Added: 08/24/2009
CVE: CVE-2009-2494
BID: 35982
OSVDB: 56910
Microsoft Visual Studio is a product to assist with software development in the Windows operating system. Visual Studio uses Microsoft Active Template Library (ATL), which is a set of template-based C++ classes, to help simplify the programming of Component Object Model (COM) objects.
Microsoft ATL allows command execution due to an erroneous free operation after a program reads a variant from a stream and deletes this variant.
Apply the patch referenced in Microsoft Security Bulletin 09-037.
<http://www.microsoft.com/technet/security/bulletin/MS09-037.mspx>
Exploit works on Windows XP SP3 and requires a user to open the exploit page in Internet Explorer 6.
On the target machine, “Initialize and Script ActiveX controls not marked as safe” must be enabled in the Security Settings for Internet Explorer.
Windows XP