Visual Studio Active Template Library uninitialized object

Added: 07/30/2009
CVE: CVE-2009-0901
BID: 35832
OSVDB: 56696

Background

Microsoft Visual Studio is a product to assist with software development in the Windows operating system. Visual Studio uses Microsoft Active Template Library (ATL), which is a set of template-based C++ classes, to help simplify the programming of Component Object Model (COM) objects.

Problem

A flaw in the way the Microsoft Active Template Library (ATL) handles certain ATL headers could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized, leading to command execution when a user opens a specially crafted web page.

Resolution

Apply the patch referenced in Microsoft Security Bulletin 09-035.

References

<http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx&gt;

Limitations

Exploit works on Microsoft Visual Studio 2005 and requires a user to load the exploit page in Internet Explorer 6 or 7. In order for the exploit to succeed, Internet Explorer must have the option “Initialize and script ActiveX controls not marked as safe” set to “Enable”, because the affected ActiveX control is marked not safe. Also note that, due to the nature of the vulnerability, the exploit only works when the exploit server is specified as an IP address rather than a host/domain name.

Platforms

Windows XP