The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Windows, IE, OE, Media: code execution via ATL

Synthesis of the vulnerability 

Several vulnerabilities of Microsoft ATL (Active Template Library) impact Microsoft products.
Impacted products: IE, OE, Windows 2000, Windows 2003, Windows 2008 R0, Windows (platform) ~ not comprehensive, Windows Vista, Windows XP.
Severity of this bulletin: 4/4.
Number of vulnerabilities in this bulletin: 5.
Creation date: 12/08/2009.
References of this threat: 973908, BID-35558, BID-35982, CERTA-2009-AVI-278, CERTA-2009-AVI-300, CERTA-2009-AVI-325, CERTA-2009-AVI-435, CERTA-2009-AVI-440, CERTA-2009-AVI-516, CERTA-2009-AVI-538, CERTA-2010-AVI-083, CVE-2008-0015, CVE-2008-0020, CVE-2009-0901, CVE-2009-2493, CVE-2009-2494, MS09-037, VIGILANCE-VUL-8937, VU#180513.

Description of the vulnerability 

The Visual Studio development environment provides the ATL (Active Template Library) library, which is used to create ActiveX controls and contains several vulnerabilities described in VIGILANCE-VUL-8895. Several ActiveX controls produced by Microsoft are linked to ATL, and are thus also impacted by these vulnerabilities. Moreover, some products are linked to a private version of ATL and are impacted by vulnerabilities which do not impact the public version shipped with Visual Studio.

The Microsoft Video ActiveX control is linked to a private version of ATL, which contains a vulnerability in the CComVariant::ReadFromStream() function. This vulnerability leads to code execution, and was described in VIGILANCE-VUL-8841. [severity:4/4; BID-35558, CERTA-2009-AVI-278, CERTA-2009-AVI-325, CVE-2008-0015, VU#180513]

The Microsoft Video ActiveX control is linked to a private version of ATL, which contains a vulnerability in the IPersistStreamInit::Load() function. This vulnerability leads to code execution. [severity:4/4; CVE-2008-0020]

Several Microsoft ActiveX controls are linked to the public version of ATL, and are thus impacted by the CVE-2009-0901 vulnerability described in VIGILANCE-VUL-8895, which can be used to execute code. [severity:4/4; CERTA-2009-AVI-300, CERTA-2009-AVI-440, CERTA-2009-AVI-516, CERTA-2010-AVI-083, CVE-2009-0901]

Several Microsoft ActiveX controls are linked to the public version of ATL, and are thus impacted by the CVE-2009-2493 vulnerability described in VIGILANCE-VUL-8895, which can be used to instantiate all ActiveX controls (even those with the Kill Bit set). [severity:4/4; CERTA-2009-AVI-435, CERTA-2009-AVI-538, CVE-2009-2493]

Several Microsoft ActiveX controls are linked to a private version of ATL, which contains a vulnerability in the handling of Variants, and leads to code execution. [severity:4/4; BID-35982, CVE-2009-2494]

An attacker can therefore create an HTML page containing one of these ActiveX controls in order to execute code on the victim's computer.

This computer threat announcement impacts software or systems such as IE, OE, Windows 2000, Windows 2003, Windows 2008 R0, Windows (platform) ~ not comprehensive, Windows Vista, Windows XP.

Our Vigil@nce team determined that the severity of this computer vulnerability is critical.

The trust level is of type "confirmed by the editor", with an origin of "document".

This bulletin is about 5 vulnerabilities.

An attacker with an expert ability can exploit this cybersecurity alert.

Solutions for this threat 

Windows, IE, OE, Media: patch for ATL.
The Microsoft announcement indicates patches and workarounds.

Windows: workaround for ATL.
The 973882 document is a synthesis of ATL workarounds.