RuleID : 15667 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 45 ActiveX clsid access
RuleID : 15666 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 44 ActiveX clsid unicode access
RuleID : 15665 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 44 ActiveX clsid access
RuleID : 15664 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 43 ActiveX clsid unicode access
RuleID : 15663 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 43 ActiveX clsid access
RuleID : 15662 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 42 ActiveX clsid unicode access
RuleID : 15661 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 42 ActiveX clsid access
RuleID : 15660 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 41 ActiveX clsid unicode access
RuleID : 15659 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 41 ActiveX clsid access
RuleID : 15658 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 40 ActiveX clsid unicode access
RuleID : 15657 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 40 ActiveX clsid access
RuleID : 15656 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 4 ActiveX clsid unicode access
RuleID : 15655 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 4 ActiveX clsid access
RuleID : 15654 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 39 ActiveX clsid unicode access
RuleID : 15653 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 39 ActiveX clsid access
RuleID : 15652 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 38 ActiveX clsid unicode access
RuleID : 15651 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 38 ActiveX clsid access
RuleID : 15650 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 37 ActiveX clsid unicode access
RuleID : 15649 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 37 ActiveX clsid access
RuleID : 15648 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 36 ActiveX clsid unicode access
RuleID : 15647 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 36 ActiveX clsid access
RuleID : 15646 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 35 ActiveX clsid unicode access
RuleID : 15645 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 35 ActiveX clsid access
RuleID : 15644 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 34 ActiveX clsid unicode access
RuleID : 15643 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 34 ActiveX clsid access
RuleID : 15642 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 33 ActiveX clsid unicode access
RuleID : 15641 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 33 ActiveX clsid access
RuleID : 15640 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 32 ActiveX clsid unicode access
RuleID : 15639 - Revision : 10 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 32 ActiveX clsid access
RuleID : 15638 - Revision : 18 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 31 ActiveX clsid unicode access
RuleID : 15637 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 31 ActiveX clsid access
RuleID : 15636 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 30 ActiveX clsid unicode access
RuleID : 15635 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 30 ActiveX clsid access
RuleID : 15634 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 3 ActiveX clsid unicode access
RuleID : 15633 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 3 ActiveX clsid access
RuleID : 15632 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 29 ActiveX clsid unicode access
RuleID : 15631 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 29 ActiveX clsid access
RuleID : 15630 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 28 ActiveX clsid unicode access
RuleID : 15629 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 28 ActiveX clsid access
RuleID : 15628 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 27 ActiveX clsid unicode access
RuleID : 15627 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 27 ActiveX clsid access
RuleID : 15626 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 26 ActiveX clsid unicode access
RuleID : 15625 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 26 ActiveX clsid access
RuleID : 15624 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 25 ActiveX clsid unicode access
RuleID : 15623 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 25 ActiveX clsid access
RuleID : 15622 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 24 ActiveX clsid unicode access
RuleID : 15621 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 24 ActiveX clsid access
RuleID : 15620 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 23 ActiveX clsid unicode access
RuleID : 15619 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 23 ActiveX clsid access
RuleID : 15618 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 22 ActiveX clsid unicode access
RuleID : 15617 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 22 ActiveX clsid access
RuleID : 15616 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 21 ActiveX clsid unicode access
RuleID : 15615 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 21 ActiveX clsid access
RuleID : 15614 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 20 ActiveX clsid unicode access
