{"id": "SECURITYVULNS:DOC:23226", "bulletinFamily": "software", "title": "[security bulletin] HPSBMA02488 SSRT100013 rev.1 - HP ProLiant Support Pack 8.30 for Windows, Remote Code Execution, Information Disclosure", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c01997644\r\nVersion: 1\r\n\r\nHPSBMA02488 SSRT100013 rev.1 - HP ProLiant Support Pack 8.30 for Windows, Remote Code Execution,\r\nInformation Disclosure\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2010-02-10\r\nLast Updated: 2010-02-10\r\n\r\nPotential Security Impact: Remote code execution, information disclosure\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP ProLiant Support Pack 8.30 for\r\nWindows. The vulnerabilities could be exploited remotely to execute code and to gain unauthorized\r\naccess to information.\r\n\r\nReferences: CVE-2009-0901, CVE-2009-2493, 2009-2495, MS09-035\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP ProLiant Support Pack 8.30 for Windows.\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2009-0901 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2009-2493 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2009-2495 (AV:N/AC:L/Au:N/C:C/I:N/A:N) 7.8\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nThe HP ProLiant Support Pack 8.30 for Windows installs versions of Microsoft Visual C++ that require\r\nsecurity updates.\r\n\r\nTo resolve the vulnerabilities:\r\nAfter installing HP ProLiant Support Pack 8.30 for Windows install the updates recommended by\r\nMicrosoft in KB973923 and KB973924.\r\n\r\nPRODUCT SPECIFIC INFORMATION\r\n\r\nNone\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 10 February 2010 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be installed on systems running\r\nHP software products should be applied in accordance with the customer's patch management policy.\r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email to:\r\nsecurity-alert@hp.com\r\nIt is strongly recommended that security related information being communicated to HP be encrypted\r\nusing PGP, especially exploit information.\r\nTo get the security-alert PGP key, please send an e-mail message as follows:\r\n To: security-alert@hp.com\r\n Subject: get key\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletins via Email:\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your ITRC security bulletins and patches\r\n -check ALL categories for which alerts are required and continue.\r\nUnder Step2: your ITRC operating systems\r\n -verify your operating system selections are checked and save.\r\n\r\nTo update an existing subscription: http://h30046.www3.hp.com/subSignIn.php\r\nLog in on the web page: Subscriber's choice for Business: sign-in.\r\nOn the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate\r\nsections.\r\n\r\nTo review previously published Security Bulletins visit:\r\nhttp://www.itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software Product Category that this Security Bulletin\r\nrelates to is represented by the 5th and 6th characters\r\nof the Bulletin number in the title:\r\n\r\nGN = HP General SW\r\nMA = HP Management Agents\r\nMI = Misc. 3rd Party SW\r\nMP = HP MPE/iX\r\nNS = HP NonStop Servers\r\nOV = HP OpenVMS\r\nPI = HP Printing & Imaging\r\nST = HP Storage SW\r\nTL = HP Trusted Linux\r\nTU = HP Tru64 UNIX\r\nUX = HP-UX\r\nVV = HP VirtualVault\r\n\r\nSystem management and security procedures must be reviewed frequently to maintain system integrity. HP\r\nis continually reviewing and enhancing the security features of software products to provide customers\r\nwith current secure solutions.\r\n\r\n"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the\r\naffected HP products the important security information contained in this Bulletin. HP recommends that\r\nall users determine the applicability of this information to their individual situations and take\r\nappropriate action. HP does not warrant that this information is necessarily accurate or complete for\r\nall user situations and, consequently, HP will not be responsible for any damages resulting from user's\r\nuse or disregard of the information provided in this Bulletin. To the extent permitted by law, HP\r\ndisclaims all warranties, either express or implied, including the warranties of merchantability and\r\nfitness for a particular purpose, title and non-infringement."\r\n\r\nCopyright 2009 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained\r\nherein. The information provided is provided "as is" without warranty of any kind. To the extent\r\npermitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost profits;damages relating to\r\nthe procurement of substitute products or services; or damages for loss of data, or software\r\nrestoration. The information in this document is subject to change without notice. Hewlett-Packard\r\nCompany and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard\r\nCompany in the United States and other countries. Other product and company names mentioned herein may\r\nbe trademarks of their respective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niEYEARECAAYFAktzCOwACgkQ4B86/C0qfVk+PwCghIKI6lieAia+RQQhw89LmnZ9\r\nuh0An35CItncXdnhTUcoSsnTaaLcHfcP\r\n=7ig3\r\n-----END PGP SIGNATURE-----", "published": "2010-02-12T00:00:00", "modified": "2010-02-12T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23226", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2009-2495", "CVE-2009-2493", "CVE-2009-0901"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:33", "edition": 1, "viewCount": 10, "enchantments": {"score": {"value": 7.8, "vector": "NONE"}, "dependencies": {"references": [{"type": "cert", "idList": ["VU:456745"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2008-035", "CPAI-2009-121", "CPAI-2009-179", "CPAI-2009-198", "CPAI-2009-410"]}, {"type": "checkpoint_security", "idList": ["CPS:SK42545"]}, {"type": "cve", "idList": ["CVE-2009-0901", "CVE-2009-2493", "CVE-2009-2495"]}, {"type": "f5", "idList": ["SOL10441"]}, {"type": "freebsd", "idList": ["C97D7A37-2233-11DF-96DD-001B2134EF46"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/ADOBE-FLASH-APSB09-10-CVE-2009-0901/", "MSF:ILITIES/ADOBE-FLASH-APSB09-10-CVE-2009-2493/", "MSF:ILITIES/ADOBE-FLASH-APSB09-10-CVE-2009-2495/"]}, {"type": "mskb", "idList": ["KB969706", "KB973525", "KB973908"]}, {"type": "nessus", "idList": ["5339.PRM", "FLASH_PLAYER_APSB09_10.NASL", "FREEBSD_PKG_C97D7A37223311DF96DD001B2134EF46.NASL", "OPENOFFICE_32.NASL", "SHOCKWAVE_PLAYER_APSB09_11.NASL", "SMB_NT_MS09-035.NASL", "SMB_NT_MS09-037.NASL", "SMB_NT_MS09-055.NASL", "SMB_NT_MS09-060.NASL", "SMB_NT_MS09-072.NASL", "SUSE9_12564.NASL", "SUSE_11_0_FLASH-PLAYER-090731.NASL", "SUSE_11_1_FLASH-PLAYER-090731.NASL", "SUSE_11_FLASH-PLAYER-090731.NASL", "SUSE_11_JAVA-1_6_0-IBM-091102.NASL", "SUSE_FLASH-PLAYER-6386.NASL", "SUSE_FLASH-PLAYER-6387.NASL", "SUSE_JAVA-1_5_0-IBM-6740.NASL", "SUSE_JAVA-1_5_0-IBM-6741.NASL", "WIN_SERVER_2008_NTLM_PCI.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:101100", "OPENVAS:1361412562310101100", "OPENVAS:136141256231066230", "OPENVAS:136141256231067053", "OPENVAS:1361412562310800727", "OPENVAS:1361412562310900809", "OPENVAS:1361412562310900880", "OPENVAS:1361412562310901040", "OPENVAS:66230", "OPENVAS:67053", "OPENVAS:800727", "OPENVAS:900809", "OPENVAS:900880", "OPENVAS:901040"]}, {"type": "saint", "idList": ["SAINT:76621B577D4A780FDF09854B31FC808F", "SAINT:8FBDF77614BE31A34B6C4E1E6703BBDA", "SAINT:98D7C8B136A847C4C1DF04E6AD6474E2", "SAINT:E5E9F70E1B7AAA88D827C4D32190B250"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22231", "SECURITYVULNS:DOC:22297", "SECURITYVULNS:DOC:22350", "SECURITYVULNS:DOC:22351", "SECURITYVULNS:DOC:22612", "SECURITYVULNS:DOC:22613", "SECURITYVULNS:DOC:22881", "SECURITYVULNS:VULN:10106", "SECURITYVULNS:VULN:10453"]}, {"type": "seebug", "idList": ["SSV:11913", "SSV:11914", "SSV:11915"]}, {"type": "suse", "idList": ["SUSE-SA:2009:041", "SUSE-SA:2009:053", "SUSE-SA:2010:002"]}, {"type": "threatpost", "idList": ["THREATPOST:DA06EE238F79D261C0FCB61902F3CDBD"]}]}, "backreferences": {"references": [{"type": "cert", "idList": ["VU:456745"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2009-198"]}, {"type": "checkpoint_security", "idList": ["CPS:SK42545"]}, {"type": "cve", "idList": ["CVE-2009-0901"]}, {"type": "f5", "idList": ["SOL10441"]}, {"type": "freebsd", "idList": ["C97D7A37-2233-11DF-96DD-001B2134EF46"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/ADOBE-FLASH-APSB09-10-CVE-2009-2493/"]}, {"type": "mskb", "idList": ["KB969706", "KB973525"]}, {"type": "nessus", "idList": ["FLASH_PLAYER_APSB09_10.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:900809"]}, {"type": "saint", "idList": ["SAINT:98D7C8B136A847C4C1DF04E6AD6474E2"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:10616"]}, {"type": "seebug", "idList": ["SSV:11915"]}, {"type": "suse", "idList": ["SUSE-SA:2009:041"]}, {"type": "threatpost", "idList": ["THREATPOST:DA06EE238F79D261C0FCB61902F3CDBD"]}]}, "exploitation": null, "vulnersScore": 7.8}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}

{"nessus": [{"lastseen": "2021-08-19T13:06:17", "description": "One or more ActiveX controls included in Microsoft Outlook or Visio and installed on the remote Windows host was compiled with a version of Microsoft Active Template Library (ATL) that is affected by potentially several vulnerabilities :\n\n - An issue in the ATL headers could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized and, by supplying a corrupt stream, to execute arbitrary code.\n (CVE-2009-0901)\n\n - Unsafe usage of 'OleLoadFromStream' could allow instantiation of arbitrary objects which can bypass related security policy, such as kill bits within Internet Explorer. (CVE-2009-2493)\n\n - An attacker who is able to run a malicious component or control built using Visual Studio ATL can, by manipulating a string with no terminating NULL byte, read extra data beyond the end of the string and thus disclose information in memory. (CVE-2009-2495)", "cvss3": {"score": null, "vector": null}, "published": "2009-10-14T00:00:00", "type": "nessus", "title": "MS09-060: Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-0901", "CVE-2009-2493", "CVE-2009-2495"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS09-060.NASL", "href": "https://www.tenable.com/plugins/nessus/42116", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(42116);\n script_version(\"1.30\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2009-0901\", \"CVE-2009-2493\", \"CVE-2009-2495\");\n script_bugtraq_id(35828, 35830, 35832);\n script_xref(name:\"MSFT\", value:\"MS09-060\");\n script_xref(name:\"MSKB\", value:\"972363\");\n script_xref(name:\"MSKB\", value:\"973709\");\n script_xref(name:\"CERT\", value:\"456745\");\n\n script_name(english:\"MS09-060: Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)\");\n script_summary(english:\"Checks version of various files\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through Microsoft\nOffice ActiveX controls.\");\n script_set_attribute(attribute:\"description\", value:\n\"One or more ActiveX controls included in Microsoft Outlook or Visio\nand installed on the remote Windows host was compiled with a version\nof Microsoft Active Template Library (ATL) that is affected by\npotentially several vulnerabilities :\n\n - An issue in the ATL headers could allow an attacker to\n force VariantClear to be called on a VARIANT that has\n not been correctly initialized and, by supplying a\n corrupt stream, to execute arbitrary code.\n (CVE-2009-0901)\n\n - Unsafe usage of 'OleLoadFromStream' could allow\n instantiation of arbitrary objects which can bypass\n related security policy, such as kill bits within\n Internet Explorer. (CVE-2009-2493)\n\n - An attacker who is able to run a malicious component or\n control built using Visual Studio ATL can, by\n manipulating a string with no terminating NULL byte,\n read extra data beyond the end of the string and thus\n disclose information in memory. (CVE-2009-2495)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-060\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Microsoft Outlook 2002,\n2003, and 2007 as well as Visio Viewer 2007.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(94, 200, 264);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/10/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/10/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\n\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"audit.inc\");\n\ninclude(\"misc_func.inc\");\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS09-060';\nkbs = make_list(\"972363\", \"973709\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(1, \"KB 'SMB/Registry/Enumerated' not set to TRUE.\");\n\n\n# Determine the install path for Vision Viewer 2007.\nvisio_viewer_path = NULL;\n\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, \"smb_session_init\");\n\nhcf_init = TRUE;\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, \"IPC$\");\n}\n\n# Connect to remote registry.\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n audit(AUDIT_REG_FAIL);\n}\n\nkey = \"SOFTWARE\\Microsoft\\Office\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:\"InstallRoot\");\n if (value) visio_viewer_path = value[1];\n\n RegCloseKey(handle:key_h);\n}\nif (isnull(visio_viewer_path))\n{\n key = \"SOFTWARE\\Microsoft\\Office\\12.0\\Common\\InstallRoot\";\n key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\n if (!isnull(key_h))\n {\n value = RegQueryValue(handle:key_h, item:\"Path\");\n if (value) visio_viewer_path = value[1];\n\n RegCloseKey(handle:key_h);\n }\n}\nRegCloseKey(handle:hklm);\nNetUseDel(close:FALSE);\n\n\nvuln = 0;\n\nshare = '';\nlastshare = '';\naccessibleshare = FALSE;\n#Office\noutlook_paths = get_kb_list(\"SMB/Office/Outlook/*/Path\");\nif (!isnull(outlook_paths))\n{\n foreach install (keys(outlook_paths))\n {\n outlook_path = outlook_paths[install];\n share = hotfix_path2share(path:outlook_path);\n\n if (share != lastshare || !accessibleshare)\n {\n lastshare = share;\n if (is_accessible_share(share:share))\n {\n accessibleshare = TRUE;\n }\n else accessibleshare = FALSE;\n }\n if (accessibleshare)\n {\n # Outlook 2007\n if (\"12.0\" >< install)\n {\n if (hotfix_check_fversion(path:outlook_path, file:\"Outlmime.dll\", version:\"12.0.6514.5000\", min_version:\"12.0.0.0\", bulletin:bulletin, kb:'972363') == HCF_OLDER) vuln++;\n }\n # Outlook 2003\n else if (\"11.0\" >< install)\n {\n if (hotfix_check_fversion(path:outlook_path, file:\"Outllib.dll\", version:\"11.0.8313.0\", min_version:\"11.0.0.0\", bulletin:bulletin, kb:'973705') == HCF_OLDER) vuln++;\n }\n # Outlook 2002\n else if (\"10.0\" >< install)\n {\n if (hotfix_check_fversion(path:outlook_path, file:\"Outllib.dll\", version:\"10.0.6856.0\", min_version:\"10.0.0.0\", bulletin:bulletin, kb:'973702') == HCF_OLDER) vuln++;\n }\n }\n }\n}\n\n\n# Visio\n#\n# - Visio Viewer 2007.\nif (visio_viewer_path)\n{\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:visio_viewer_path);\n if (!is_accessible_share(share:share)) exit(1, \"Can't access '\"+share+\"' share.\");\n\n if (\n hotfix_check_fversion(path:visio_viewer_path, file:\"Vpreview.exe\", version:\"12.0.6513.5000\", min_version:\"12.0.0.0\", bulletin:bulletin, kb:'973709') == HCF_OLDER ||\n hotfix_check_fversion(path:visio_viewer_path, file:\"Vviewdwg.dll\", version:\"12.0.6500.5000\", min_version:\"12.0.0.0\", bulletin:bulletin, kb:'973709') == HCF_OLDER ||\n hotfix_check_fversion(path:visio_viewer_path, file:\"vviewer.dll\", version:\"12.0.6513.5000\", min_version:\"12.0.0.0\", bulletin:bulletin, kb:'973709') == HCF_OLDER\n ) vuln++;\n}\n# - nb: we don't check for Visio Viewer 2002 and 2003 because the\n# vulnerabilities are mitigated by applying MS09-034, and we\n# do have a check for that.\n\n\nif (vuln)\n{\n set_kb_item(name:\"SMB/Missing/MS09-060\", value:TRUE);\n hotfix_security_hole();\n\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:07:22", "description": "The remote Windows host contains a version of Adobe's Shockwave Player that is earlier than 11.5.0.601. Such versions were compiled against a version of Microsoft's Active Template Library (ATL) that contained a vulnerability. If an attacker can trick a user of the affected software into opening such a file, this issue could be leveraged to execute arbitrary code with the privileges of that user.", "cvss3": {"score": null, "vector": null}, "published": "2009-07-29T00:00:00", "type": "nessus", "title": "Shockwave Player < 11.5.0.601 Multiple Vulnerabilities (APSB09-11)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-0901", "CVE-2009-2495", "CVE-2009-2493"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:adobe:shockwave_player"], "id": "SHOCKWAVE_PLAYER_APSB09_11.NASL", "href": "https://www.tenable.com/plugins/nessus/40421", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('compat.inc');\n\n\nif (description)\n{\n script_id(40421);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id('CVE-2009-0901', 'CVE-2009-2495', 'CVE-2009-2493');\n script_bugtraq_id(35845);\n\n script_name(english:'Shockwave Player < 11.5.0.601 Multiple Vulnerabilities (APSB09-11)');\n script_summary(english:'Checks version of Shockwave Player');\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains an Internet Explorer plugin which\nuses a vulnerable version of the Microsoft Active Template Library\n(ATL).