ActiveX controls built with Microsoft ATL fail to properly handle initialization data

Overview

ActiveX controls that are built using a Microsoft ATL template may fail to properly handle initialization data, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Microsoft Active Template Library (ATL) is a set of C++ classes that are designed to simplify the creation of COM objects and ActiveX controls. An ActiveX control can be designated as “safe for scripting,” which means that it can be used by an untrusted caller such as JavaScript in a web page, and/or it may be designated as “safe for initialization,” which means that it can accept untrusted initialization data. ActiveX controls that are developed using the Microsoft ATL technology may fail to properly handle initialization data. The specific vulnerabilities include the use of uninitialized objects, unsafe usage of OleLoadFromStream, and the failure to check for a terminating NULL character. This may result in memory corruption that can be leveraged to execute code, or it may bypass Internet Explorer kill bit restrictions on unsafe controls.

---

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.

---

Solution

Apply an update

This vulnerability has been addressed in the update for Internet Explorer provided in Microsoft Security Bulletin MS09-034. This update helps prevent ActiveX controls that were built with the vulnerable ATL versions from being initialized with unsafe data patterns in Internet Explorer. This also includes techniques that can be used to bypass the kill bit in Internet Explorer.

Update and recompile ActiveX controls

Developers who have created ActiveX controls using Microsoft ATL should install the update for Microsoft Security Bulletin MS09-035 and recompile the ActiveX controls. This will cause the controls to use an updated ATL version that addresses these vulnerabilities.

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the “Securing Your Web Browser” document.

---

Vendor Information

456745

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Adobe __ Affected

Updated: July 30, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

• <http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html&gt;
• <http://www.adobe.com/support/security/bulletins/apsb09-10.html&gt;

Addendum

Please see the Adobe PSIRT blog entry: Impact of Microsoft ATL vulnerability on Adobe Products. Adobe has relased APSB09-11 for Shockwave Player and APSB09-10 for Flash Player.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23456745 Feedback>).

Aurigma Inc. Affected

Notified: July 28, 2009 Updated: July 29, 2009

Statement Date: July 29, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cisco Systems, Inc. __ Affected

Notified: July 28, 2009 Updated: July 29, 2009

Statement Date: July 29, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Cisco Systems has published Cisco Security Advisory cisco-sa-20090728-activex in response to this issue. Users of the affected product(s) should review this advisory and apply the mitigations it describes.

F5 Networks, Inc. __ Affected

Notified: July 28, 2009 Updated: July 29, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

FirePass Controls for 5.5,5.5.1,5.5.2, 6.02, and 6.03; SAM 8.0 Controls are affected.

Microsoft Corporation __ Affected

Updated: July 28, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

• <http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx&gt;
• <http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx&gt;

Addendum

Apply an update

This vulnerability has been addressed in the update for Internet Explorer provided in Microsoft Security Bulletin MS09-034. This update helps prevent ActiveX controls that were built with the vulnerable ATL versions from being initialized with unsafe data patterns in Internet Explorer. This also includes techniques that can be used to bypass the kill bit in Internet Explorer.

Update and recompile ActiveX controls

Developers who have created ActiveX controls using Microsoft ATL should install the update for Microsoft Security Bulletin MS09-035 and recompile the ActiveX controls. This will cause the controls to use an updated ATL version that addresses these vulnerabilities.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23456745 Feedback>).

OSISoft __ Affected

Updated: August 04, 2009

Statement Date: August 03, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

• <http://techsupport.osisoft.com/Bulletins/4/7b5d4995-a2ae-4c14-b375-f4ad059d3d2c.htm&gt;

Addendum

Please see the OSISoft Security Alert for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23456745 Feedback>).

SoftArtisans, Inc __ Affected

Notified: July 28, 2009 Updated: February 24, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Please see SoftArtisans support document 1331.

Vendor References

• <http://support.softartisans.com/kbview.aspx?ID=1331&gt;

SonicWall __ Affected

Notified: July 28, 2009 Updated: October 28, 2009

Statement Date: July 30, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The XTSAC.cab file, which is used in the SSL-VPN 200, 2000 and 4000 products for IE browser-based RDP connections is affected by the issue.

SonicWALL has addressed VU#456745 for the following products at the specified firmware version:

SSL-VPN 200: 3.5.0.2-7sv (posted 9/16/2009)
SSL-VPN 2000/4000: 3.5.0.11-29sv (posted 9/16/2009)

Sun Microsystems, Inc. __ Affected

Updated: August 05, 2009

Statement Date: August 05, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

• <http://sunsolve.sun.com/search/document.do?assetkey=1-66-264648-1&gt;

Addendum

Please see Sun Alert 264648 for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23456745 Feedback>).