RuleID : 15613 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 20 ActiveX clsid access
RuleID : 15612 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 2 ActiveX clsid unicode access
RuleID : 15611 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 2 ActiveX clsid access
RuleID : 15610 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 19 ActiveX clsid unicode access
RuleID : 15609 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 19 ActiveX clsid access
RuleID : 15608 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 18 ActiveX clsid unicode access
RuleID : 15607 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 18 ActiveX clsid access
RuleID : 15606 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 17 ActiveX clsid unicode access
RuleID : 15605 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 17 ActiveX clsid access
RuleID : 15604 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 16 ActiveX clsid unicode access
RuleID : 15603 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 16 ActiveX clsid access
RuleID : 15602 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 15 ActiveX clsid unicode access
RuleID : 15601 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 15 ActiveX clsid access
RuleID : 15600 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 14 ActiveX clsid unicode access
RuleID : 15599 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 14 ActiveX clsid access
RuleID : 15598 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 13 ActiveX clsid unicode access
RuleID : 15597 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 13 ActiveX clsid access
RuleID : 15596 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 12 ActiveX clsid unicode access
RuleID : 15595 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 12 ActiveX clsid access
RuleID : 15594 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 11 ActiveX clsid unicode access
RuleID : 15593 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 11 ActiveX clsid access
RuleID : 15592 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 10 ActiveX clsid unicode access
RuleID : 15591 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 10 ActiveX clsid access
RuleID : 15590 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Video 1 ActiveX clsid unicode access
RuleID : 15589 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10 Microsoft Video 1 ActiveX clsid access
RuleID : 15588 - Revision : 13 - Type : BROWSER-PLUGINS

Nessus® Vulnerability Scanner

Date Description
2011-01-27 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_flash-player-6386.nasl - Type : ACT_GATHER_INFO
2010-10-11 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_java-1_5_0-ibm-6741.nasl - Type : ACT_GATHER_INFO
2010-03-01 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_c97d7a37223311df96dd001b2134ef46.nasl - Type : ACT_GATHER_INFO
2010-02-12 Name : The remote Windows host has a program affected by multiple buffer overflows.
File : openoffice_32.nasl - Type : ACT_GATHER_INFO
2010-01-08 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_java-1_5_0-ibm-6740.nasl - Type : ACT_GATHER_INFO
2009-12-27 Name : The remote SuSE 9 host is missing a security-related patch.
File : suse9_12564.nasl - Type : ACT_GATHER_INFO
2009-12-08 Name : Arbitrary code can be executed on the remote host through a web browser.
File : smb_nt_ms09-072.nasl - Type : ACT_GATHER_INFO
2009-11-05 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_java-1_6_0-ibm-091102.nasl - Type : ACT_GATHER_INFO
2009-10-14 Name : Arbitrary code can be executed on the remote host through Microsoft Office Ac...
File : smb_nt_ms09-060.nasl - Type : ACT_GATHER_INFO
2009-10-13 Name : The remote Windows host has multiple ActiveX controls that are affected by mu...
File : smb_nt_ms09-055.nasl - Type : ACT_GATHER_INFO
2009-10-06 Name : The remote openSUSE host is missing a security update.
File : suse_flash-player-6387.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 11 host is missing a security update.
File : suse_11_flash-player-090731.nasl - Type : ACT_GATHER_INFO
2009-08-11 Name : Arbitrary code can be executed on the remote host through Microsoft Active Te...
File : smb_nt_ms09-037.nasl - Type : ACT_GATHER_INFO
2009-08-05 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_flash-player-090731.nasl - Type : ACT_GATHER_INFO
2009-08-05 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_flash-player-090731.nasl - Type : ACT_GATHER_INFO
2009-07-30 Name : Arbitrary code can be executed on the remote host through Microsoft Active Te...
File : smb_nt_ms09-035.nasl - Type : ACT_GATHER_INFO
2009-07-30 Name : The remote Windows host contains a browser plugin that is affected by multipl...
File : flash_player_apsb09_10.nasl - Type : ACT_GATHER_INFO
2009-07-29 Name : The remote Windows host contains an Internet Explorer plugin which uses a vul...
File : shockwave_player_apsb09_11.nasl - Type : ACT_GATHER_INFO
2009-07-07 Name : The remote Windows host is missing a security update containing ActiveX kill ...
File : smb_kb_972890.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2013-05-11 00:46:47
  • Multiple Updates