\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host contains a version of Adobe's Shockwave Player\nthat is earlier than 11.5.0.601. Such versions were compiled against a\nversion of Microsoft's Active Template Library (ATL) that contained a\nvulnerability. If an attacker can trick a user of the affected\nsoftware into opening such a file, this issue could be leveraged to\nexecute arbitrary code with the privileges of that user.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.adobe.com/support/security/bulletins/apsb09-11.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Uninstall the Internet Explorer version of Shockwave Player version\n11.5.0.600 and earlier, restart the system, and then install version\n11.5.0.601 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(94, 200, 264);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:shockwave_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:'Windows');\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n\n script_dependencies('smb_hotfixes.nasl');\n script_require_keys('SMB/Registry/Enumerated');\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('global_settings.inc');\ninclude('smb_func.inc');\ninclude(\"audit.inc\");\n\n\n# Connect to the appropriate share.\nif (!get_kb_item('SMB/Registry/Enumerated')) exit(0, 'SMB/Registry/Enumerated KB item is missing.');\nname = kb_smb_name();\nport = kb_smb_transport();\n\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\n\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:'IPC$');\nif (rc != 1)\n{\n NetUseDel();\n exit(1, 'Can not connect to IPC$ share.');\n}\n\n# Connect to remote registry.\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n exit(1, 'Can not connect to remote registry.');\n}\n\n# Check whether it's installed.\nvariants = make_array();\n\n# - check for the ActiveX control.\nclsids = make_list(\n '{4DB2E429-B905-479A-9EFF-F7CBD9FD52DE}',\n '{233C1507-6A77-46A4-9443-F871F945D258}',\n '{166B1BCA-3F9C-11CF-8075-444553540000}' # used in versions <= 10.x.\n);\nforeach clsid (clsids)\n{\n key = 'SOFTWARE\\\\Classes\\\\CLSID\\\\' + clsid + '\\\\InprocServer32';\n key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\n if (!isnull(key_h))\n {\n item = RegQueryValue(handle:key_h, item:NULL);\n if (!isnull(item))\n {\n file = item[1];\n variants[file] = 'ActiveX';\n }\n RegCloseKey(handle:key_h);\n }\n}\n\nRegCloseKey(handle:hklm);\nif (max_index(keys(variants)) == 0)\n{\n NetUseDel();\n exit(0, 'Shockwave Player for Internet Explorer is not installed.');\n}\n\n# Determine the version of each instance found.\nfiles = make_array();\ninfo = '';\n\nforeach file (keys(variants))\n{\n # Don't report again if the name differs only in its case.\n if (files[tolower(file)]++) continue;\n\n variant = variants[file];\n\n share = ereg_replace(pattern:'^([A-Za-z]):.*', replace:'\\\\1$', string:file);\n file2 = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:'\\\\1', string:file);\n NetUseDel(close:FALSE);\n\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel();\n exit(1, 'Can not connect to '+share+' share.');\n }\n\n fh = CreateFile(\n file:file2,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n if (!isnull(fh))\n {\n ver = GetFileVersion(handle:fh);\n CloseFile(handle:fh);\n\n if (\n isnull(ver) ||\n (ver[0] == 0 && ver[1] == 0 && ver[2] == 0 && ver[3] == 0)\n )\n {\n NetUseDel();\n exit(1, \"Failed to get the file version from '\"+file+\"'.\");\n }\n\n if (\n ver[0] < 11 ||\n (\n ver[0] == 11 &&\n (\n ver[1] < 5 ||\n (ver[1] == 5 && ver[2] == 0 && ver[3] < 601)\n )\n )\n )\n {\n version = string(ver[0], '.', ver[1], '.', ver[2], '.', ver[3]);\n\n if (variant == 'ActiveX')\n {\n info += ' - ActiveX control (for Internet Explorer) :\\n';\n }\n\n info += ' ' + file + ', ' + version + '\\n';\n }\n }\n NetUseDel(close:FALSE);\n}\nNetUseDel();\n\n\nif (!info) exit(0, 'No vulnerable installs of Shockwave Player were found.');\n\nif (report_verbosity > 0)\n{\n # nb: each vulnerable instance adds 2 lines to 'info'.\n if (max_index(split(info)) > 2)\n shck = 's';\n else shck = '';\n\n report = string(\n '\\n',\n 'Nessus has identified the following vulnerable instance', shck, ' of Shockwave\\n',\n 'Player for Internet Explorer installed on the remote host :\\n',\n '\\n',\n info\n );\n security_hole(port:get_kb_item('SMB/transport'), extra:report);\n}\nelse security_hole(get_kb_item('SMB/transport'));\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:07:13", "description": "The remote Windows host contains a version of the Microsoft Active Template Library (ATL), included as part of Visual Studio or Visual C++, that is affected by multiple vulnerabilities :\n\n - On systems with components and controls installed that were built using Visual Studio ATL, an issue in the ATL headers could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized and, by supplying a corrupt stream, to execute arbitrary code. (CVE-2009-0901)\n\n - On systems with components and controls installed that were built using Visual Studio ATL, unsafe usage of OleLoadFromStream could allow instantiation of arbitrary objects that can bypass related security policy, such as kill bits within Internet Explorer.\n (CVE-2009-2493)\n\n - On systems with components and controls installed that were built using Visual Studio ATL, an issue in the ATL headers could allow a string to be read without a terminating NULL character, which could lead to disclosure of information in memory. (CVE-2009-2495)", "cvss3": {"score": null, "vector": null}, "published": "2009-07-30T00:00:00", "type": "nessus", "title": "MS09-035: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-0901", "CVE-2009-2493", "CVE-2009-2495"], "modified": "2020-08-05T00:00:00", "cpe": ["cpe:/a:microsoft:visual_studio", "cpe:/a:microsoft:visual_studio_.net", "cpe:/a:microsoft:visual_c%2b%2b"], "id": "SMB_NT_MS09-035.NASL", "href": "https://www.tenable.com/plugins/nessus/40435", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(40435);\n script_version(\"1.33\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/05\");\n\n script_cve_id(\"CVE-2009-0901\", \"CVE-2009-2493\", \"CVE-2009-2495\");\n script_bugtraq_id(35828, 35830, 35832);\n script_xref(name:\"MSFT\", value:\"MS09-035\");\n script_xref(name:\"MSKB\", value:\"973544\");\n script_xref(name:\"MSKB\", value:\"973551\");\n script_xref(name:\"MSKB\", value:\"973552\");\n script_xref(name:\"MSKB\", value:\"973675\");\n script_xref(name:\"IAVB\", value:\"2009-B-0033-S\");\n script_xref(name:\"CERT\", value:\"456745\");\n\n script_name(english:\"MS09-035: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)\");\n script_summary(english:\"Checks for Visual Studio / Visual C++ patches\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through Microsoft\nActive Template Library.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host contains a version of the Microsoft Active\nTemplate Library (ATL), included as part of Visual Studio or Visual\nC++, that is affected by multiple vulnerabilities :\n\n - On systems with components and controls installed that\n were built using Visual Studio ATL, an issue in the ATL\n headers could allow an attacker to force VariantClear\n to be called on a VARIANT that has not been correctly\n initialized and, by supplying a corrupt stream, to\n execute arbitrary code. (CVE-2009-0901)\n\n - On systems with components and controls installed that\n were built using Visual Studio ATL, unsafe usage of\n OleLoadFromStream could allow instantiation of\n arbitrary objects that can bypass related security\n policy, such as kill bits within Internet Explorer.\n (CVE-2009-2493)\n\n - On systems with components and controls installed that\n were built using Visual Studio ATL, an issue in the ATL\n headers could allow a string to be read without a\n terminating NULL character, which could lead to\n disclosure of information in memory. (CVE-2009-2495)\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-035\n script_set_attribute(attribute:\"see_also\", value:\"https://www.nessus.org/u?c30acf1f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Visual Studio .NET 2003,\nVisual Studio 2005 and 2008, as well as Visual C++ 2005 and 2008.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(94, 200, 264);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_studio\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_studio_.net\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_c++\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\nget_kb_item_or_exit(\"SMB/Registry/Uninstall/Enumerated\");\n\nbulletin = 'MS09-035';\nkbs = make_list(\"973544\", \"973551\", \"973552\", \"973675\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\n\nif (!get_kb_item(\"SMB/WindowsVersion\")) exit(1, \"SMB/WindowsVersion KB item is missing.\");\n\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Can't get system root.\");\n\ncommonfiles = hotfix_get_commonfilesdir();\n\nMAX_RECURSE = 3;\n\n\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, \"smb_session_init\");\nhcf_init = TRUE;\n\nfunction _list_dir(basedir, level, dir_pat, file_pat)\n{\n local_var contents, ret, subdirs, subsub;\n\n # nb: limit how deep we'll recurse.\n if (level > MAX_RECURSE) return NULL;\n\n subdirs = NULL;\n if (isnull(dir_pat)) dir_pat = \"\";\n ret = FindFirstFile(pattern:basedir + \"\\*\" + dir_pat + \"*\");\n\n contents = make_list();\n while (!isnull(ret[1]))\n {\n if (file_pat && ereg(pattern:file_pat, string:ret[1], icase:TRUE))\n contents = make_list(contents, basedir+\"\\\"+ret[1]);\n\n subsub = NULL;\n if (\".\" != ret[1] && \"..\" != ret[1] && level <= MAX_RECURSE)\n subsub = _list_dir(basedir:basedir+\"\\\"+ret[1], level:level+1, file_pat:file_pat);\n if (!isnull(subsub))\n {\n if (isnull(subdirs)) subdirs = make_list(subsub);\n else subdirs = make_list(subdirs, subsub);\n }\n ret = FindNextFile(handle:ret);\n }\n\n if (isnull(subdirs)) return contents;\n else return make_list(contents, subdirs);\n}\n\n\n# Returns the file version as a string, either from the KB or by\n# calling GetFileVersion(). Assumes we're already connected to the\n# correct share.\nfunction get_file_version()\n{\n local_var fh, file, ver, version;\n\n if (isnull(_FCT_ANON_ARGS[0])) return NULL;\n\n file = _FCT_ANON_ARGS[0];\n version = get_kb_item(\"SMB/FileVersions\"+tolower(str_replace(string:file, find:\"\\\", replace:\"/\")));\n if (isnull(version))\n {\n fh = CreateFile(\n file:file,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n if (!isnull(fh))\n {\n ver = GetFileVersion(handle:fh);\n CloseFile(handle:fh);\n if (!isnull(ver))\n {\n version = string(ver[0], \".\", ver[1], \".\", ver[2], \".\", ver[3]);\n set_kb_item(\n name:\"SMB/FileVersions\"+tolower(str_replace(string:file, find:\"\\\", replace:\"/\")),\n value:version\n );\n }\n }\n }\n return version;\n}\n\n\n\n#######################################################################\n# Check VC++ Redistributables.\n#######################################################################\ninstalls = make_array();\n\n# - Check if the redistributable is known to be installed; otherwise,\n# we'll generate a false positive against Visual Studio.\nlist = get_kb_list(\"SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName\");\nif (!isnull(list))\n{\n foreach name (keys(list))\n {\n prod = list[name];\n if (prod && ereg(pattern:\"^Microsoft Visual C\\+\\+ 200[58] Redistributable\", string:prod, icase:TRUE))\n {\n installs[tolower(prod)]++;\n }\n }\n}\n\nif (max_index(keys(installs)))\n{\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:rootfile);\n if (!is_accessible_share(share:share)) exit(1, \"Can't access '\"+share+\"' share.\");\n\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel();\n exit(1, \"Can't access '\"+share+\"' share.\");\n }\n\n fixed = make_array();\n probs = make_array();\n kbs = make_array();\n fixed_versions = make_array();\n fversions = make_array();\n prodfiles = make_array();\n\n winsxs = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\WinSxS\", string:rootfile);\n files = _list_dir(basedir:winsxs, level:0, dir_pat:\"microsoft.vc?0.atl\", file_pat:\"^atl(80|90)\\.dll$\");\n if (!isnull(files))\n {\n foreach file (files)\n {\n if (ereg(pattern:\"Microsoft\\.VC80\\.ATL\", string:file, icase:TRUE))\n {\n prod = \"Visual C++ 2005 SP1 Redistributable Package\";\n fixed_versions[prod] = \"8.0.50727.4053\";\n prodfiles[prod] = \"atl80.dll\";\n kbs[prod] = '973544';\n }\n else if (ereg(pattern:\"Microsoft\\.VC90\\.ATL.+_9\\.0\\.[0-2][0-9]+\", string:file, icase:TRUE))\n {\n prod = \"Visual C++ 2008 Redistributable Package\";\n fixed_versions[prod] = \"9.0.21022.218\";\n prodfiles[prod] = \"atl90.dll\";\n kbs[prod] = '973551';\n }\n else if (ereg(pattern:\"Microsoft\\.VC90\\.ATL.+_9\\.0\\.3[0-9]+\", string:file, icase:TRUE))\n {\n prod = \"Visual C++ 2008 SP1 Redistributable Package\";\n fixed_versions[prod] = \"9.0.30729.4148\";\n prodfiles[prod] = \"atl90.dll\";\n kbs[prod] = '973552';\n }\n else continue;\n\n installed = FALSE;\n foreach key (keys(installs))\n {\n if (\n (\" 2005 \" >< prod && \" 2005 \" >< key) ||\n (\n \" 2008 \" >< prod && \" 2008 \" >< key &&\n (\n ereg(pattern:\" 9\\.0\\.[0-2][0-9]+\", string:key) ||\n (\" SP1 \" >< prod && ereg(pattern:\" 9\\.0\\.3[0-9]+\", string:key))\n )\n )\n )\n {\n installed = TRUE;\n break;\n }\n }\n if (!installed) continue;\n\n if (isnull(fixed[prod]) || fixed[prod] == 0)\n {\n version = get_file_version(file);\n fversions[prod] = version;\n if (!isnull(version))\n {\n if (version == fixed_versions[prod])\n {\n fixed[prod]++;\n if (prod == \"Visual C++ 2008 SP1 Redistributable Package\")\n {\n fixed[\"Visual C++ 2008 Redistributable Package\"]++;\n probs[prod] = 0;\n }\n continue;\n }\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fix = split(fixed_versions[prod], sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n # Flag it if it's older or flag the fix if it's fixed.\n for (i=0; i<max_index(ver); i++)\n if ((ver[i] < fix[i]))\n {\n fixed[prod] = 0;\n probs[prod]++;\n break;\n }\n else if (ver[i] > fix[i])\n {\n fixed[prod]++;\n probs[prod] = 0;\n if (prod == \"Visual C++ 2008 SP1 Redistributable Package\")\n {\n fixed[\"Visual C++ 2008 Redistributable Package\"]++;\n probs[prod] = 0;\n }\n break;\n }\n }\n }\n }\n }\n NetUseDel(close:FALSE);\n\n # Report and exit if there's a problem.\n info = \"\";\n s = 0;\n foreach prod (keys(probs))\n {\n if (!fixed[prod]) s++;\n }\n if (s)\n {\n set_kb_item(name:'SMB/Missing/MS09-035', value:TRUE);\n\n if (s > 1) s = 's have';\n else s = ' has';\n info =\n '\\n The following Visual C++ Redistributable Package' + s + ' not' +\n '\\n been patched : \\n';\n hotfix_add_report(info);\n foreach prod (keys(probs))\n {\n if (fixed[prod]) continue;\n\n info =\n '\\n Product : ' + prod +\n '\\n File : ' + prodfiles[prod] +\n '\\n Installed version : ' + fversions[prod] +\n '\\n Fixed version : ' + fixed_versions[prod] + '\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:kbs[prod]);\n }\n hotfix_security_hole();\n exit(0);\n }\n}\n\n\n\n#######################################################################\n# Check Visual Studio installs.\n#######################################################################\n# - identify VCROOT for each install.\ninstalls = make_array();\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n exit(1, \"Can't connect to IPC$ share.\");\n}\n\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n exit(1, \"Can't connect to remote registry.\");\n}\n\nkey = \"SOFTWARE\\Microsoft\\VisualStudio\";\nsubkeys = get_registry_subkeys(handle:hklm, key:key, wow:TRUE);\nif (!isnull(subkeys))\n{\n if (report_paranoia < 2) pat = '^(7\\\\.1|8\\\\.0|9\\\\.0)$';\n else pat = '^[0-9]\\\\.[0-9]+$';\n foreach node (keys(subkeys))\n {\n key = node;\n foreach subkey (subkeys[node])\n {\n if (ereg(pattern:pat, string:subkey))\n {\n key2 = key + '\\\\' + subkey;\n path = get_registry_value(handle:hklm, item:key2 + \"\\InstallDir\");\n if (!isnull(path))\n {\n path = ereg_replace(pattern:'^\"(.+)\"$', replace:\"\\1\", string:path);\n vcroot = ereg_replace(pattern:\"^(.+)\\\\Common7\\\\IDE\\\\$\", replace:\"\\1\", string:path, icase:TRUE);\n if (vcroot >< path) installs[subkey] = vcroot;\n }\n }\n }\n }\n}\nRegCloseKey(handle:hklm);\nNetUseDel(close:FALSE);\n\n# - locate possibly-affected files.\natl_files = make_list();\n\nforeach ver (keys(installs))\n{\n if (ver =~ \"^[89]\\.\")\n {\n vcroot = installs[ver];\n\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:vcroot);\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel();\n exit(1, \"Can't access '\"+share+\"' share.\");\n }\n\n path = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\", string:vcroot);\n files = _list_dir(basedir:path+\"\\VC\\redist\", level:0, file_pat:\"^atl(80|90)\\.dll$\");\n if (!isnull(files))\n {\n foreach file (files)\n {\n atl_files = make_list(atl_files, (share-'$')+':'+file);\n }\n }\n }\n else\n {\n if (report_paranoia < 2) pat = \"^atl(71|80|90)\\.dll$\";\n else pat = \"^atl[0-9][0-9]\\.dll$\";\n\n basedirs = make_list(\n rootfile+\"\\System32\",\n commonfiles+\"\\Microsoft Shared\\Help\",\n commonfiles+\"\\Microsoft Shared\\VSA\"\n );\n\n foreach basedir (basedirs)\n {\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:basedir);\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel();\n exit(1, \"Can't access '\"+share+\"' share.\");\n }\n basedir = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\", string:basedir);\n\n if (ereg(pattern:\"\\System32$\", string:basedir, icase:TRUE))\n files = _list_dir(basedir:basedir, level:MAX_RECURSE, file_pat:pat);\n else\n files = _list_dir(basedir:basedir, level:0, file_pat:pat);\n if (!isnull(files))\n {\n foreach file (files)\n {\n atl_files = make_list(atl_files, (share-'$')+':'+file);\n }\n }\n NetUseDel(close:FALSE);\n }\n }\n}\nNetUseDel(close:FALSE);\n\n\n# - check each file.