Overview
ActiveX controls that are built using a Microsoft ATL template may fail to properly handle initialization data, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
Microsoft Active Template Library (ATL) is a set of C++ classes designed to simplify the creation of COM objects and ActiveX controls. An ActiveX control can be marked "safe for scripting," which means it may be driven by an untrusted caller such as JavaScript in a web page, and/or "safe for initialization," which means it may accept untrusted initialization data, such as the <param> values a web page supplies when it instantiates the control. ActiveX controls built with vulnerable versions of ATL may fail to properly handle that initialization data. The specific flaws are the use of uninitialized objects (CVE-2009-0901), unsafe use of OleLoadFromStream when loading persisted property data (CVE-2009-2493), and failure to check for a terminating NULL character when reading string data (CVE-2009-2495). These flaws may result in memory corruption that can be leveraged to execute code. The OleLoadFromStream flaw also lets the initialization data name an arbitrary COM class to be instantiated; because that instantiation does not pass through Internet Explorer's kill bit check, it can be used to load a control that an administrator has kill-bitted. Because the flawed code is compiled into each control, any control built with an affected ATL version is affected regardless of vendor.
Impact
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.
Solution
Apply an update

This vulnerability has been addressed in the update for Internet Explorer provided in Microsoft Security Bulletin MS09-034. That update does not change the affected controls themselves; it prevents ActiveX controls built with the vulnerable ATL versions from being initialized with the unsafe data patterns in Internet Explorer, including the data pattern that can be used to bypass the kill bit. The ATL code itself is corrected in Microsoft Security Bulletin MS09-035. Developers who ship controls built with the affected ATL versions must rebuild them with the updated ATL, because the flawed code is compiled into each control and is not replaced by the Internet Explorer update.
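The following is an added, illustrative model of the kill bit bypass described in the Description section and of the Internet Explorer mitigation described in the Solution section. It is not ATL, COM or Internet Explorer code: the stream layout, the tag values, the class ids, the counters and every function name are assumptions chosen for illustration. The one property it models is the control flow that matters here: Internet Explorer enforces the kill bit when it instantiates an <object>, but a control whose persisted-property loader hands a class id taken from its initialization data to a lower-level creation routine never passes through that check.

```c
/* Added model, not ATL/COM/IE code. Stream layout, tags, class ids and
 * function names are assumptions made for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_END    0x00
#define TAG_STRING 0x01   /* followed by u8 length and that many bytes */
#define TAG_OBJECT 0x02   /* followed by a 16-byte class id (nested object data not modelled) */
#define CLSID_LEN  16

typedef struct {
    uint8_t clsid[CLSID_LEN];
    const char *name;
    int kill_bit;      /* models IE "Compatibility Flags" 0x400 for this class */
    int instantiated;  /* how many times the class was created */
} class_entry;

/* Constructed class table with made-up ids: one ordinary control and one
 * that an administrator has kill-bitted. */
static class_entry g_classes[] = {
    { {0xA1,0xA1,0xA1,0xA1,0,0,0,0,0,0,0,0,0,0,0,0}, "HarmlessAtlControl", 0, 0 },
    { {0xB2,0xB2,0xB2,0xB2,0,0,0,0,0,0,0,0,0,0,0,0}, "KillBittedControl",  1, 0 },
};
#define N_CLASSES (sizeof g_classes / sizeof g_classes[0])

static class_entry *find_class(const uint8_t *clsid) {
    for (size_t i = 0; i < N_CLASSES; i++)
        if (memcmp(g_classes[i].clsid, clsid, CLSID_LEN) == 0) return &g_classes[i];
    return NULL;
}

static class_entry *find_class_by_name(const char *name) {
    for (size_t i = 0; i < N_CLASSES; i++)
        if (strcmp(g_classes[i].name, name) == 0) return &g_classes[i];
    return NULL;
}

/* Stand-in for CoCreateInstance: registry lookup and creation, no browser policy. */
static int co_create_instance(const uint8_t *clsid) {
    class_entry *c = find_class(clsid);
    if (c == NULL) return -1;        /* class not registered */
    c->instantiated++;
    return 0;
}

/* Stand-in for IE instantiating an <object>: the kill bit is enforced here. */
int ie_create_control(const uint8_t *clsid) {
    class_entry *c = find_class(clsid);
    if (c == NULL) return -1;
    if (c->kill_bit) return -2;      /* refused: kill bit set */
    return co_create_instance(clsid);
}

/* Stand-in for OleLoadFromStream: takes a class id from attacker-controlled
 * data and creates it. With enforce_kill_bit == 0 it goes straight to the
 * creation routine, which is the path the kill bit never sees. */
static int ole_load_from_stream(const uint8_t *s, size_t n, size_t *pos, int enforce_kill_bit) {
    if (n - *pos < CLSID_LEN) return -1;   /* truncated class id */
    const uint8_t *clsid = s + *pos;
    *pos += CLSID_LEN;
    return enforce_kill_bit ? ie_create_control(clsid) : co_create_instance(clsid);
}

/* Stand-in for a control's IPersistStreamInit::Load over its <param> data: a
 * sequence of tagged properties. Field lengths are bounds-checked; the only
 * variable is whether nested object loads honour the kill bit. */
int atl_control_load(const uint8_t *s, size_t n, int enforce_kill_bit) {
    size_t pos = 0;
    while (pos < n) {
        uint8_t tag = s[pos++];
        if (tag == TAG_END) return 0;
        if (tag == TAG_STRING) {
            if (pos >= n) return -1;
            uint8_t len = s[pos++];
            if (n - pos < len) return -1;   /* string runs past the end of the stream */
            pos += len;
        } else if (tag == TAG_OBJECT) {
            int rc = ole_load_from_stream(s, n, &pos, enforce_kill_bit);
            if (rc != 0) return rc;
        } else {
            return -1;                      /* unknown tag */
        }
    }
    return -1;                              /* no TAG_END */
}

/* Constructed hostile initialization data: a harmless string property, then
 * an object property naming the kill-bitted class. Returns bytes written. */
size_t build_hostile_stream(uint8_t *out, size_t cap) {
    const char text[] = "hello";
    size_t tlen = sizeof text - 1, need = 1 + 1 + tlen + 1 + CLSID_LEN + 1;
    if (cap < need) return 0;
    size_t p = 0;
    out[p++] = TAG_STRING;
    out[p++] = (uint8_t)tlen;
    memcpy(out + p, text, tlen); p += tlen;
    out[p++] = TAG_OBJECT;
    memcpy(out + p, g_classes[1].clsid, CLSID_LEN); p += CLSID_LEN;
    out[p++] = TAG_END;
    return p;
}

/* IE asked to load the named class directly via an <object> tag. */
int direct_object_tag(const char *name) {
    class_entry *c = find_class_by_name(name);
    return c ? ie_create_control(c->clsid) : -1;
}

/* The harmless control is loaded by IE and then handed the hostile <param> data. */
int nested_load(int enforce_kill_bit) {
    uint8_t buf[64];
    size_t n = build_hostile_stream(buf, sizeof buf);
    if (ie_create_control(g_classes[0].clsid) != 0) return -1;
    return atl_control_load(buf, n, enforce_kill_bit);
}

int instantiations(const char *name) {
    class_entry *c = find_class_by_name(name);
    return c ? c->instantiated : -1;
}

int main(void) {
    printf("direct <object> on kill-bitted class: rc=%d\n", direct_object_tag("KillBittedControl"));
    int rc = nested_load(0);
    printf("vulnerable nested load: rc=%d, created %d time(s)\n", rc, instantiations("KillBittedControl"));
    rc = nested_load(1);
    printf("mitigated nested load: rc=%d, created %d time(s)\n", rc, instantiations("KillBittedControl"));
    return 0;
}
```

The model makes the practical caveat concrete: before the MS09-034 mitigation, setting a kill bit on a dangerous control did not stop it from being loaded through the initialization data of some other, kill-bit-free control built with a vulnerable ATL. The nested_load(1) path stands in for the Internet Explorer update, which blocks the unsafe data pattern in the browser; it does not stand in for MS09-035, which removes the flaw only once each control is rebuilt.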
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- |
Temporal | 0 | E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND) |
Environmental | 0 | CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND) |
References
- http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx
- http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
- http://www.microsoft.com/security/atl.aspx
- http://blogs.technet.com/msrc/archive/2009/07/28/microsoft-security-advisory-973882-microsoft-security-bulletins-ms09-034-and-ms09-035-released.aspx
- http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx
- http://blogs.technet.com/ecostrat/archive/2009/07/27/threat-complexity-requires-new-levels-of-collaboration.aspx
- http://www.microsoft.com/technet/security/advisory/973882.mspx
- http://msdn.microsoft.com/en-us/library/ms680103(VS.85).aspx
- http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx
- http://msdn.microsoft.com/en-us/library/t9adwcde(VS.80).aspx
- http://support.microsoft.com/kb/168371
- http://support.microsoft.com/kb/240797
- http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html
- http://www.adobe.com/support/security/advisories/apsa09-04.html
- http://www.adobe.com/support/security/bulletins/apsb09-10.html
- http://www.adobe.com/support/security/bulletins/apsb09-11.html
- http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html
- http://blogs.technet.com/srd/archive/2009/07/28/msvidctl-ms09-032-and-the-atl-vulnerability.aspx
- http://blogs.technet.com/srd/archive/2009/07/28/atl-vulnerability-developer-deep-dive.aspx
- http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx
- http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx
- http://blogs.technet.com/bluehat/archive/2009/07/27/black-hat-usa-atl-killbit-bypass.aspx
- http://support.softartisans.com/kbview.aspx?ID=1331
Acknowledgements
Thanks to Microsoft for reporting this vulnerability. Microsoft in turn credits David Dewey of IBM ISS X-Force and Ryan Smith of Verisign iDefense Labs.
This document was written by Will Dormann.
Other Information
Field | Value |
---|---|
CVE IDs | CVE-2009-0901, CVE-2009-2493, CVE-2009-2495 |
Severity Metric | 47.08 |
Date Public | 2009-07-09 |
Date First Published | 2009-07-28 |
Date Last Updated | 2010-02-24 15:28 UTC |
Document Revision | 44 |