29 July 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2009.1101
Vulnerabilities in Visual Studio Active Template Library Could Allow
Remote Code Execution (969706)
29 July 2009

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Microsoft Visual Studio .NET 2003 Service Pack 1
                   Microsoft Visual Studio 2005 Service Pack 1
                   Microsoft Visual Studio 2005 Service Pack 1 64-bit Hosted Visual C++ Tools
                   Microsoft Visual Studio 2008
                   Microsoft Visual Studio 2008 Service Pack 1
                   Microsoft Visual C++ 2005 Service Pack 1
                   Microsoft Visual C++ 2008
                   Microsoft Visual C++ 2008 Service Pack 1
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Unauthorised Access -- Remote with User Interaction
Resolution:        Patch
CVE Names:         CVE-2009-2495 CVE-2009-2493 CVE-2009-0901

Original Bulletin: http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx

Comment: As there is a vulnerability in the Microsoft Active Template Library (ATL), it is possible that third party applications using this library could also be vulnerable. Anyone who is authoring their own components and controls utilizing ATL (which may include software other than ActiveX controls) should use the updated libraries available for Visual Studio and make their updated software available to their user-base as soon as practical.

Additionally ICASI have released a scanning service to aid developers in identifying potential vulnerabilities in ActiveX controls and components built with Microsoft's Active Template Libraries (ATL). For details see http://isaci.org

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS09-035 - Moderate

Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)

Published: July 28, 2009

Version: 1.0

General Information

Executive Summary

This security update addresses several privately reported vulnerabilities in the public versions of the Microsoft Active Template Library (ATL) included with Visual Studio. This security update is specifically intended for developers of components and controls. Developers who build and redistribute components and controls using ATL should install the update provided in this bulletin and follow the guidance provided to create, and distribute to their customers, components and controls that are not vulnerable to the vulnerabilities described in this security bulletin.

This security bulletin discusses vulnerabilities that could allow remote code execution if a user loaded a component or control built with the vulnerable versions of ATL. While most Microsoft Security Bulletins discuss the risk of a vulnerability for a specific product, this security bulletin discusses the vulnerabilities that may be present in products built using the ATL. Therefore, this security update is rated Moderate for all supported editions of Microsoft Visual Studio .NET 2003, Microsoft Visual Studio 2005, Microsoft Visual Studio 2008, Microsoft Visual C++ 2005 Redistributable Package, and Microsoft Visual C++ 2008 Redistributable Package.

For more information on the impact of, and workarounds and mitigations for controls and components that may be vulnerable to these issues, please see Microsoft Security Advisory (973882).

The security update addresses the vulnerabilities by modifying the ATL headers so that components and controls built using the headers can safely initialize from a data stream. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Developers who have built components and controls using ATL should download this update and recompile their components and controls following the guidance provided in the following MSDN article.

The majority of Visual Studio customers who have automatic updating enabled will receive this update automatically and receive the updated ATL. However, as noted earlier, additional steps will be needed to update potentially vulnerable controls and components. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

Known Issues. Microsoft Knowledge Base Article 969706 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.

Affected Software

Microsoft Visual Studio .NET 2003 Service Pack 1
Microsoft Visual Studio 2005 Service Pack 1
Microsoft Visual Studio 2005 Service Pack 1 64-bit Hosted Visual C++ Tools
Microsoft Visual Studio 2008
Microsoft Visual Studio 2008 Service Pack 1
Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package
Microsoft Visual C++ 2008 Redistributable Package
Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package

Vulnerability Information

ATL Uninitialized Object Vulnerability - CVE-2009-0901

A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to an issue in the ATL headers that could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized. Because of this, the attacker can control what happens when VariantClear is called during handling of an error by supplying a corrupt stream. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL.

This issue could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.

ATL COM Initialization Vulnerability - CVE-2009-2493

A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to issues in the ATL headers that handle instantiation of an object from data streams. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. For components and controls built using ATL, unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary objects which can bypass related security policy, such as kill bits within Internet Explorer.

This issue could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.

ATL Null String Vulnerability - CVE-2009-2495

An information disclosure vulnerability exists in the Microsoft Active Template Library (ATL) that could allow a string to be read without a terminating NULL character. An attacker could manipulate this string to read extra data beyond the end of the string and thus disclose information in memory. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL.

An attacker who successfully exploited this vulnerability could run a malicious component or control that could disclose information, forward user data to a third party, or access any data on the affected systems that was accessible to the logged-on user. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to firstname.lastname@example.org and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:

http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: email@example.com
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFKb5mHNVH5XJJInbgRAuhtAJ0RIJzQev4uMGcMHG6ZenxyeronHwCghNCz
TtvOuF3eeynDo5R08w1tj8Q=
=2RVE
-----END PGP SIGNATURE-----
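
Added example (not part of the bulletin and not Microsoft's ATL code): a portable C model of the defensive pattern behind CVE-2009-0901 and CVE-2009-2495, where a loader initialises its variant before any read that can fail and always terminates strings it copies out of a stream. The mvariant type, the mv_* and load_property names, and the stream layout are constructed for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a COM VARIANT: a type tag plus an owned string. */
enum { MV_EMPTY = 0, MV_STR = 1 };
typedef struct { uint16_t vt; char *str; } mvariant;

void mv_init(mvariant *v) { v->vt = MV_EMPTY; v->str = NULL; }

/* Like VariantClear, this trusts the tag: on an uninitialised struct it
   would free whatever garbage pointer happens to sit in v->str. */
void mv_clear(mvariant *v) {
    if (v->vt == MV_STR) free(v->str);
    mv_init(v);
}

/* Constructed stream layout: [vt: u16 LE][len: u16 LE][len bytes, no NUL].
   Returns 0 on success, -1 on a corrupt stream; *out is always safe to clear. */
int load_property(const uint8_t *s, size_t n, mvariant *out) {
    uint16_t vt, len;

    mv_init(out);                        /* initialise before any step that can fail */
    if (n < 4) return -1;
    vt  = (uint16_t)(s[0] | (s[1] << 8));
    len = (uint16_t)(s[2] | (s[3] << 8));
    if (vt != MV_STR) return -1;         /* reject type tags we do not handle */
    if ((size_t)len > n - 4) return -1;  /* declared length must fit the stream */

    out->str = malloc((size_t)len + 1);  /* room for the terminator */
    if (out->str == NULL) return -1;
    memcpy(out->str, s + 4, len);
    out->str[len] = '\0';                /* never hand back an unterminated string */
    out->vt = MV_STR;                    /* set the tag only once the payload is owned */
    return 0;
}
```

Because mv_init runs first, a caller's error path can call mv_clear on the result of a failed load without acting on stale memory.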