\nvuln = 0;\n\nforeach atl (atl_files)\n{\n match = eregmatch(pattern:\"^(.+)\\\\(atl[0-9]+\\.dll)$\", string:atl, icase:TRUE);\n if (match)\n {\n path = match[1];\n file = match[2];\n\n if (\n hotfix_check_fversion(file:file, version:\"9.0.30729.4148\", min_version:\"9.0.30000.0\", path:path, bulletin:bulletin, kb:'973675') == HCF_OLDER ||\n hotfix_check_fversion(file:file, version:\"9.0.21022.218\", min_version:\"9.0.0.0\", path:path, bulletin:bulletin, kb:'973674') == HCF_OLDER ||\n hotfix_check_fversion(file:file, version:\"8.0.50727.4053\", min_version:\"8.0.0.0\", path:path, bulletin:bulletin, kb:'971090') == HCF_OLDER ||\n hotfix_check_fversion(file:file, version:\"7.10.6101.0\", path:path, bulletin:bulletin, kb:'971089') == HCF_OLDER\n ) vuln++;\n }\n}\n\nif (vuln)\n{\n set_kb_item(name:\"SMB/Missing/MS09-035\", value:TRUE);\n hotfix_security_hole();\n\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n exit(0, \"The host is not affected\");\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-16T15:28:41", "description": "The remote Windows host contains a version of the Microsoft Active Template Library (ATL), included as part of Visual Studio or Visual C++, that is affected by multiple vulnerabilities :\n\n - A remote code execution issue affects the Microsoft Video ActiveX Control due to the a flaw in the function 'CComVariant::ReadFromStream' used in the ATL header, which fails to properly restrict untrusted data read from a stream. (CVE-2008-0015)\n\n - A remote code execution issue exists in the Microsoft Active Template Library due to an error in the 'Load' method of the 'IPersistStreamInit' interface, which could allow calls to 'memcpy' with untrusted data.\n (CVE-2008-0020)\n\n - An issue in the ATL headers could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized and, by supplying a corrupt stream, to execute arbitrary code.\n (CVE-2009-0901)\n\n - Unsafe usage of 'OleLoadFromStream' could allow instantiation of arbitrary objects which can bypass related security policy, such as kill bits within Internet Explorer. (CVE-2009-2493)\n\n - A bug in the ATL header could allow reading a variant from a stream and leaving the variant type read with an invalid variant, which could be leveraged by an attacker to execute arbitrary code remotely.\n (CVE-2009-2494)", "cvss3": {"score": null, "vector": null}, "published": "2009-08-11T00:00:00", "type": "nessus", "title": "MS09-037: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2008-0015", "CVE-2008-0020", "CVE-2009-0901", "CVE-2009-2493", "CVE-2009-2494"], "modified": "2020-08-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS09-037.NASL", "href": "https://www.tenable.com/plugins/nessus/40556", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(40556);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/05\");\n\n script_cve_id(\n \"CVE-2008-0015\",\n \"CVE-2008-0020\",\n \"CVE-2009-0901\",\n \"CVE-2009-2493\",\n \"CVE-2009-2494\"\n );\n script_bugtraq_id(35558, 35585, 35828, 35832, 35982);\n script_xref(name:\"MSFT\", value:\"MS09-037\");\n script_xref(name:\"MSKB\", value:\"973354\");\n script_xref(name:\"MSKB\", value:\"973507\");\n script_xref(name:\"MSKB\", value:\"973540\");\n script_xref(name:\"MSKB\", value:\"973815\");\n script_xref(name:\"MSKB\", value:\"973869\");\n script_xref(name:\"IAVA\", value:\"2009-A-0067-S\");\n script_xref(name:\"CERT\", value:\"180513\");\n script_xref(name:\"CERT\", value:\"456745\");\n script_xref(name:\"EDB-ID\", value:\"9108\");\n script_xref(name:\"EDB-ID\", value:\"16615\");\n\n script_name(english:\"MS09-037: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)\");\n script_summary(english:\"Checks version of various files\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through Microsoft\nActive Template Library.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host contains a version of the Microsoft Active\nTemplate Library (ATL), included as part of Visual Studio or Visual C++,\nthat is affected by multiple vulnerabilities :\n\n - A remote code execution issue affects the Microsoft\n Video ActiveX Control due to the a flaw in the function\n 'CComVariant::ReadFromStream' used in the ATL header,\n which fails to properly restrict untrusted data read\n from a stream. (CVE-2008-0015)\n\n - A remote code execution issue exists in the Microsoft\n Active Template Library due to an error in the 'Load'\n method of the 'IPersistStreamInit' interface, which\n could allow calls to 'memcpy' with untrusted data.\n (CVE-2008-0020)\n\n - An issue in the ATL headers could allow an attacker to\n force VariantClear to be called on a VARIANT that has\n not been correctly initialized and, by supplying a\n corrupt stream, to execute arbitrary code.\n (CVE-2009-0901)\n\n - Unsafe usage of 'OleLoadFromStream' could allow\n instantiation of arbitrary objects which can bypass\n related security policy, such as kill bits within\n Internet Explorer. (CVE-2009-2493)\n\n - A bug in the ATL header could allow reading a variant\n from a stream and leaving the variant type read with\n an invalid variant, which could be leveraged by an\n attacker to execute arbitrary code remotely.\n (CVE-2009-2494)\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-037\n script_set_attribute(attribute:\"see_also\", value:\"https://www.nessus.org/u?1a80c846\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP, 2003,\nVista and 2008.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94, 119, 264);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/08/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS09-037';\nkbs = make_list(\"973354\", \"973507\", \"973540\", \"973815\", \"973869\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nprogramfiles = hotfix_get_programfilesdir();\nif (!programfiles) exit(1, \"Can't determine location of Program Files.\");\n\nif (tolower(programfiles[0]) != tolower(rootfile[0]))\n{\n share = hotfix_path2share(path:programfiles);\n if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n}\n\ncommonfiles = hotfix_get_officecommonfilesdir();\nif (!commonfiles) exit(1, \"Can't determine location of Common Files.\");\n\nvuln = 0;\n\n# Media Player.\nif (\n # Vista / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Wmp.dll\", version:\"11.0.6002.22172\", min_version:\"11.0.6002.20000\", dir:\"\\System32\", bulletin:bulletin, kb:'973540') ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Wmp.dll\", version:\"11.0.6002.18065\", dir:\"\\System32\", bulletin:bulletin, kb:'973540') ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Wmp.dll\", version:\"11.0.6001.7114\", min_version:\"11.0.6001.7100\", dir:\"\\System32\", bulletin:bulletin, kb:'973540') ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Wmp.dll\", version:\"11.0.6001.7007\", dir:\"\\System32\", bulletin:bulletin, kb:'973540') ||\n hotfix_is_vulnerable(os:\"6.0\", sp:0, file:\"Wmp.dll\", version:\"11.0.6000.6511\", min_version:\"11.0.6000.6500\", dir:\"\\System32\", bulletin:bulletin, kb:'973540') ||\n hotfix_is_vulnerable(os:\"6.0\", sp:0, file:\"Wmp.dll\", version:\"11.0.6000.6352\", dir:\"\\System32\", bulletin:bulletin, kb:'973540') ||\n\n # Windows 2003\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Wmp.dll\", version:\"10.0.0.4006\", dir:\"\\System32\", bulletin:bulletin, kb:'973540') ||\n\n # Windows XP\n hotfix_is_vulnerable(os:\"5.1\", sp:3, arch:\"x86\", file:\"Wmp.dll\", version:\"9.0.0.4507\", dir:\"\\System32\", bulletin:bulletin, kb:'973540') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x64\", file:\"Wmp.dll\", version:\"11.0.5721.5268\", min_version:\"11.0.0.0\", dir:\"\\System32\", bulletin:bulletin, kb:'973540') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x64\", file:\"Wmp.dll\", version:\"10.0.0.4006\", dir:\"\\System32\", bulletin:bulletin, kb:'973540') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x86\", file:\"Wmp.dll\", version:\"9.0.0.3271\", dir:\"\\System32\", bulletin:bulletin, kb:'973540') ||\n\n # Windows 2000\n hotfix_is_vulnerable(os:\"5.0\", file:\"Wmp.dll\", version:\"9.0.0.3364\", dir:\"\\System32\", bulletin:bulletin, kb:'973540')\n) vuln++;\n\n\n# ATL.\nif (\n # Vista / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Atl.dll\", version:\"3.5.2284.2\", dir:\"\\System32\", bulletin:bulletin, kb:'973507') ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Atl.dll\", version:\"3.5.2284.2\", dir:\"\\System32\", bulletin:bulletin, kb:'973507') ||\n hotfix_is_vulnerable(os:\"6.0\", sp:0, file:\"Atl.dll\", version:\"3.5.2284.2\", dir:\"\\System32\", bulletin:bulletin, kb:'973507') ||\n\n # Windows 2003\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Atl.dll\", version:\"3.5.2284.2\", dir:\"\\System32\", bulletin:bulletin, kb:'973507') ||\n\n # Windows XP\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Atl.dll\", version:\"3.5.2284.2\", dir:\"\\System32\", bulletin:bulletin, kb:'973507') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, file:\"Atl.dll\", version:\"3.5.2284.2\", dir:\"\\System32\", bulletin:bulletin, kb:'973507') ||\n\n # Windows 2000\n hotfix_is_vulnerable(os:\"5.0\", file:\"Atl.dll\", version:\"3.0.9793.0\", dir:\"\\System32\", bulletin:bulletin, kb:'973507')\n) vuln++;\n\n\n# MSWebDVD ActiveX Control.\nif (\n # Vista / Windows Server 2008\n #\n # empty\n\n # Windows 2003\n hotfix_is_vulnerable(os:\"5.2\", sp:2, arch:\"x86\", file:\"Mswebdvd.dll\", version:\"6.5.3790.4564\", dir:\"\\System32\", bulletin:bulletin, kb:'973815') ||\n\n # Windows XP\n hotfix_is_vulnerable(os:\"5.1\", sp:3, arch:\"x86\", file:\"Mswebdvd.dll\", version:\"6.5.2600.5848\", dir:\"\\System32\", bulletin:bulletin, kb:'973815') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x86\", file:\"Mswebdvd.dll\", version:\"6.5.2600.3603\", dir:\"\\System32\", bulletin:bulletin, kb:'973815')\n\n # Windows 2000\n #\n # empty\n) vuln++;\n\n\n# Outlook Express.\nNetUseDel(close:FALSE);\nif (\n # Vista / Windows Server 2008\n #\n # empty\n\n # Windows 2003\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Msoe.dll\", version:\"6.0.3790.4548\", dir:\"\\Outlook Express\", path:programfiles, bulletin:bulletin, kb:'973354') ||\n\n # Windows XP\n hotfix_is_vulnerable(os:\"5.1\", sp:3, arch:\"x86\", file:\"Msoe.dll\", version:\"6.0.2900.5843\", dir:\"\\Outlook Express\", path:programfiles, bulletin:bulletin, kb:'973354') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x64\", file:\"Msoe.dll\", version:\"6.0.3790.4548\", dir:\"\\Outlook Express\", path:programfiles, bulletin:bulletin, kb:'973354') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x86\", file:\"Msoe.dll\", version:\"6.0.2900.3598\", dir:\"\\Outlook Express\", path:programfiles, bulletin:bulletin, kb:'973354') ||\n\n # Windows 2000\n hotfix_is_vulnerable(os:\"5.0\", file:\"Msoe.dll\", version:\"6.0.2800.1983\", min_version:\"6.0.0.0\", dir:\"\\Outlook Express\", path:programfiles, bulletin:bulletin, kb:'973354') ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Msoe.dll\", version:\"5.50.5003.1000\", dir:\"\\Outlook Express\", path:programfiles, bulletin:bulletin, kb:'973354')\n) vuln++;\n\n\n# DHTML Editing Component ActiveX control/\nif (!commonfiles)\n{\n hotfix_check_fversion_end();\n exit(1, \"Can't determine location of Common Files.\");\n}\nif (typeof(commonfiles) != 'array')\n{\n temp = commonfiles;\n commonfiles = make_array('commonfiles', commonfiles);\n}\ncheckeddirs = make_array();\nNetUseDel(close:FALSE);\nforeach ver (keys(commonfiles))\n{\n dir = commonfiles[ver];\n if (checkeddirs[dir]) continue;\n checkeddirs[dir] = 1;\n if (\n # Vista / Windows Server 2008\n #\n # empty\n\n # Windows 2003\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Dhtmled.ocx\", version:\"6.1.0.9247\", dir:\"\\Microsoft Shared\\Triedit\", path:dir, bulletin:bulletin, kb:'973869') ||\n\n # Windows XP\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Dhtmled.ocx\", version:\"6.1.0.9247\", dir:\"\\Microsoft Shared\\Triedit\", path:dir, bulletin:bulletin, kb:'973869') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, file:\"Dhtmled.ocx\", version:\"6.1.0.9247\", dir:\"\\Microsoft Shared\\Triedit\", path:dir, bulletin:bulletin, kb:'973869') ||\n\n # Windows 2000\n hotfix_is_vulnerable(os:\"5.0\", file:\"Dhtmled.ocx\", version:\"6.1.0.9234\", dir:\"\\Microsoft Shared\\Triedit\", path:dir, bulletin:bulletin, kb:'973869')\n ) vuln++;\n}\n\nif (vuln)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T16:28:33", "description": "Microsoft ActiveX controls that were compiled using the vulnerable Active Template Library described in Microsoft Security Bulletin MS09-035 have remote code execution vulnerabilities. A remote attacker could exploit them to execute arbitrary code by tricking a user into requesting a maliciously crafted web page.", "cvss3": {"score": null, "vector": null}, "published": "2009-10-13T00:00:00", "type": "nessus", "title": "MS09-055: Cumulative Security Update of ActiveX Kill Bits (973525)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2493"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS09-055.NASL", "href": "https://www.tenable.com/plugins/nessus/42111", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(42111);\n script_version(\"1.34\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2009-2493\");\n script_bugtraq_id(35828);\n script_xref(name:\"MSFT\", value:\"MS09-055\");\n script_xref(name:\"MSKB\", value:\"973525\");\n script_xref(name:\"CERT\", value:\"456745\");\n\n script_name(english:\"MS09-055: Cumulative Security Update of ActiveX Kill Bits (973525)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has multiple ActiveX controls that are affected\nby multiple code execution vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"Microsoft ActiveX controls that were compiled using the vulnerable\nActive Template Library described in Microsoft Security Bulletin\nMS09-035 have remote code execution vulnerabilities. A remote attacker\ncould exploit them to execute arbitrary code by tricking a user into\nrequesting a maliciously crafted web page.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-055\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP, 2003,\nVista and 2008.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/10/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_activex_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS09-055';\nkb = '973525';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2', win7:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nif (activex_init() != ACX_OK) exit(1, \"activex_init() failed.\");\n\n\n# Test each control.\ninfo = \"\";\nclsids = make_list(\n \"{0002E531-0000-0000-C000-000000000046}\", # msowc.dll\n \"{4C85388F-1500-11D1-A0DF-00C04FC9E20F}\", # msowc.dll\n \"{0002E532-0000-0000-C000-000000000046}\", # msowc.dll\n \"{0002E554-0000-0000-C000-000000000046}\", # owc10.dll\n \"{0002E55C-0000-0000-C000-000000000046}\", # owc11.dll\n \"{279D6C9A-652E-4833-BEFC-312CA8887857}\", # viewer.dll\n \"{B1F78FEF-3DB7-4C56-AF2B-5DCCC7C42331}\", # msmail.dll\n \"{C832BE8F-4B89-4579-A217-DB92E7A27915}\", # msmail.dll\n \"{A9A7297E-969C-43F1-A1EF-51EBEA36F850}\", # mailcomm.dll\n \"{DD8C2179-1B4A-4951-B432-5DE3D1507142}\", # msmail.dll\n \"{4F1E5B1A-2A80-42ca-8532-2D05CB959537}\", # MsnPUpld.dll\n \"{27A3D328-D206-4106-8D33-1AA39B13394B}\", # ReportBuilderAddin.dll\n \"{DB640C86-731C-484A-AAAF-750656C9187D}\", # ReportBuilderAddin.dll\n \"{15721a53-8448-4731-8bfc-ed11e128e444}\", # ReportBuilderAddin.dll\n \"{3267123E-530D-4E73-9DA7-79F01D86A89F}\" # ReportBuilderAddin.dll\n);\n\nforeach clsid (clsids)\n{\n # Make sure the control is installed\n file = activex_get_filename(clsid:clsid);\n if (isnull(file) || !file) continue;\n\n if (activex_get_killbit(clsid:clsid) == 0)\n {\n info += ' ' + clsid + '\\n';\n if (!thorough_tests) break;\n }\n}\nactivex_end();\n\n\nif (info)\n{\n if (report_verbosity > 0)\n {\n if (max_index(split(info)) > 1) s = \"s\";\n else s = \"\";\n\n report = string(\n \"\\n\",\n \"The kill bit has not been set for the following control\", s, \" :\\n\",\n \"\\n\",\n info\n );\n\n if (!thorough_tests)\n {\n report = string(\n report,\n \"\\n\",\n \"Note that Nessus did not check whether there were other kill bits\\n\",\n \"that have not been set because the 'Perofrm thorough tests' setting\\n\",\n \"was not enabled when this scan was run.\\n\"\n );\n }\n hotfix_add_report(report, bulletin:bulletin, kb:kb);\n security_warning(port:kb_smb_transport(), extra:report);\n }\n else\n {\n hotfix_add_report(bulletin:bulletin, kb:kb);\n hotfix_security_warning();\n }\n\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n}\nelse audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-26T01:12:39", "description": "Specially crafted Flash (SWF) files can cause a buffer overflow in flash-player. Attackers could potentially exploit that to execute arbitrary code (CVE-2009-1862, CVE-2009-0901, CVE-2009-2395, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870).", "cvss3": {"score": null, "vector": null}, "published": "2009-10-06T00:00:00", "type": "nessus", "title": "openSUSE 10 Security Update : flash-player (flash-player-6387)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-0901", "CVE-2009-1862", "CVE-2009-1863", "CVE-2009-1864", "CVE-2009-1865", "CVE-2009-1866", "CVE-2009-1867", "CVE-2009-1868", "CVE-2009-1869", "CVE-2009-1870", "CVE-2009-2395", "CVE-2009-2493"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:flash-player", "cpe:/o:novell:opensuse:10.3"], "id": "SUSE_FLASH-PLAYER-6387.NASL", "href": "https://www.tenable.com/plugins/nessus/42001", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update flash-player-6387.