Apple Inc. __ Not Affected

Notified: July 28, 2009 Updated: July 31, 2009

Status

Not Affected

Vendor Statement

No Apple products are affected by the ATL issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation Not Affected

Notified: July 28, 2009 Updated: July 29, 2009

Statement Date: July 28, 2009

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

LogicNP __ Not Affected

Notified: July 28, 2009 Updated: July 30, 2009

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

This issue does not affect us since our ActiveX controls are based on MFC and do not use ATL templates.

VanDyke Software __ Not Affected

Notified: July 28, 2009 Updated: August 04, 2009

Statement Date: July 31, 2009

Status

Not Affected

Vendor Statement

Our development team has confirmed that VU#456745 does not affect any of our products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Alcatel-Lucent Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

America Online, Inc. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Attachmate Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Axis Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

BT Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Business Objects Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Callisto Corporation Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Computer Associates eTrust Security Management Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Computer Emergency Response Team Brazil Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Corel Corporation Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

E-Book Systems Inc. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ESET, LLC. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Electronic Arts Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GOVCERT-NL Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GameTap-Turner Broadcasting subsidiary Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gracenote Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Husdawg Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Iconics, Inc. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IncrediMail Ltd. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infotriever, Inc. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

InterActual Technologies, Inc. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intuit, Inc. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Kodak Easy Share Gallery Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lenovo Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

LizardTech, Inc Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lotus Software Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Media Technology Group Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Motive Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Move Networks, Inc. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Namzak Labs Inc. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Oracle Corporation Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

PNI Digital Media Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Panda Software Ltd. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Radiant Systems Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

RealNetworks, Inc. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Research in Motion (RIM) Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SAP Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ScriptLogic Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Siemens Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Simba Technologies Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SupportSoft, Inc. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SwiftView Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Symantec Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Trend Micro Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unigraphics Solutions Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View22 Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

WeOnlyDo! Software Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

WinZip Computing, Inc. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Worldspan Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Xerox Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Yahoo, Inc. Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

eBay Unknown

Notified: July 28, 2009 Updated: July 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 70 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base	0	AV:–/AC:–/Au:–/C:–/I:–/A:–
Temporal	0	E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND)
Environmental	0	CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND)

References

• <http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx&gt;
• <http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx&gt;
• <http://www.microsoft.com/security/atl.aspx&gt;
• <http://blogs.technet.com/msrc/archive/2009/07/28/microsoft-security-advisory-973882-microsoft-security-bulletins-ms09-034-and-ms09-035-released.aspx&gt;
• <http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx&gt;
• <http://blogs.technet.com/ecostrat/archive/2009/07/27/threat-complexity-requires-new-levels-of-collaboration.aspx&gt;
• <http://www.microsoft.com/technet/security/advisory/973882.mspx&gt;
• <http://msdn.microsoft.com/en-us/library/ms680103(VS.85).aspx&gt;
• <http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx&gt;
• <http://msdn.microsoft.com/en-us/library/t9adwcde(VS.80).aspx&gt;
• <http://support.microsoft.com/kb/168371&gt;
• <http://support.microsoft.com/kb/240797&gt;
• <http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html&gt;
• <http://www.adobe.com/support/security/advisories/apsa09-04.html&gt;
• <http://www.adobe.com/support/security/bulletins/apsb09-10.html&gt;
• <http://www.adobe.com/support/security/bulletins/apsb09-11.html&gt;
• <http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html&gt;
• <http://blogs.technet.com/srd/archive/2009/07/28/msvidctl-ms09-032-and-the-atl-vulnerability.aspx&gt;
• <http://blogs.technet.com/srd/archive/2009/07/28/atl-vulnerability-developer-deep-dive.aspx&gt;
• <http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx&gt;
• <http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx&gt;
• <http://blogs.technet.com/bluehat/archive/2009/07/27/black-hat-usa-atl-killbit-bypass.aspx&gt;
• <http://support.softartisans.com/kbview.aspx?ID=1331&gt;

Acknowledgements

Thanks to Microsoft for reporting this vulnerability, who in turn credit David Dewey of IBM ISS X-Force and Ryan Smith of Verisign iDefense labs.

This document was written by Will Dormann.

Other Information

CVE IDs:	CVE-2009-0901, CVE-2009-2493, CVE-2009-2495
Severity Metric:	47.08 Date Public: