Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.1101
Vulnerabilities in Visual Studio Active Template Library
Could Allow Remote Code Execution (969706)
29 July 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Visual Studio .NET 2003 Service Pack 1
Microsoft Visual Studio 2005 Service Pack 1
Microsoft Visual Studio 2005 Service Pack 1 64-bit Hosted
Visual C++ Tools
Microsoft Visual Studio 2008
Microsoft Visual Studio 2008 Service Pack 1
Microsoft Visual C++ 2005 Service Pack 1
Microsoft Visual C++ 2008
Microsoft Visual C++ 2008 Service Pack 1
Publisher: Microsoft
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Unauthorised Access -- Remote with User Interaction
Resolution: Patch
CVE Names: CVE-2009-2495 CVE-2009-2493 CVE-2009-0901
Original Bulletin:
http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
Comment: As there is a vulnerability in the Microsoft Active Template Library
(ATL), it is possible that third party applications using this library
could also be vulnerable. Anyone who is authoring their own components
and controls utilizing ATL (which may include software other than
ActiveX controls) should use the updated libraries available for
Visual Studio and make their updated software available to their
user-base as soon as practical.
Additionally ICASI have released a scanning service to aid developers
in identifying potential vulnerabilities in ActiveX controls and
components built with Microsoft's Active Template Libraries (ATL). For
details see http://isaci.org
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Bulletin MS09-035 - Moderate
Vulnerabilities in Visual Studio Active Template Library Could Allow Remote
Code Execution (969706)
Published: July 28, 2009
Version: 1.0
General Information
Executive Summary
This security update addresses several privately reported vulnerabilities
in the public versions of the Microsoft Active Template Library (ATL)
included with Visual Studio. This security update is specifically intended
for developers of components and controls. Developers who build and
redistribute components and controls using ATL should install the update
provided in this bulletin and follow the guidance provided to create, and
distribute to their customers, components and controls that are not
vulnerable to the vulnerabilities described in this security bulletin.
This security bulletin discusses vulnerabilities that could allow remote
code execution if a user loaded a component or control built with the
vulnerable versions of ATL.
While most Microsoft Security Bulletins discuss the risk of a vulnerability
for a specific product, this security bulletin discusses the vulnerabilities
that may be present in products built using the ATL. Therefore, this
security update is rated Moderate for all supported editions of Microsoft
Visual Studio .NET 2003, Microsoft Visual Studio 2005, Microsoft Visual
Studio 2008, Microsoft Visual C++ 2005 Redistributable Package, and
Microsoft Visual C++ 2008 Redistributable Package.
For more information on the impact of, and workarounds and mitigations for
controls and components that may be vulnerable to these issues, please see
Microsoft Security Advisory (973882).
The security update addresses the vulnerabilities by modifying the ATL
headers so that components and controls built using the headers can safely
initialize from a data stream. For more information about the
vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the
specific vulnerability entry under the next section, Vulnerability
Information.
Recommendation. Developers who have built components and controls using ATL
should download this update and recompile their components and controls
following the guidance provided in the following MSDN article.
The majority of Visual Studio customers who have automatic updating enabled
will receive this update automatically and receive the updated ATL. However,
as noted earlier, additional steps will be needed to update potentially
vulnerable controls and components. Customers who have not enabled automatic
updating need to check for updates and install this update manually. For
information about specific configuration options in automatic updating, see
Microsoft Knowledge Base Article 294871.
For administrators and enterprise installations or end users who want to
install this security update manually, Microsoft recommends that customers
apply the update immediately using update management software, or by
checking for updates using the Microsoft Update service.
Known Issues. Microsoft Knowledge Base Article 969706 documents the
currently known issues that customers may experience when installing this
security update. The article also documents recommended solutions for these
issues.
Affected Software
Microsoft Visual Studio .NET 2003 Service Pack 1
Microsoft Visual Studio 2005 Service Pack 1
Microsoft Visual Studio 2005 Service Pack 1 64-bit Hosted Visual C++ Tools
Microsoft Visual Studio 2008
Microsoft Visual Studio 2008 Service Pack 1
Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package
Microsoft Visual C++ 2008 Redistributable Package
Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package
Vulnerability Information
ATL Uninitialized Object Vulnerability - CVE-2009-0901
A remote code execution vulnerability exists in the Microsoft Active
Template Library (ATL) due to an issue in the ATL headers that could allow
an attacker to force VariantClear to be called on a VARIANT that has not
been correctly initialized. Because of this, the attacker can control what
happens when VariantClear is called during handling of an error by supplying
a corrupt stream. This vulnerability only directly affects systems with
components and controls installed that were built using Visual Studio ATL.
This issue could allow a remote, unauthenticated user to perform remote code
execution on an affected system. An attacker could exploit the vulnerability
by constructing a specially crafted Web page. When a user views the Web
page, the vulnerability could allow remote code execution.
ATL COM Initialization Vulnerability - CVE-2009-2493
A remote code execution vulnerability exists in the Microsoft Active
Template Library (ATL) due to issues in the ATL headers that handle
instantiation of an object from data streams. This vulnerability only
directly affects systems with components and controls installed that were
built using Visual Studio ATL. For components and controls built using ATL,
unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary
objects which can bypass related security policy, such as kill bits within
Internet Explorer. This issue could allow a remote, unauthenticated user to
perform remote code execution on an affected system. An attacker could
exploit the vulnerability by constructing a specially crafted Web page.
When a user views the Web page, the vulnerability could allow remote code
execution.
ATL Null String Vulnerability - CVE-2009-2495
An information disclosure vulnerability exists in the Microsoft Active
Template Library (ATL) that could allow a string to be read without a
terminating NULL character. An attacker could manipulate this string to
read extra data beyond the end of the string and thus disclose information
in memory. This vulnerability only directly affects systems with components
and controls installed that were built using Visual Studio ATL. An attacker
who successfully exploited this vulnerability could run a malicious component
or control that could disclose information, forward user data to a third
party, or access any data on the affected systems that was accessible to the
logged-on user. Note that this vulnerability would not allow an attacker to
execute code or to elevate their user rights directly, but it could be used
to produce information that could be used to try to further compromise the
affected system.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFKb5mHNVH5XJJInbgRAuhtAJ0RIJzQev4uMGcMHG6ZenxyeronHwCghNCz
TtvOuF3eeynDo5R08w1tj8Q=
=2RVE
-----END PGP SIGNATURE-----