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(42001);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0901\", \"CVE-2009-1862\", \"CVE-2009-1863\", \"CVE-2009-1864\", \"CVE-2009-1865\", \"CVE-2009-1866\", \"CVE-2009-1867\", \"CVE-2009-1868\", \"CVE-2009-1869\", \"CVE-2009-1870\", \"CVE-2009-2395\", \"CVE-2009-2493\");\n\n script_name(english:\"openSUSE 10 Security Update : flash-player (flash-player-6387)\");\n script_summary(english:\"Check for the flash-player-6387 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted Flash (SWF) files can cause a buffer overflow in\nflash-player. Attackers could potentially exploit that to execute\narbitrary code (CVE-2009-1862, CVE-2009-0901, CVE-2009-2395,\nCVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865,\nCVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869,\nCVE-2009-1870).\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected flash-player package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(59, 89, 94, 119, 189, 200, 264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/10/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE10\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"10.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE10.3\", reference:\"flash-player-9.0.246.0-0.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-26T01:13:28", "description": "Specially crafted Flash (SWF) files can cause a buffer overflow in flash-player. Attackers could potentially exploit that to execute arbitrary code (CVE-2009-1862, CVE-2009-0901, CVE-2009-2395, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870).", "cvss3": {"score": null, "vector": null}, "published": "2009-08-05T00:00:00", "type": "nessus", "title": "openSUSE Security Update : flash-player (flash-player-1148)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-0901", "CVE-2009-1862", "CVE-2009-1863", "CVE-2009-1864", "CVE-2009-1865", "CVE-2009-1866", "CVE-2009-1867", "CVE-2009-1868", "CVE-2009-1869", "CVE-2009-1870", "CVE-2009-2395", "CVE-2009-2493"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:flash-player", "cpe:/o:novell:opensuse:11.0"], "id": "SUSE_11_0_FLASH-PLAYER-090731.NASL", "href": "https://www.tenable.com/plugins/nessus/40488", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update flash-player-1148.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(40488);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0901\", \"CVE-2009-1862\", \"CVE-2009-1863\", \"CVE-2009-1864\", \"CVE-2009-1865\", \"CVE-2009-1866\", \"CVE-2009-1867\", \"CVE-2009-1868\", \"CVE-2009-1869\", \"CVE-2009-1870\", \"CVE-2009-2395\", \"CVE-2009-2493\");\n\n script_name(english:\"openSUSE Security Update : flash-player (flash-player-1148)\");\n script_summary(english:\"Check for the flash-player-1148 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted Flash (SWF) files can cause a buffer overflow in\nflash-player. Attackers could potentially exploit that to execute\narbitrary code (CVE-2009-1862, CVE-2009-0901, CVE-2009-2395,\nCVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865,\nCVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869,\nCVE-2009-1870).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=524508\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected flash-player package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(59, 89, 94, 119, 189, 200, 264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/08/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.0\", reference:\"flash-player-9.0.246.0-0.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-26T01:13:13", "description": "Specially crafted Flash (SWF) files can cause a buffer overflow in flash-player. Attackers could potentially exploit that to execute arbitrary code (CVE-2009-1862, CVE-2009-0901, CVE-2009-2395, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870).", "cvss3": {"score": null, "vector": null}, "published": "2009-08-05T00:00:00", "type": "nessus", "title": "openSUSE Security Update : flash-player (flash-player-1148)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-0901", "CVE-2009-1862", "CVE-2009-1863", "CVE-2009-1864", "CVE-2009-1865", "CVE-2009-1866", "CVE-2009-1867", "CVE-2009-1868", "CVE-2009-1869", "CVE-2009-1870", "CVE-2009-2395", "CVE-2009-2493"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:flash-player", "cpe:/o:novell:opensuse:11.1"], "id": "SUSE_11_1_FLASH-PLAYER-090731.NASL", "href": "https://www.tenable.com/plugins/nessus/40489", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update flash-player-1148.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(40489);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0901\", \"CVE-2009-1862\", \"CVE-2009-1863\", \"CVE-2009-1864\", \"CVE-2009-1865\", \"CVE-2009-1866\", \"CVE-2009-1867\", \"CVE-2009-1868\", \"CVE-2009-1869\", \"CVE-2009-1870\", \"CVE-2009-2395\", \"CVE-2009-2493\");\n\n script_name(english:\"openSUSE Security Update : flash-player (flash-player-1148)\");\n script_summary(english:\"Check for the flash-player-1148 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted Flash (SWF) files can cause a buffer overflow in\nflash-player. Attackers could potentially exploit that to execute\narbitrary code (CVE-2009-1862, CVE-2009-0901, CVE-2009-2395,\nCVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865,\nCVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869,\nCVE-2009-1870).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=524508\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected flash-player package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(59, 89, 94, 119, 189, 200, 264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/08/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.1\", reference:\"flash-player-10.0.32.18-0.1.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-26T01:12:38", "description": "Specially crafted Flash (SWF) files can cause a buffer overflow in flash-player. Attackers could potentially exploit that to execute arbitrary code. (CVE-2009-1862 / CVE-2009-0901 / CVE-2009-2395 / CVE-2009-2493 / CVE-2009-1863 / CVE-2009-1864 / CVE-2009-1865 / CVE-2009-1866 / CVE-2009-1867 / CVE-2009-1868 / CVE-2009-1869 / CVE-2009-1870)", "cvss3": {"score": null, "vector": null}, "published": "2009-09-24T00:00:00", "type": "nessus", "title": "SuSE 11 Security Update : flash-player (SAT Patch Number 1149)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-0901", "CVE-2009-1862", "CVE-2009-1863", "CVE-2009-1864", "CVE-2009-1865", "CVE-2009-1866", "CVE-2009-1867", "CVE-2009-1868", "CVE-2009-1869", "CVE-2009-1870", "CVE-2009-2395", "CVE-2009-2493"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:flash-player", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_11_FLASH-PLAYER-090731.NASL", "href": "https://www.tenable.com/plugins/nessus/41392", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(41392);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0901\", \"CVE-2009-1862\", \"CVE-2009-1863\", \"CVE-2009-1864\", \"CVE-2009-1865\", \"CVE-2009-1866\", \"CVE-2009-1867\", \"CVE-2009-1868\", \"CVE-2009-1869\", \"CVE-2009-1870\", \"CVE-2009-2395\", \"CVE-2009-2493\");\n\n script_name(english:\"SuSE 11 Security Update : flash-player (SAT Patch Number 1149)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted Flash (SWF) files can cause a buffer overflow in\nflash-player. Attackers could potentially exploit that to execute\narbitrary code. (CVE-2009-1862 / CVE-2009-0901 / CVE-2009-2395 /\nCVE-2009-2493 / CVE-2009-1863 / CVE-2009-1864 / CVE-2009-1865 /\nCVE-2009-1866 / CVE-2009-1867 / CVE-2009-1868 / CVE-2009-1869 /\nCVE-2009-1870)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=524508\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-0901.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1862.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1863.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1864.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1865.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1866.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1867.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1868.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1869.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1870.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-2395.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-2493.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 1149.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(59, 89, 94, 119, 189, 200, 264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (pl) audit(AUDIT_OS_NOT, \"SuSE 11.0\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"flash-player-10.0.32.18-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T16:19:40", "description": "The remote Windows host contains a version of Adobe Flash Player that is earlier than 9.0.246.0 / 10.0.32.18. Such versions are reportedly affected by multiple vulnerabilities : \n\n - A memory corruption vulnerability that could potentially lead to code execution. (CVE-2009-1862) \n\n - A vulnerability in the Microsoft Active Template Library (ATL) which could allow an attacker who successfully exploits the vulnerability to take control of the affected system. (CVE-2009-0901, CVE-2009-2395, CVE-2009-2493) \n\n - A privilege escalation vulnerability that could potentially lead to code execution. (CVE-2009-1863)\n\n - A heap overflow vulnerability that could potentially lead to code execution. (CVE-2009-1864) \n\n - A NULL pointer vulnerability that could potentially lead to code execution. (CVE-2009-1865) \n\n - A stack overflow vulnerability that could potentially lead to code execution. (CVE-2009-1866) \n\n - A clickjacking vulnerability that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. (CVE-2009-1867 \n\n - A URL parsing heap overflow vulnerability that could potentially lead to code execution. (CVE-2009-1868)\n\n - An integer overflow vulnerability that could potentially lead to code execution. (CVE-2009-1869) \n\n - A local sandbox vulnerability that could potentially lead to information disclosure when SWFs are saved to the hard drive. CVE-2009-1870)", "cvss3": {"score": null, "vector": null}, "published": "2009-07-30T00:00:00", "type": "nessus", "title": "Flash Player < 9.0.246.0 / 10.0.32.18 Multiple Vulnerabilities (APSB09-10)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-0901", "CVE-2009-1862", "CVE-2009-1863", "CVE-2009-1864", "CVE-2009-1865", "CVE-2009-1866", "CVE-2009-1867", "CVE-2009-1868", "CVE-2009-1869", "CVE-2009-1870", "CVE-2009-2395", "CVE-2009-2493"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "FLASH_PLAYER_APSB09_10.NASL", "href": "https://www.tenable.com/plugins/nessus/40434", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(40434);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2009-0901\",\n \"CVE-2009-1862\",\n \"CVE-2009-1863\",\n \"CVE-2009-1864\",\n \"CVE-2009-1865\",\n \"CVE-2009-1866\",\n \"CVE-2009-1867\",\n \"CVE-2009-1868\",\n \"CVE-2009-1869\",\n \"CVE-2009-1870\",\n \"CVE-2009-2493\"\n );\n script_bugtraq_id(\n 35759,\n 35832,\n 35846,\n 35900,\n 35901,\n 35902,\n 35903,\n 35904,\n 35905,\n 35906,\n 35907,\n 35908\n );\n\n script_name(english:\"Flash Player < 9.0.246.0 / 10.0.32.18 Multiple Vulnerabilities (APSB09-10)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a browser plugin that is affected by \nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host contains a version of Adobe Flash Player that \nis earlier than 9.0.246.0 / 10.0.32.18. Such versions are reportedly \naffected by multiple vulnerabilities : \n\n - A memory corruption vulnerability that could potentially\n lead to code execution. (CVE-2009-1862) \n\n - A vulnerability in the Microsoft Active Template Library\n (ATL) which could allow an attacker who successfully\n exploits the vulnerability to take control of the\n affected system. (CVE-2009-0901, CVE-2009-2395,\n CVE-2009-2493) \n\n - A privilege escalation vulnerability that could \n potentially lead to code execution. (CVE-2009-1863)\n\n - A heap overflow vulnerability that could potentially\n lead to code execution. (CVE-2009-1864) \n\n - A NULL pointer vulnerability that could potentially\n lead to code execution. (CVE-2009-1865) \n\n - A stack overflow vulnerability that could potentially\n lead to code execution. (CVE-2009-1866) \n\n - A clickjacking vulnerability that could allow an\n attacker to lure a web browser user into unknowingly\n clicking on a link or dialog. (CVE-2009-1867 \n\n - A URL parsing heap overflow vulnerability that could\n potentially lead to code execution. (CVE-2009-1868)\n\n - An integer overflow vulnerability that could potentially\n lead to code execution. (CVE-2009-1869) \n\n - A local sandbox vulnerability that could potentially\n lead to information disclosure when SWFs are saved to\n the hard drive. CVE-2009-1870)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb09-10.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 10.0.32.18 or later. If you are unable to upgrade\nto version 10, upgrade to version 9.0.246.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_cwe_id(59, 94, 119, 189, 200, 264);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"flash_player_installed.nasl\");\n script_require_keys(\"SMB/Flash_Player/installed\");\n\n exit(0);\n}\n\n#\n\nif (!get_kb_item(\"SMB/Flash_Player/installed\")) exit(0);\n\ninclude (\"global_settings.inc\");\n\n# Identify vulnerable versions.\ninfo=NULL;\n\nforeach variant (make_list(\"Plugin\", \"ActiveX\"))\n{\n vers = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/Version/*\");\n files = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/File/*\");\n if(!isnull(vers) && !isnull(files))\n {\n foreach key (keys(vers))\n {\n ver = vers[key];\n if (ver)\n {\n iver = split(ver, sep:'.',keep:FALSE);\n for(i=0;i<max_index(iver);i++)\n iver[i] = int(iver[i]);\n if (\n (\n iver[0] == 10 && iver[1] == 0 &&\n (\n iver[2] < 22 ||\n (iver[2] == 22 && iver[3] <= 87)\n )\n ) ||\n (iver[0] == 9 && iver[1] == 0 && iver[2] < 246) ||\n iver[0] < 9\n )\n {\n num = key - (\"SMB/Flash_Player/\"+variant+\"/Version/\");\n file = files[\"SMB/Flash_Player/\"+variant+\"/File/\"+num];\n if (variant == \"Plugin\")\n {\n info += ' - Browser Plugin (for Firefox / Netscape / Opera) :\\n';\n }\n else if (variant == \"ActiveX\")\n {\n info += ' - ActiveX control (for Internet Explorer) :\\n';\n }\n info += ' ' + file + ', ' + ver + '\\n';\n }\n }\n }\n }\n}\n\nif (info)\n{\n if (report_verbosity > 0)\n {\n # nb: each vulnerable instance adds 2 lines to 'info'.\n if (max_index(split(info)) > 2)\n inst = \"s\";\n else\n inst = \"\";\n\n report = string(\n \"\\n\",\n \"Nessus has identified the following vulnerable instance\", inst, \" of Flash\\n\",\n \"Player installed on the remote host :\\n\",\n \"\\n\",\n info\n );\n security_hole(port:get_kb_item(\"SMB/transport\"), extra:report);\n }\n else security_hole(get_kb_item(\"SMB/transport\"));\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-26T01:05:06", "description": "Specially crafted Flash (SWF) files can cause a buffer overflow in flash-player. Attackers could potentially exploit that to execute arbitrary code. (CVE-2009-1862 / CVE-2009-0901 / CVE-2009-2395 / CVE-2009-2493 / CVE-2009-1863 / CVE-2009-1864 / CVE-2009-1865 / CVE-2009-1866 / CVE-2009-1867 / CVE-2009-1868 / CVE-2009-1869 / CVE-2009-1870)", "cvss3": {"score": null, "vector": null}, "published": "2011-01-27T00:00:00", "type": "nessus", "title": "SuSE 10 Security Update : flash-player (ZYPP Patch Number 6386)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-0901", "CVE-2009-1862", "CVE-2009-1863", "CVE-2009-1864", "CVE-2009-1865", "CVE-2009-1866", "CVE-2009-1867", "CVE-2009-1868", "CVE-2009-1869", "CVE-2009-1870", "CVE-2009-2395", "CVE-2009-2493"], "modified": "2021-01-14T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_FLASH-PLAYER-6386.NASL", "href": "https://www.tenable.com/plugins/nessus/51731", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(51731);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0901\", \"CVE-2009-1862\", \"CVE-2009-1863\", \"CVE-2009-1864\", \"CVE-2009-1865\", \"CVE-2009-1866\", \"CVE-2009-1867\", \"CVE-2009-1868\", \"CVE-2009-1869\", \"CVE-2009-1870\", \"CVE-2009-2395\", \"CVE-2009-2493\");\n\n script_name(english:\"SuSE 10 Security Update : flash-player (ZYPP Patch Number 6386)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted Flash (SWF) files can cause a buffer overflow in\nflash-player. Attackers could potentially exploit that to execute\narbitrary code. (CVE-2009-1862 / CVE-2009-0901 / CVE-2009-2395 /\nCVE-2009-2493 / CVE-2009-1863 / CVE-2009-1864 / CVE-2009-1865 /\nCVE-2009-1866 / CVE-2009-1867 / CVE-2009-1868 / CVE-2009-1869 /\nCVE-2009-1870)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-0901.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1862.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1863.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1864.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1865.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1866.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1867.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1868.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1869.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1870.