The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer vulnerability announce CVE-2008-0015 CVE-2008-0020 CVE-2009-0901

Windows, IE, OE, Media: code execution via ATL

Synthesis of the vulnerability

Several vulnerabilities of Microsoft ATL (Active Template Library) impact Microsoft products.
Impacted products: IE, OE, Windows 2000, Windows 2003, Windows 2008 R0, Windows (platform) ~ not comprehensive, Windows Vista, Windows XP.
Severity of this bulletin: 4/4.
Consequences of an intrusion: user access/rights.
Hacker's origin: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 12/08/2009.
Références of this threat: 973908, BID-35558, BID-35982, CERTA-2009-AVI-278, CERTA-2009-AVI-300, CERTA-2009-AVI-325, CERTA-2009-AVI-435, CERTA-2009-AVI-440, CERTA-2009-AVI-516, CERTA-2009-AVI-538, CERTA-2010-AVI-083, CVE-2008-0015, CVE-2008-0020, CVE-2009-0901, CVE-2009-2493, CVE-2009-2494, MS09-037, VIGILANCE-VUL-8937, VU#180513.

Description of the vulnerability

The Visual Studio development environment provides the ATL (Active Template Library) library, which is used to create ActiveX, and contains several vulnerabilities described in VIGILANCE-VUL-8895. Several ActiveX produced by Microsoft are linked to ATL, and are thus also impacted by these vulnerabilities. Moreover, some products are linked to a private version of ATL and are impacted by vulnerabilities which do not impact the public version of Visual Studio.

The Microsoft Video ActiveX is linked to a private version of ATL, which contains a vulnerability in the CComVariant::ReadFromStream() function. This vulnerability leads to code execution, and was described in VIGILANCE-VUL-8841. [severity:4/4; BID-35558, CERTA-2009-AVI-278, CERTA-2009-AVI-325, CVE-2008-0015, VU#180513]

The Microsoft Video ActiveX is linked to a private version of ATL, which contains a vulnerability in the IPersistStreamInit::Load() function. This vulnerability leads to code execution. [severity:4/4; CVE-2008-0020]

Several Microsoft ActiveX are linked to the public version of ATL, and are thus impacted by the CVE-2009-0901 vulnerability described in VIGILANCE-VUL-8895, which can be used to execute code. [severity:4/4; CERTA-2009-AVI-300, CERTA-2009-AVI-440, CERTA-2009-AVI-516, CERTA-2010-AVI-083, CVE-2009-0901]

Several Microsoft ActiveX are linked to the public version of ATL, and are thus impacted by the CVE-2009-2493 vulnerability described in VIGILANCE-VUL-8895, which can be used to instanciate all ActiveX (even those with the Kill Bit). [severity:4/4; CERTA-2009-AVI-435, CERTA-2009-AVI-538, CVE-2009-2493]

Several Microsoft ActiveX are linked to a private version of ATL, which contains a vulnerability in the handling of Variants, and leads to code execution. [severity:4/4; BID-35982, CVE-2009-2494]

An attacker can therefore create an HTML page containing one of these ActiveX in order to execute code on victim's computer.
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides network vulnerability alerts. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.