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-2395.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-2493.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6386.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(59, 89, 94, 119, 189, 200, 264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"flash-player-9.0.246.0-0.3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-23T15:54:20", "description": "The remote host is missing IE Security Update 976325.\n\nThe remote version of IE is affected by several vulnerabilities that may allow an attacker to execute arbitrary code on the remote host.", "cvss3": {"score": null, "vector": null}, "published": "2009-12-08T00:00:00", "type": "nessus", "title": "MS09-072: Cumulative Security Update for Internet Explorer (976325)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2493", "CVE-2009-3671", "CVE-2009-3672", "CVE-2009-3673", "CVE-2009-3674"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:ie"], "id": "SMB_NT_MS09-072.NASL", "href": "https://www.tenable.com/plugins/nessus/43064", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(43064);\n script_version(\"1.29\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2009-2493\", \"CVE-2009-3671\", \"CVE-2009-3672\", \"CVE-2009-3673\", \"CVE-2009-3674\");\n script_bugtraq_id(35828, 37085, 37188, 37212, 37213);\n script_xref(name:\"MSFT\", value:\"MS09-072\");\n script_xref(name:\"MSKB\", value:\"976325\");\n script_xref(name:\"CERT\", value:\"456745\");\n script_xref(name:\"CERT\", value:\"515749\");\n script_xref(name:\"EDB-ID\", value:\"16547\");\n\n script_name(english:\"MS09-072: Cumulative Security Update for Internet Explorer (976325)\");\n script_summary(english:\"Checks version of Mshtml.dll / MSrating.dll\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"Arbitrary code can be executed on the remote host through a web\nbrowser.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is missing IE Security Update 976325.\n\nThe remote version of IE is affected by several vulnerabilities that may\nallow an attacker to execute arbitrary code on the remote host.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-072\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for Windows 2000, XP, 2003,\nVista, 2008, and Windows 7.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS09-072 Microsoft Internet Explorer Style getElementsByTagName Memory Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(94, 264, 399);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS09-072';\nkb = '976325';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2', win7:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 7 and Windows Server 2008 R2\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.1\", file:\"Mshtml.dll\", version:\"8.0.7600.20579\", min_version:\"8.0.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", file:\"Mshtml.dll\", version:\"8.0.7600.16466\", min_version:\"8.0.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / Windows 2008\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.0\", file:\"Mshtml.dll\", version:\"8.0.6001.22956\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", file:\"Mshtml.dll\", version:\"8.0.6001.18865\", min_version:\"8.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.22252\", min_version:\"7.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.18130\", min_version:\"7.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Mshtml.dll\", version:\"7.0.6001.22550\", min_version:\"7.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Mshtml.dll\", version:\"7.0.6001.18349\", min_version:\"7.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:0, file:\"Mshtml.dll\", version:\"7.0.6000.21148\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:0, file:\"Mshtml.dll\", version:\"7.0.6000.16945\", min_version:\"7.0.6000.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 / XP x64\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.22945\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.18854\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.21148\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.16945\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"6.0.3790.4611\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.1\", sp:3, arch:\"x86\", file:\"Mshtml.dll\", version:\"8.0.6001.22945\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, arch:\"x86\", file:\"Mshtml.dll\", version:\"8.0.6001.18854\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x86\", file:\"Mshtml.dll\", version:\"8.0.6001.22945\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x86\", file:\"Mshtml.dll\", version:\"8.0.6001.18854\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.1\", sp:3, arch:\"x86\", file:\"Mshtml.dll\", version:\"7.0.6000.21148\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, arch:\"x86\", file:\"Mshtml.dll\", version:\"7.0.6000.16945\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x86\", file:\"Mshtml.dll\", version:\"7.0.6000.21148\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x86\", file:\"Mshtml.dll\", version:\"7.0.6000.16945\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6 SP1\n hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x86\", file:\"Msrating.dll\", version:\"6.0.2800.1996\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.1\", sp:3, arch:\"x86\", file:\"Mshtml.dll\", version:\"6.0.2900.5897\", min_version:\"6.0.2900.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x86\", file:\"Mshtml.dll\", version:\"6.0.2900.3640\", min_version:\"6.0.2900.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2000\n #\n # - Internet Explorer 6 w/ Service Pack 1\n hotfix_is_vulnerable(os:\"5.0\", file:\"Msrating.dll\", version:\"6.0.2800.1996\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 5.01 w/ Service Pack 4\n hotfix_is_vulnerable(os:\"5.0\", file:\"Mshtml.dll\", version:\"5.0.3882.2700\", min_version:\"5.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:05:04", "description": "The version of OpenOffice installed on the remote host is earlier than 3.2. Such versions are potentially affected by several issues : \n\n - Signatures may not be handled properly due to a vulnerability in the libxml2 library. (CVE-2006-4339)\n\n - There is an HMAC truncation authentication bypass vulnerability in the libxmlsec library. (CVE-2009-0217)\n\n - The application is bundled with a vulnerable version of the Microsoft VC++ runtime. (CVE-2009-2493)\n\n - Specially crafted XPM files are not processed properly, which could lead to arbitrary code execution. (CVE-2009-2949)\n\n - Specially crafted GIF files are not processed properly, which could lead to arbitrary code execution. (CVE-2009-2950)\n\n - Specially crafted Microsoft Word documents are not processed properly, which could lead to arbitrary code execution. (CVE-2009-3301 / CVE-2009-3302)", "cvss3": {"score": 5.6, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2010-02-15T00:00:00", "type": "nessus", "title": "OpenOffice < 3.2 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-0217", "CVE-2009-2949", "CVE-2009-2950", "CVE-2009-3301", "CVE-2009-3302", "CVE-2006-4339", "CVE-2009-2493"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:sun:openoffice.org:*:*:*:*:*:*:*:*"], "id": "5339.PRM", "href": "https://www.tenable.com/plugins/nnm/5339", "sourceData": "Binary data 5339.prm", "cvss": {"score": 6.8, "vector": "CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:05:14", "description": "OpenOffice.org Security Team reports :\n\nFixed in OpenOffice.org 3.2\n\nCVE-2006-4339: Potential vulnerability from 3rd party libxml2 libraries\n\nCVE-2009-0217: Potential vulnerability from 3rd party libxmlsec libraries\n\nCVE-2009-2493: OpenOffice.org 3 for Windows bundles a vulnerable version of MSVC Runtime\n\nCVE-2009-2949: Potential vulnerability related to XPM file processing\n\nCVE-2009-2950: Potential vulnerability related to GIF file processing\n\nCVE-2009-3301/2: Potential vulnerability related to MS-Word document processing", "cvss3": {"score": null, "vector": null}, "published": "2010-03-01T00:00:00", "type": "nessus", "title": "FreeBSD : openoffice.org -- multiple vulnerabilities (c97d7a37-2233-11df-96dd-001b2134ef46)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-4339", "CVE-2009-0217", "CVE-2009-2493", "CVE-2009-2949", "CVE-2009-2950", "CVE-2009-3301", "CVE-2009-3302"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:openoffice.org", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_C97D7A37223311DF96DD001B2134EF46.NASL", "href": "https://www.tenable.com/plugins/nessus/44922", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(44922);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2006-4339\", \"CVE-2009-0217\", \"CVE-2009-2493\", \"CVE-2009-2949\", \"CVE-2009-2950\", \"CVE-2009-3301\", \"CVE-2009-3302\");\n\n script_name(english:\"FreeBSD : openoffice.org -- multiple vulnerabilities (c97d7a37-2233-11df-96dd-001b2134ef46)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"OpenOffice.org Security Team reports :\n\nFixed in OpenOffice.org 3.2\n\nCVE-2006-4339: Potential vulnerability from 3rd party libxml2\nlibraries\n\nCVE-2009-0217: Potential vulnerability from 3rd party libxmlsec\nlibraries\n\nCVE-2009-2493: OpenOffice.org 3 for Windows bundles a vulnerable\nversion of MSVC Runtime\n\nCVE-2009-2949: Potential vulnerability related to XPM file processing\n\nCVE-2009-2950: Potential vulnerability related to GIF file processing\n\nCVE-2009-3301/2: Potential vulnerability related to MS-Word document\nprocessing\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openoffice.org/security/bulletin.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openoffice.org/security/cves/CVE-2006-4339.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openoffice.org/security/cves/CVE-2009-0217.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openoffice.org/security/cves/CVE-2009-2493.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openoffice.org/security/cves/CVE-2009-2949.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openoffice.org/security/cves/CVE-2009-2950.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html\"\n );\n # https://vuxml.freebsd.org/freebsd/c97d7a37-2233-11df-96dd-001b2134ef46.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?57a2342e\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_cwe_id(94, 119, 189, 264, 310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:openoffice.org\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/08/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/02/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/03/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"openoffice.org<3.2.0\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"openoffice.org>=3.2.20010101<3.2.20100203\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"openoffice.org>=3.3.20010101<3.3.20100207\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-16T15:33:41", "description": "The version of Sun Microsystems OpenOffice.org installed on the remote host is prior to version 3.2. It is, therefore, affected by several issues :\n\n - Signatures may not be handled properly due to a vulnerability in the libxml2 library. (CVE-2006-4339)\n\n - There is an HMAC truncation authentication bypass vulnerability in the libxmlsec library. (CVE-2009-0217)\n\n - The application is bundled with a vulnerable version of the Microsoft VC++ runtime. (CVE-2009-2493)\n\n - Specially crafted XPM files are not processed properly, which could lead to arbitrary code execution.\n (CVE-2009-2949)\n\n - Specially crafted GIF files are not processed properly, which could lead to arbitrary code execution.\n (CVE-2009-2950)\n\n - Specially crafted Microsoft Word documents are not processed properly, which could lead to arbitrary code execution. (CVE-2009-3301 / CVE-2009-3302)", "cvss3": {"score": null, "vector": null}, "published": "2010-02-12T00:00:00", "type": "nessus", "title": "Sun OpenOffice.org < 3.2 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-4339", "CVE-2009-0217", "CVE-2009-2493", "CVE-2009-2949", "CVE-2009-2950", "CVE-2009-3301", "CVE-2009-3302"], "modified": "2018-07-16T00:00:00", "cpe": ["cpe:/a:sun:openoffice.org"], "id": "OPENOFFICE_32.NASL", "href": "https://www.tenable.com/plugins/nessus/44597", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44597);\n script_version(\"1.14\");\n\n script_cve_id(\n \"CVE-2006-4339\", \n \"CVE-2009-0217\", \n \"CVE-2009-2493\", \n \"CVE-2009-2949\", \n \"CVE-2009-2950\", \n \"CVE-2009-3301\", \n \"CVE-2009-3302\"\n );\n script_bugtraq_id(19849, 35671, 35828, 38218);\n\n script_name(english:\"Sun OpenOffice.org < 3.2 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Sun OpenOffice.org.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Windows host has a program affected by multiple buffer\noverflows.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Sun Microsystems OpenOffice.org installed on the\nremote host is prior to version 3.2. It is, therefore, affected by\nseveral issues :\n\n - Signatures may not be handled properly due to a\n vulnerability in the libxml2 library. (CVE-2006-4339)\n\n - There is an HMAC truncation authentication bypass\n vulnerability in the libxmlsec library. (CVE-2009-0217)\n\n - The application is bundled with a vulnerable version of\n the Microsoft VC++ runtime. (CVE-2009-2493)\n\n - Specially crafted XPM files are not processed properly,\n which could lead to arbitrary code execution.\n (CVE-2009-2949)\n\n - Specially crafted GIF files are not processed properly,\n which could lead to arbitrary code execution.\n (CVE-2009-2950)\n\n - Specially crafted Microsoft Word documents are not\n processed properly, which could lead to arbitrary code\n execution. (CVE-2009-3301 / CVE-2009-3302)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openoffice.org/security/cves/CVE-2006-4339.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openoffice.org/security/cves/CVE-2009-0217.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openoffice.org/security/cves/CVE-2009-2493.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openoffice.org/security/cves/CVE-2009-2949.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openoffice.org/security/cves/CVE-2009-2950.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade to Sun Microsystems OpenOffice.org version 3.2 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_cwe_id(94, 119, 189, 264, 310);\n script_set_attribute(attribute:\"vuln_publication_date\",value:\"2010/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\",value:\"2010/02/11\");\n script_set_attribute(attribute:\"plugin_publication_date\",value:\"2010/02/12\");\n script_cvs_date(\"Date: 2018/07/16 14:09:15\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:sun:openoffice.org\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"openoffice_installed.nasl\");\n script_require_keys(\"SMB/OpenOffice/Build\");\n\n exit(0);\n}\n\nbuild = get_kb_item(\"SMB/OpenOffice/Build\");\nif (build)\n{\n matches = eregmatch(string:build, pattern:\"([0-9]+[a-z][0-9]+)\\(Build:([0-9]+)\\)\");\n if (!isnull(matches))\n {\n buildid = int(matches[2]);\n if (buildid < 9483) \n security_hole(get_kb_item(\"SMB/transport\"));\n else\n exit(0,\"Build \" + buildid + \" is not affected.\");\n }\n}\nelse exit(1, \"The 'SMB/OpenOffice/Build' KB item is missing.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-27T15:00:18", "description": "The IBM Java 6 JRE/SDK was updated to Service Release 6, fixing various bugs and security issues.\n\nThe following security issues were fixed :\n\n - A security vulnerability in the JNLPAppletLauncher might impact users of the Sun JDK and JRE. Non-current versions of the JNLPAppletLauncher might be re-purposed with an untrusted Java applet to write arbitrary files on the system of the user downloading and running the untrusted applet. (CVE-2009-2676)\n\nThe JNLPAppletLauncher is a general purpose JNLP-based applet launcher class for deploying applets that use extension libraries containing native code.\n\n - The Java Runtime Environment includes the Java Web Start technology that uses the Java Web Start ActiveX control to launch Java Web Start in Internet Explorer. A security vulnerability in the Active Template Library (ATL) in various releases of Microsoft Visual Studio, which is used by the Java Web Start ActiveX control, might allow the Java Web Start ActiveX control to be leveraged to run arbitrary code. This might occur as the result of a user of the Java Runtime Environment viewing a specially crafted web page that exploits this vulnerability. (CVE-2009-2493)\n\n - A vulnerability in the Java Runtime Environment audio system might allow an untrusted applet or Java Web Start application to access system properties. (CVE-2009-2670)\n\n - A vulnerability with verifying HMAC-based XML digital signatures in the XML Digital Signature implementation included with the Java Runtime Environment (JRE) might allow authentication to be bypassed. Applications that validate HMAC-based XML digital signatures might be vulnerable to this type of attack. (CVE-2009-0217)\n\nNote: This vulnerability cannot be exploited by an untrusted applet or Java Web Start application.\n\n - A vulnerability in the Java Runtime Environment with the SOCKS proxy implementation might allow an untrusted applet or Java Web Start application to determine the username of the user running the applet or application.\n (CVE-2009-2671 / CVE-2009-2672)\n\nA second vulnerability in the Java Runtime Environment with the proxy mechanism implementation might allow an untrusted applet or Java Web Start application to obtain browser cookies and leverage those cookies to hijack sessions.\n\n - A vulnerability in the Java Runtime Environment with the proxy mechanism implementation might allow an untrusted applet or Java Web Start application to make non-authorized socket or URL connections to hosts other than the origin host. (CVE-2009-2673)\n\n - An integer overflow vulnerability in the Java Runtime Environment with processing JPEG images might allow an untrusted Java Web Start application to escalate privileges. For example, an untrusted application might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-2674)\n\n - An integer overflow vulnerability in the Java Runtime Environment with unpacking applets and Java Web Start applications using the unpack200 JAR unpacking utility might allow an untrusted applet or application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-2675)\n\n - A vulnerability in the Java Runtime Environment (JRE) with parsing XML data might allow a remote client to create a denial-of-service condition on the system that the JRE runs on. (CVE-2009-2625)", "cvss3": {"score": null, "vector": null}, "published": "2009-11-05T00:00:00", "type": "nessus", "title": "SuSE 11 Security Update : IBM Java 1.6.0 (SAT Patch Number 1497)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-0217", "CVE-2009-2493", "CVE-2009-2625", "CVE-2009-2670", "CVE-2009-2671", "CVE-2009-2672", "CVE-2009-2673", "CVE-2009-2674", "CVE-2009-2675", "CVE-2009-2676"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:java-1_6_0-ibm", "p-cpe:/a:novell:suse_linux:11:java-1_6_0-ibm-alsa", "p-cpe:/a:novell:suse_linux:11:java-1_6_0-ibm-fonts", "p-cpe:/a:novell:suse_linux:11:java-1_6_0-ibm-jdbc", "p-cpe:/a:novell:suse_linux:11:java-1_6_0-ibm-plugin", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_11_JAVA-1_6_0-IBM-091102.NASL", "href": "https://www.tenable.com/plugins/nessus/42396", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(42396);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0217\", \"CVE-2009-2493\", \"CVE-2009-2625\", \"CVE-2009-2670\", \"CVE-2009-2671\", \"CVE-2009-2672\", \"CVE-2009-2673\", \"CVE-2009-2674\", \"CVE-2009-2675\", \"CVE-2009-2676\");\n\n script_name(english:\"SuSE 11 Security Update : IBM Java 1.6.0 (SAT Patch Number 1497)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The IBM Java 6 JRE/SDK was updated to Service Release 6, fixing\nvarious bugs and security issues.\n\nThe following security issues were fixed :\n\n - A security vulnerability in the JNLPAppletLauncher might\n impact users of the Sun JDK and JRE. Non-current\n versions of the JNLPAppletLauncher might be re-purposed\n with an untrusted Java applet to write arbitrary files\n on the system of the user downloading and running the\n untrusted applet. (CVE-2009-2676)\n\nThe JNLPAppletLauncher is a general purpose JNLP-based applet launcher\nclass for deploying applets that use extension libraries containing\nnative code.\n\n - The Java Runtime Environment includes the Java Web Start\n technology that uses the Java Web Start ActiveX control\n to launch Java Web Start in Internet Explorer. A\n security vulnerability in the Active Template Library\n (ATL) in various releases of Microsoft Visual Studio,\n which is used by the Java Web Start ActiveX control,\n might allow the Java Web Start ActiveX control to be\n leveraged to run arbitrary code. This might occur as the\n result of a user of the Java Runtime Environment viewing\n a specially crafted web page that exploits this\n vulnerability. (CVE-2009-2493)\n\n - A vulnerability in the Java Runtime Environment audio\n system might allow an untrusted applet or Java Web Start\n application to access system properties. (CVE-2009-2670)\n\n - A vulnerability with verifying HMAC-based XML digital\n signatures in the XML Digital Signature implementation\n included with the Java Runtime Environment (JRE) might\n allow authentication to be bypassed. Applications that\n validate HMAC-based XML digital signatures might be\n vulnerable to this type of attack. (CVE-2009-0217)\n\nNote: This vulnerability cannot be exploited by an untrusted applet or\nJava Web Start application.\n\n - A vulnerability in the Java Runtime Environment with the\n SOCKS proxy implementation might allow an untrusted\n applet or Java Web Start application to determine the\n username of the user running the applet or application.\n (CVE-2009-2671 / CVE-2009-2672)\n\nA second vulnerability in the Java Runtime Environment with the proxy\nmechanism implementation might allow an untrusted applet or Java Web\nStart application to obtain browser cookies and leverage those cookies\nto hijack sessions.\n\n - A vulnerability in the Java Runtime Environment with the\n proxy mechanism implementation might allow an untrusted\n applet or Java Web Start application to make\n non-authorized socket or URL connections to hosts other\n than the origin host. (CVE-2009-2673)\n\n - An integer overflow vulnerability in the Java Runtime\n Environment with processing JPEG images might allow an\n untrusted Java Web Start application to escalate\n privileges. For example, an untrusted application might\n grant itself permissions to read and write local files\n or run local applications that are accessible to the\n user running the untrusted applet. (CVE-2009-2674)\n\n - An integer overflow vulnerability in the Java Runtime\n Environment with unpacking applets and Java Web Start\n applications using the unpack200 JAR unpacking utility\n might allow an untrusted applet or application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-2675)\n\n - A vulnerability in the Java Runtime Environment (JRE)\n with parsing XML data might allow a remote client to\n create a denial-of-service condition on the system that\n the JRE runs on. (CVE-2009-2625)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=548655\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-0217.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-2493.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-2625.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-2670.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-2671.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-2672.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-2673.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-2674.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-2675.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-2676.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 1497.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:java-1_6_0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:java-1_6_0-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:java-1_6_0-ibm-fonts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:java-1_6_0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:java-1_6_0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/11/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (pl) audit(AUDIT_OS_NOT, \"SuSE 11.0\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:0, reference:\"java-1_6_0-ibm-1.6.0_sr6-1.1.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:0, reference:\"java-1_6_0-ibm-fonts-1.6.0_sr6-1.1.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:0, reference:\"java-1_6_0-ibm-jdbc-1.6.0_sr6-1.1.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:0, cpu:\"i586\", reference:\"java-1_6_0-ibm-alsa-1.6.0_sr6-1.1.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:0, cpu:\"i586\", reference:\"java-1_6_0-ibm-plugin-1.6.0_sr6-1.1.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-19T02:11:03", "description": "IBM Java 5 was updated to Service Refresh 11. It fixes lots of bugs and security issues.\n\nThe timezone update to 1.6.9s (with the latest Fiji change).\n\n - A vulnerability in the Java Runtime Environment with decoding DER encoded data might allow a remote client to cause the JRE to crash, resulting in a denial of service condition. (CVE-2009-3876 / CVE-2009-3877)\n\n - A buffer overflow vulnerability in the Java Runtime Environment audio system might allow an untrusted applet or Java Web Start application to escalate privileges.\n For example, an untrusted applet might grant itself permissions to read and write local files, or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3867)\n\n - A buffer overflow vulnerability in the Java Runtime Environment with parsing image files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files, or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3868)\n\n - An integer overflow vulnerability in the Java Runtime Environment with reading JPEG files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files, or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3872)\n\n - A buffer overflow vulnerability in the Java Runtime Environment with processing JPEG files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files, or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3873)\n\n - A security vulnerability in the Java Runtime Environment with verifying HMAC digests might allow authentication to be bypassed. This action can allow a user to forge a digital signature that would be accepted as valid.\n Applications that validate HMAC-based digital signatures might be vulnerable to this type of attack.\n (CVE-2009-3875)\n\n - A buffer overflow vulnerability in the Java Runtime Environment with processing image files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3869)\n\n - A buffer overflow vulnerability in the Java Runtime Environment with processing image files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3871)\n\n - An integer overflow vulnerability in the Java Runtime Environment with processing JPEG images might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3874)\n\n - The Java Runtime Environment includes the Java Web Start technology that uses the Java Web Start ActiveX control to launch Java Web Start in Internet Explorer. A security vulnerability in the Active Template Library (ATL) in various releases of Microsoft Visual Studio, which is used by the Java Web Start ActiveX control, might allow the Java Web Start ActiveX control to be leveraged to run arbitrary code. This might occur as the result of a user of the Java Runtime Environment viewing a specially crafted web page that exploits this vulnerability. (CVE-2009-2493)\n\nPlease also see http://www.ibm.com/developerworks/java/jdk/alerts/", "cvss3": {"score": null, "vector": null}, "published": "2010-01-08T00:00:00", "type": "nessus", "title": "SuSE 10 Security Update : IBM Java 1.5.0 (ZYPP Patch Number 6740)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2493", "CVE-2009-3867", "CVE-2009-3868", "CVE-2009-3869", "CVE-2009-3871", "CVE-2009-3872", "CVE-2009-3873", "CVE-2009-3874", "CVE-2009-3875", "CVE-2009-3876", "CVE-2009-3877"], "modified": "2021-01-14T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_JAVA-1_5_0-IBM-6740.NASL", "href": "https://www.tenable.com/plugins/nessus/43822", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(43822);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-2493\", \"CVE-2009-3867\", \"CVE-2009-3868\", \"CVE-2009-3869\", \"CVE-2009-3871\", \"CVE-2009-3872\", \"CVE-2009-3873\", \"CVE-2009-3874\", \"CVE-2009-3875\", \"CVE-2009-3876\", \"CVE-2009-3877\");\n\n script_name(english:\"SuSE 10 Security Update : IBM Java 1.5.0 (ZYPP Patch Number 6740)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"IBM Java 5 was updated to Service Refresh 11. It fixes lots of bugs\nand security issues.\n\nThe timezone update to 1.6.9s (with the latest Fiji change).\n\n - A vulnerability in the Java Runtime Environment with\n decoding DER encoded data might allow a remote client to\n cause the JRE to crash, resulting in a denial of service\n condition. (CVE-2009-3876 / CVE-2009-3877)\n\n - A buffer overflow vulnerability in the Java Runtime\n Environment audio system might allow an untrusted applet\n or Java Web Start application to escalate privileges.\n For example, an untrusted applet might grant itself\n permissions to read and write local files, or run local\n applications that are accessible to the user running the\n untrusted applet. (CVE-2009-3867)\n\n - A buffer overflow vulnerability in the Java Runtime\n Environment with parsing image files might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files, or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3868)\n\n - An integer overflow vulnerability in the Java Runtime\n Environment with reading JPEG files might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files, or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3872)\n\n - A buffer overflow vulnerability in the Java Runtime\n Environment with processing JPEG files might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files, or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3873)\n\n - A security vulnerability in the Java Runtime Environment\n with verifying HMAC digests might allow authentication\n to be bypassed. This action can allow a user to forge a\n digital signature that would be accepted as valid.\n Applications that validate HMAC-based digital signatures\n might be vulnerable to this type of attack.\n (CVE-2009-3875)\n\n - A buffer overflow vulnerability in the Java Runtime\n Environment with processing image files might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3869)\n\n - A buffer overflow vulnerability in the Java Runtime\n Environment with processing image files might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3871)\n\n - An integer overflow vulnerability in the Java Runtime\n Environment with processing JPEG images might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3874)\n\n - The Java Runtime Environment includes the Java Web Start\n technology that uses the Java Web Start ActiveX control\n to launch Java Web Start in Internet Explorer. A\n security vulnerability in the Active Template Library\n (ATL) in various releases of Microsoft Visual Studio,\n which is used by the Java Web Start ActiveX control,\n might allow the Java Web Start ActiveX control to be\n leveraged to run arbitrary code. This might occur as the\n result of a user of the Java Runtime Environment viewing\n a specially crafted web page that exploits this\n vulnerability. (CVE-2009-2493)\n\nPlease also see http://www.ibm.com/developerworks/java/jdk/alerts/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-2493.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3867.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3868.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3869.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3871.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3872.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3873.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3874.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3875.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3876.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3877.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6740.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sun Java JRE AWT setDiffICM Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(119, 189, 264, 310, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/01/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"java-1_5_0-ibm-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"java-1_5_0-ibm-demo-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"java-1_5_0-ibm-devel-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"java-1_5_0-ibm-fonts-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"java-1_5_0-ibm-src-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, cpu:\"i586\", reference:\"java-1_5_0-ibm-alsa-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, cpu:\"i586\", reference:\"java-1_5_0-ibm-jdbc-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, cpu:\"i586\", reference:\"java-1_5_0-ibm-plugin-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, cpu:\"x86_64\", reference:\"java-1_5_0-ibm-32bit-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, cpu:\"x86_64\", reference:\"java-1_5_0-ibm-alsa-32bit-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, cpu:\"x86_64\", reference:\"java-1_5_0-ibm-devel-32bit-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, reference:\"java-1_5_0-ibm-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, reference:\"java-1_5_0-ibm-devel-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, reference:\"java-1_5_0-ibm-fonts-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, cpu:\"i586\", reference:\"java-1_5_0-ibm-alsa-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, cpu:\"i586\", reference:\"java-1_5_0-ibm-jdbc-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, cpu:\"i586\", reference:\"java-1_5_0-ibm-plugin-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, cpu:\"x86_64\", reference:\"java-1_5_0-ibm-32bit-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, cpu:\"x86_64\", reference:\"java-1_5_0-ibm-alsa-32bit-1.5.0_sr11-0.4.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, cpu:\"x86_64\", reference:\"java-1_5_0-ibm-devel-32bit-1.5.0_sr11-0.4.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-19T02:12:12", "description": "IBM Java 5 was updated to Service Refresh 11. It fixes lots of bugs and security issues. It also contains a timezone update for the current Fiji change (timezone 1.6.9s).\n\nThe update fixes the following security issues : \n\n - A vulnerability in the Java Runtime Environment with decoding DER encoded data might allow a remote client to cause the JRE to crash, resulting in a denial of service condition. (CVE-2009-3876, CVE-2009-3877)\n\n - A buffer overflow vulnerability in the Java Runtime Environment audio system might allow an untrusted applet or Java Web Start application to escalate privileges.\n For example, an untrusted applet might grant itself permissions to read and write local files, or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3867)\n\n - A buffer overflow vulnerability in the Java Runtime Environment with parsing image files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files, or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3868)\n\n - An integer overflow vulnerability in the Java Runtime Environment with reading JPEG files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files, or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3872)\n\n - A buffer overflow vulnerability in the Java Runtime Environment with processing JPEG files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files, or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3873)\n\n - A security vulnerability in the Java Runtime Environment with verifying HMAC digests might allow authentication to be bypassed. This action can allow a user to forge a digital signature that would be accepted as valid.\n Applications that validate HMAC-based digital signatures might be vulnerable to this type of attack.\n (CVE-2009-3875)\n\n - A buffer overflow vulnerability in the Java Runtime Environment with processing image files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3869)\n\n - A buffer overflow vulnerability in the Java Runtime Environment with processing image files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3871)\n\n - An integer overflow vulnerability in the Java Runtime Environment with processing JPEG images might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3874)\n\n - The Java Runtime Environment includes the Java Web Start technology that uses the Java Web Start ActiveX control to launch Java Web Start in Internet Explorer. A security vulnerability in the Active Template Library (ATL) in various releases of Microsoft Visual Studio, which is used by the Java Web Start ActiveX control, might allow the Java Web Start ActiveX control to be leveraged to run arbitrary code. This might occur as the result of a user of the Java Runtime Environment viewing a specially crafted web page that exploits this vulnerability. (CVE-2009-2493)\n\nPlease also refer to http://www.ibm.com/developerworks/java/jdk/alerts for more information about this update.", "cvss3": {"score": null, "vector": null}, "published": "2009-12-27T00:00:00", "type": "nessus", "title": "SuSE9 Security Update : IBM Java 1.5.0 (YOU Patch Number 12564)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2493", "CVE-2009-3867", "CVE-2009-3868", "CVE-2009-3869", "CVE-2009-3871", "CVE-2009-3872", "CVE-2009-3873", "CVE-2009-3874", "CVE-2009-3875", "CVE-2009-3876", "CVE-2009-3877"], "modified": "2021-01-14T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE9_12564.NASL", "href": "https://www.tenable.com/plugins/nessus/43599", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(43599);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-2493\", \"CVE-2009-3867\", \"CVE-2009-3868\", \"CVE-2009-3869\", \"CVE-2009-3871\", \"CVE-2009-3872\", \"CVE-2009-3873\", \"CVE-2009-3874\", \"CVE-2009-3875\", \"CVE-2009-3876\", \"CVE-2009-3877\");\n\n script_name(english:\"SuSE9 Security Update : IBM Java 1.5.0 (YOU Patch Number 12564)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 9 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"IBM Java 5 was updated to Service Refresh 11. It fixes lots of bugs\nand security issues. It also contains a timezone update for the\ncurrent Fiji change (timezone 1.6.9s).\n\nThe update fixes the following security issues : \n\n - A vulnerability in the Java Runtime Environment with\n decoding DER encoded data might allow a remote client to\n cause the JRE to crash, resulting in a denial of service\n condition. (CVE-2009-3876, CVE-2009-3877)\n\n - A buffer overflow vulnerability in the Java Runtime\n Environment audio system might allow an untrusted applet\n or Java Web Start application to escalate privileges.\n For example, an untrusted applet might grant itself\n permissions to read and write local files, or run local\n applications that are accessible to the user running the\n untrusted applet. (CVE-2009-3867)\n\n - A buffer overflow vulnerability in the Java Runtime\n Environment with parsing image files might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files, or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3868)\n\n - An integer overflow vulnerability in the Java Runtime\n Environment with reading JPEG files might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files, or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3872)\n\n - A buffer overflow vulnerability in the Java Runtime\n Environment with processing JPEG files might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files, or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3873)\n\n - A security vulnerability in the Java Runtime Environment\n with verifying HMAC digests might allow authentication\n to be bypassed. This action can allow a user to forge a\n digital signature that would be accepted as valid.\n Applications that validate HMAC-based digital signatures\n might be vulnerable to this type of attack.\n (CVE-2009-3875)\n\n - A buffer overflow vulnerability in the Java Runtime\n Environment with processing image files might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3869)\n\n - A buffer overflow vulnerability in the Java Runtime\n Environment with processing image files might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3871)\n\n - An integer overflow vulnerability in the Java Runtime\n Environment with processing JPEG images might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3874)\n\n - The Java Runtime Environment includes the Java Web Start\n technology that uses the Java Web Start ActiveX control\n to launch Java Web Start in Internet Explorer. A\n security vulnerability in the Active Template Library\n (ATL) in various releases of Microsoft Visual Studio,\n which is used by the Java Web Start ActiveX control,\n might allow the Java Web Start ActiveX control to be\n leveraged to run arbitrary code. This might occur as the\n result of a user of the Java Runtime Environment viewing\n a specially crafted web page that exploits this\n vulnerability. (CVE-2009-2493)\n\nPlease also refer to http://www.ibm.com/developerworks/java/jdk/alerts\nfor more information about this update.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-2493.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3867.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3868.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3869.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3871.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3872.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3873.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3874.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3875.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3876.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3877.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply YOU patch number 12564.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sun Java JRE AWT setDiffICM Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(119, 189, 264, 310, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/12/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 9 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SUSE9\", reference:\"IBMJava5-JRE-1.5.0-0.76\")) flag++;\nif (rpm_check(release:\"SUSE9\", reference:\"IBMJava5-SDK-1.5.0-0.76\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-19T02:00:03", "description": "IBM Java 5 was updated to Service Refresh 11. It fixes lots of bugs and security issues.\n\nThe timezone update to 1.6.9s (with the latest Fiji change).\n\n - A vulnerability in the Java Runtime Environment with decoding DER encoded data might allow a remote client to cause the JRE to crash, resulting in a denial of service condition. (CVE-2009-3876 / CVE-2009-3877)\n\n - A buffer overflow vulnerability in the Java Runtime Environment audio system might allow an untrusted applet or Java Web Start application to escalate privileges.\n For example, an untrusted applet might grant itself permissions to read and write local files, or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3867)\n\n - A buffer overflow vulnerability in the Java Runtime Environment with parsing image files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files, or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3868)\n\n - An integer overflow vulnerability in the Java Runtime Environment with reading JPEG files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files, or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3872)\n\n - A buffer overflow vulnerability in the Java Runtime Environment with processing JPEG files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files, or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3873)\n\n - A security vulnerability in the Java Runtime Environment with verifying HMAC digests might allow authentication to be bypassed. This action can allow a user to forge a digital signature that would be accepted as valid.\n Applications that validate HMAC-based digital signatures might be vulnerable to this type of attack.\n (CVE-2009-3875)\n\n - A buffer overflow vulnerability in the Java Runtime Environment with processing image files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3869)\n\n - A buffer overflow vulnerability in the Java Runtime Environment with processing image files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3871)\n\n - An integer overflow vulnerability in the Java Runtime Environment with processing JPEG images might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. (CVE-2009-3874)\n\n - The Java Runtime Environment includes the Java Web Start technology that uses the Java Web Start ActiveX control to launch Java Web Start in Internet Explorer. A security vulnerability in the Active Template Library (ATL) in various releases of Microsoft Visual Studio, which is used by the Java Web Start ActiveX control, might allow the Java Web Start ActiveX control to be leveraged to run arbitrary code. This might occur as the result of a user of the Java Runtime Environment viewing a specially crafted web page that exploits this vulnerability. (CVE-2009-2493)\n\nPlease also see http://www.ibm.com/developerworks/java/jdk/alerts/", "cvss3": {"score": null, "vector": null}, "published": "2010-10-11T00:00:00", "type": "nessus", "title": "SuSE 10 Security Update : IBM Java 1.5.0 (ZYPP Patch Number 6741)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2493", "CVE-2009-3867", "CVE-2009-3868", "CVE-2009-3869", "CVE-2009-3871", "CVE-2009-3872", "CVE-2009-3873", "CVE-2009-3874", "CVE-2009-3875", "CVE-2009-3876", "CVE-2009-3877"], "modified": "2021-01-14T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_JAVA-1_5_0-IBM-6741.NASL", "href": "https://www.tenable.com/plugins/nessus/49863", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(49863);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-2493\", \"CVE-2009-3867\", \"CVE-2009-3868\", \"CVE-2009-3869\", \"CVE-2009-3871\", \"CVE-2009-3872\", \"CVE-2009-3873\", \"CVE-2009-3874\", \"CVE-2009-3875\", \"CVE-2009-3876\", \"CVE-2009-3877\");\n\n script_name(english:\"SuSE 10 Security Update : IBM Java 1.5.0 (ZYPP Patch Number 6741)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"IBM Java 5 was updated to Service Refresh 11. It fixes lots of bugs\nand security issues.\n\nThe timezone update to 1.6.9s (with the latest Fiji change).\n\n - A vulnerability in the Java Runtime Environment with\n decoding DER encoded data might allow a remote client to\n cause the JRE to crash, resulting in a denial of service\n condition. (CVE-2009-3876 / CVE-2009-3877)\n\n - A buffer overflow vulnerability in the Java Runtime\n Environment audio system might allow an untrusted applet\n or Java Web Start application to escalate privileges.\n For example, an untrusted applet might grant itself\n permissions to read and write local files, or run local\n applications that are accessible to the user running the\n untrusted applet. (CVE-2009-3867)\n\n - A buffer overflow vulnerability in the Java Runtime\n Environment with parsing image files might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files, or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3868)\n\n - An integer overflow vulnerability in the Java Runtime\n Environment with reading JPEG files might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files, or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3872)\n\n - A buffer overflow vulnerability in the Java Runtime\n Environment with processing JPEG files might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files, or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3873)\n\n - A security vulnerability in the Java Runtime Environment\n with verifying HMAC digests might allow authentication\n to be bypassed. This action can allow a user to forge a\n digital signature that would be accepted as valid.\n Applications that validate HMAC-based digital signatures\n might be vulnerable to this type of attack.\n (CVE-2009-3875)\n\n - A buffer overflow vulnerability in the Java Runtime\n Environment with processing image files might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3869)\n\n - A buffer overflow vulnerability in the Java Runtime\n Environment with processing image files might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3871)\n\n - An integer overflow vulnerability in the Java Runtime\n Environment with processing JPEG images might allow an\n untrusted applet or Java Web Start application to\n escalate privileges. For example, an untrusted applet\n might grant itself permissions to read and write local\n files or run local applications that are accessible to\n the user running the untrusted applet. (CVE-2009-3874)\n\n - The Java Runtime Environment includes the Java Web Start\n technology that uses the Java Web Start ActiveX control\n to launch Java Web Start in Internet Explorer. A\n security vulnerability in the Active Template Library\n (ATL) in various releases of Microsoft Visual Studio,\n which is used by the Java Web Start ActiveX control,\n might allow the Java Web Start ActiveX control to be\n leveraged to run arbitrary code. This might occur as the\n result of a user of the Java Runtime Environment viewing\n a specially crafted web page that exploits this\n vulnerability. (CVE-2009-2493)\n\nPlease also see http://www.ibm.com/developerworks/java/jdk/alerts/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-2493.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3867.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3868.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3869.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3871.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3872.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3873.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3874.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3875.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3876.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3877.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6741.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sun Java JRE AWT setDiffICM Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(119, 189, 264, 310, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/10/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"java-1_5_0-ibm-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"java-1_5_0-ibm-demo-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"java-1_5_0-ibm-devel-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"java-1_5_0-ibm-fonts-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"java-1_5_0-ibm-src-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, cpu:\"i586\", reference:\"java-1_5_0-ibm-jdbc-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, cpu:\"i586\", reference:\"java-1_5_0-ibm-plugin-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, cpu:\"x86_64\", reference:\"java-1_5_0-ibm-32bit-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, cpu:\"x86_64\", reference:\"java-1_5_0-ibm-alsa-32bit-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, cpu:\"x86_64\", reference:\"java-1_5_0-ibm-devel-32bit-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"java-1_5_0-ibm-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"java-1_5_0-ibm-devel-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"java-1_5_0-ibm-fonts-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, cpu:\"i586\", reference:\"java-1_5_0-ibm-jdbc-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, cpu:\"i586\", reference:\"java-1_5_0-ibm-plugin-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, cpu:\"x86_64\", reference:\"java-1_5_0-ibm-32bit-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, cpu:\"x86_64\", reference:\"java-1_5_0-ibm-alsa-32bit-1.5.0_sr11-0.4.2\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, cpu:\"x86_64\", reference:\"java-1_5_0-ibm-devel-32bit-1.5.0_sr11-0.4.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-16T15:50:08", "description": "According to the version number obtained by NTLM the remote host has Windows Server 2008 installed. The host may be vulnerable to a number of vulnerabilities including remote unauthenticated code execution.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-04-03T00:00:00", "type": "nessus", "title": "Windows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2008-0015", "CVE-2008-0020", "CVE-2008-4038", "CVE-2008-4114", "CVE-2008-4250", "CVE-2008-4609", "CVE-2008-4835", "CVE-2009-0086", "CVE-2009-0089", "CVE-2009-0550", "CVE-2009-0901", "CVE-2009-1925", "CVE-2009-1926", "CVE-2009-1930", "CVE-2009-2493", "CVE-2009-2494", "CVE-2009-2505", "CVE-2009-3676", "CVE-2009-3677", "CVE-2009-3678", "CVE-2010-0020", "CVE-2010-0021", "CVE-2010-0022", "CVE-2010-0231", "CVE-2010-0239", "CVE-2010-0240", "CVE-2010-0241", "CVE-2010-0242", "CVE-2010-0269", "CVE-2010-0270", "CVE-2010-0476", "CVE-2010-0477", "CVE-2010-1263", "CVE-2010-2550", "CVE-2010-2551", "CVE-2010-2552"], "modified": "2020-08-05T00:00:00", "cpe": [], "id": "WIN_SERVER_2008_NTLM_PCI.NASL", "href": "https://www.tenable.com/plugins/nessus/108811", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108811);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/05\");\n\n script_cve_id(\n \"CVE-2008-0015\",\n \"CVE-2008-0020\",\n \"CVE-2008-4038\",\n \"CVE-2008-4114\",\n \"CVE-2008-4250\",\n \"CVE-2008-4609\",\n \"CVE-2008-4835\",\n \"CVE-2009-0086\",\n \"CVE-2009-0089\",\n \"CVE-2009-0550\",\n \"CVE-2009-0901\",\n \"CVE-2009-1925\",\n \"CVE-2009-1926\",\n \"CVE-2009-1930\",\n \"CVE-2009-2493\",\n \"CVE-2009-2494\",\n \"CVE-2009-2505\",\n \"CVE-2009-3676\",\n \"CVE-2009-3677\",\n \"CVE-2009-3678\",\n \"CVE-2010-0020\",\n \"CVE-2010-0021\",\n \"CVE-2010-0022\",\n \"CVE-2010-0231\",\n \"CVE-2010-0239\",\n \"CVE-2010-0240\",\n \"CVE-2010-0241\",\n \"CVE-2010-0242\",\n \"CVE-2010-0269\",\n \"CVE-2010-0270\",\n \"CVE-2010-0476\",\n \"CVE-2010-0477\",\n \"CVE-2010-1263\",\n \"CVE-2010-2550\",\n \"CVE-2010-2551\",\n \"CVE-2010-2552\"\n );\n script_bugtraq_id(\n 31179,\n 31545,\n 31647,\n 31874,\n 33121,\n 33122,\n 34435,\n 34437,\n 34439,\n 35558,\n 35585,\n 35828,\n 35832,\n 35982,\n 35993,\n 36265,\n 36269,\n 36989,\n 37197,\n 37198,\n 38049,\n 38051,\n 38054,\n 38061,\n 38062,\n 38063,\n 38064,\n 38085,\n 39312,\n 39336,\n 39339,\n 39340,\n 40237,\n 40574,\n 42224,\n 42263,\n 42267\n );\n script_xref(name:\"CERT\", value:\"827267\");\n script_xref(name:\"IAVA\", value:\"2008-A-0081-S\");\n script_xref(name:\"IAVA\", value:\"2009-A-0077-S\");\n script_xref(name:\"IAVA\", value:\"2009-A-0126-S\");\n script_xref(name:\"IAVA\", value:\"2010-A-0030-S\");\n script_xref(name:\"IAVB\", value:\"2009-B-0037-S\");\n script_xref(name:\"CERT\", value:\"180513\");\n script_xref(name:\"CERT\", value:\"456745\");\n script_xref(name:\"EDB-ID\", value:\"6463\");\n script_xref(name:\"EDB-ID\", value:\"6824\");\n script_xref(name:\"EDB-ID\", value:\"7104\");\n script_xref(name:\"EDB-ID\", value:\"7132\");\n script_xref(name:\"EDB-ID\", value:\"9108\");\n script_xref(name:\"EDB-ID\", value:\"16615\");\n script_xref(name:\"EDB-ID\", value:\"14607\");\n script_xref(name:\"MSFT\", value:\"MS08-063\");\n script_xref(name:\"MSFT\", value:\"MS08-067\");\n script_xref(name:\"MSFT\", value:\"MS09-001\");\n script_xref(name:\"MSFT\", value:\"MS09-013\");\n script_xref(name:\"MSFT\", value:\"MS09-037\");\n script_xref(name:\"MSFT\", value:\"MS09-042\");\n script_xref(name:\"MSFT\", value:\"MS09-048\");\n script_xref(name:\"MSFT\", value:\"MS09-071\");\n script_xref(name:\"MSFT\", value:\"MS10-009\");\n script_xref(name:\"MSFT\", value:\"MS10-012\");\n script_xref(name:\"MSFT\", value:\"MS10-020\");\n script_xref(name:\"MSFT\", value:\"MS10-043\");\n script_xref(name:\"MSFT\", value:\"MS10-054\");\n script_xref(name:\"MSFT\", value:\"MS10-083\");\n script_xref(name:\"MSKB\", value:\"957095\");\n script_xref(name:\"MSKB\", value:\"958644\");\n script_xref(name:\"MSKB\", value:\"958687\");\n script_xref(name:\"MSKB\", value:\"960803\");\n script_xref(name:\"MSKB\", value:\"967723\");\n script_xref(name:\"MSKB\", value:\"960859\");\n script_xref(name:\"MSKB\", value:\"973354\");\n script_xref(name:\"MSKB\", value:\"973507\");\n script_xref(name:\"MSKB\", value:\"973540\");\n script_xref(name:\"MSKB\", value:\"973815\");\n script_xref(name:\"MSKB\", value:\"973869\");\n script_xref(name:\"MSKB\", value:\"974318\");\n script_xref(name:\"MSKB\", value:\"971468\");\n script_xref(name:\"MSKB\", value:\"974145\");\n script_xref(name:\"MSKB\", value:\"980232\");\n script_xref(name:\"MSKB\", value:\"979687\");\n script_xref(name:\"MSKB\", value:\"982214\");\n script_xref(name:\"MSKB\", value:\"2032276\");\n\n script_name(english:\"Windows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS)\");\n script_summary(english:\"Checks the OS version number\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host may allow remote code execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version number obtained by NTLM the\nremote host has Windows Server 2008 installed. The host\nmay be vulnerable to a number of vulnerabilities including\nremote unauthenticated code execution.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Ensure the appropriate patches have been applied.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:ND/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:X/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2008-4038\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 20, 94, 119, 189, 255, 264, 287, 310, 362, 399);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smtp_ntlm_info.nasl\");\n script_require_keys(\"Settings/ParanoidReport\", \"Settings/PCI_DSS\");\n script_require_ports(\"Services/smtp\", 25);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smtp_func.inc\");\ninclude(\"audit.inc\");\n\nif (!get_kb_item(\"Settings/PCI_DSS\"))\n{\n audit(AUDIT_PCI);\n}\n\nif (report_paranoia < 2)\n{\n audit(AUDIT_PARANOID);\n}\n\nport = get_kb_item_or_exit(\"Services/smtp\");\nos_version = get_kb_item_or_exit(\"smtp/\"+port+\"/ntlm/host/os_version\");\nif (os_version != \"6.0.6001\")\n{\n audit(AUDIT_OS_SP_NOT_VULN);\n}\n\nsecurity_report_v4(severity:SECURITY_HOLE, port:port);\nexit(0);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-01-08T14:05:36", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS09-060.", "cvss3": {}, "published": "2009-10-14T00:00:00", "type": "openvas", "title": "MS ATL ActiveX Controls for MS Office Could Allow Remote Code Execution (973965)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2495", "CVE-2009-2493", "CVE-2009-0901"], "modified": "2020-01-07T00:00:00", "id": "OPENVAS:1361412562310901040", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310901040", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# MS ATL ActiveX Controls for MS Office Could Allow Remote Code Execution (973965)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.901040\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-10-14 16:47:08 +0200 (Wed, 14 Oct 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-0901\", \"CVE-2009-2493\", \"CVE-2009-2495\");\n script_bugtraq_id(35828, 35830, 35832);\n script_name(\"MS ATL ActiveX Controls for MS Office Could Allow Remote Code Execution (973965)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Prdts/Installed\");\n\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2009/2895\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-060\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to execute arbitrary\n code with SYSTEM privileges, and can cause Denial of Service.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Office Outlook 2002/2003/2007\n\n - Microsoft Office Visio Viewer 2007\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to\n\n - Error in the Microsoft Active Template Library (ATL) within the ATL headers\n that handle instantiation of an object from data streams.\n\n - Error in the ATL headers, which could allow a string to be read with no ending\n NULL bytes, which could allow an attacker to manipulate a string to read extra\n data beyond the end of the string and thus disclose information in memory.\n\n - Error in the Microsoft Active Template Library (ATL) headers, which could allow\n attackers to call 'VariantClear()' on a variant that has not been correctly\n initialized, leading to arbitrary code execution.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS09-060.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nvisVer = get_kb_item(\"SMB/Office/Outlook/Version\");\nif(visVer =~ \"^1[0-2]\\.\")\n{\n if(version_in_range(version:visVer, test_version:\"10.0\", test_version2:\"10.0.6855\") ||\n version_in_range(version:visVer, test_version:\"11.0\", test_version2:\"11.0.8311\") ||\n version_in_range(version:visVer, test_version:\"12.0\", test_version2:\"12.0.6514.4999\"))\n {\n report = report_fixed_ver(installed_version:visVer, vulnerable_range:\"10.0-10.0.6855, 11.0 - 11.0.8311, 12.0 - 12.0.6514.4999\");\n security_message(port:0, data:report);\n exit(0);\n }\n}\n\nvisioVer = get_kb_item(\"SMB/Office/VisioViewer/Ver\");\nif(visioVer =~ \"^12\\.\")\n{\n if(version_in_range(version:visioVer, test_version:\"12.0\", test_version2:\"12.0.6513.4999\")){\n report = report_fixed_ver(installed_version:visioVer, vulnerable_range:\"12.0 - 12.0.6513.4999\");\n security_message(port:0, data:report);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T14:05:35", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS09-035.", "cvss3": {}, "published": "2009-08-03T00:00:00", "type": "openvas", "title": "Microsoft Visual Studio ATL Remote Code Execution Vulnerability (969706)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2495", "CVE-2009-2493", "CVE-2009-0901"], "modified": "2020-01-07T00:00:00", "id": "OPENVAS:1361412562310900809", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900809", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Visual Studio ATL Remote Code Execution Vulnerability (969706)\n#\n# Authors:\n# Sharath S <sharaths@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900809\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-08-03 06:30:10 +0200 (Mon, 03 Aug 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-0901\", \"CVE-2009-2493\", \"CVE-2009-2495\");\n script_bugtraq_id(35832, 35828, 35830);\n script_name(\"Microsoft Visual Studio ATL Remote Code Execution Vulnerability (969706)\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/default.aspx/kb/969706\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_ms_visual_prdts_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"Microsoft/VisualStudio_or_VisualStudio.Net/Installed\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will let the attacker execute arbitrary code which may\n result in memory corruption on the affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Visual Studio 2005 SP 1 and prior\n\n - Microsoft Visual Studio 2008 SP 1 and prior\n\n - Microsoft Visual Studio .NET 2003 SP 1 and prior\");\n\n script_tag(name:\"insight\", value:\"- An error in the ATL headers when handling persisted streams can be exploited\n to cause VariantClear function to be called on a VARIANT that has not been\n correctly initialised via a specially crafted web page.\n\n - An error in the ATL headers when handling object instantiation from data\n streams may allow bypassing of security policies such as kill-bits in\n Internet Explorer if a control or component uses OleLoadFromStream function in an unsafe manner.\n\n - An error in ATL may result in a string being read without terminating NULL\n bytes, which can be exploited to disclose memory contents beyond the end of the string.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS09-035.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n# MS09-035 Hotfix check\nif((hotfix_missing(name:\"971089\") == 0)||(hotfix_missing(name:\"971090\") == 0)||\n (hotfix_missing(name:\"971091\") == 0)||(hotfix_missing(name:\"971092\") == 0)){\n exit(0);\n}\n\nvisStudVer = get_kb_item(\"Microsoft/VisualStudio/Ver\");\n\nif(visStudVer && visStudVer =~ \"^[89]\\.\")\n{\n studioPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\VisualStudio\\8.0\", item:\"InstallDir\");\n if(studioPath)\n atlPath = studioPath - \"\\Common7\\IDE\" + \"VC\\redist\\x86\\Microsoft.VC80.ATL\\atl80.dll\";\n else\n {\n studioPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\VisualStudio\\9.0\", item:\"InstallDir\");\n if(studioPath){\n atlPath = studioPath - \"\\Common7\\IDE\" + \"VC\\redist\\x86\\Microsoft.VC90.ATL\\atl90.dll\";\n }\n }\n\n if(atlPath)\n {\n share = ereg_replace(pattern:\"([A-Za-z]):.*\", replace:\"\\1$\", string:atlPath);\n file = ereg_replace(pattern:\"[A-Za-z]:(.*)\", replace:\"\\1\", string:atlPath);\n atlVer = GetVer(file:file, share:share);\n\n if(atlVer && atlVer =~ \"^[89]\\.\")\n {\n # VC++ 2008 version 9.0.20000.0 < 9.0.21022.218 and\n # VC++ 2008 SP1 version 9.0.30000.0 < 9.0.30729.4148\n if(version_in_range(version:atlVer, test_version:\"8.0\", test_version2:\"8.0.50727.4052\") ||\n version_in_range(version:atlVer, test_version:\"9.0.20000.0\", test_version2:\"9.0.21022.217\") ||\n version_in_range(version:atlVer, test_version:\"9.0.30000.0\", test_version2:\"9.0.30729.4147\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n\nvisStudNetVer = get_kb_item(\"Microsoft/VisualStudio.Net/Ver\");\n\nif(visStudNetVer && visStudNetVer =~ \"^7\\.\")\n{\n vsnfile1 = registry_get_sz(key:\"SOFTWARE\\Microsoft\\COM3\\Setup\", item:\"Install Path\");\n if(!vsnfile1){\n exit(0);\n }\n\n share = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:vsnfile1);\n vsnfile2 = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\", string:vsnfile1 + \"\\atl71.dll\");\n vsnetVer = GetVer(file:vsnfile2, share:share);\n\n if(vsnetVer && vsnetVer =~ \"^7\\.\")\n {\n if(version_in_range(version:vsnetVer, test_version:\"7.0\", test_version2:\"7.10.6100.0\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-20T08:56:00", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS09-060.", "cvss3": {}, "published": "2009-10-14T00:00:00", "type": "openvas", "title": "MS ATL ActiveX Controls for MS Office Could Allow Remote Code Execution (973965)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2495", "CVE-2009-2493", "CVE-2009-0901"], "modified": "2017-07-05T00:00:00", "id": "OPENVAS:901040", "href": "http://plugins.openvas.org/nasl.php?oid=901040", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms09-060.nasl 6533 2017-07-05 08:41:34Z santu $\n#\n# MS ATL ActiveX Controls for MS Office Could Allow Remote Code Execution (973965)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Updated By: Antu Sanadi <santu@secpod.com> on 2010-03-23\n# Removed the 'hotfix_missing()' function\n#\n# Updated By: Rachana Shetty <srachana@secpod.com> on 2012-05-28\n# Added get_kb_item for application confirmation of Visio Viewer\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow remote attackers to execute arbitrary\n code with SYSTEM privileges, and can cause Denial of Service.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft Office Outlook 2002/2003/2007\n Microsoft Office Visio Viewer 2007\";\ntag_insight = \"Multiple flaws are due to\n - Error in the Microsoft Active Template Library (ATL) within the ATL headers\n that handle instantiation of an object from data streams.\n - Error in the ATL headers, which could allow a string to be read with no ending\n NULL bytes, which could allow an attacker to manipulate a string to read extra\n data beyond the end of the string and thus disclose information in memory.\n - Error in the Microsoft Active Template Library (ATL) headers, which could allow\n attackers to call 'VariantClear()' on a variant that has not been correctly\n initialized, leading to arbitrary code execution.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/ms09-060\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS09-060.\";\n\nif(description)\n{\n script_id(901040);\n script_version(\"$Revision: 6533 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-05 10:41:34 +0200 (Wed, 05 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-14 16:47:08 +0200 (Wed, 14 Oct 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-0901\", \"CVE-2009-2493\",\"CVE-2009-2495\");\n script_bugtraq_id(35828, 35830, 35832);\n script_name(\"MS ATL ActiveX Controls for MS Office Could Allow Remote Code Execution (973965)\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2009/2895\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms09-060\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Prdts/Installed\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nvisVer = get_kb_item(\"SMB/Office/Outlook/Version\");\nif(visVer)\n{\n #Check for Office OutLook < 10.0.6856.0 ,11.0.8312.0, 12.0.6514.5000\n if(version_in_range(version:visVer, test_version:\"10.0\", test_version2:\"10.0.6855\") ||\n version_in_range(version:visVer, test_version:\"11.0\", test_version2:\"11.0.8311\") ||\n version_in_range(version:visVer, test_version:\"12.0\", test_version2:\"12.0.6514.4999\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\nvisioVer = get_kb_item(\"SMB/Office/VisioViewer/Ver\");\nif(visioVer)\n{\n #Check for Microsoft Office Visio Viewer < 12.0.6513.5000\n if(version_in_range(version:visioVer, test_version:\"12.0\", test_version2:\"12.0.6513.4999\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-19T10:55:12", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS09-035.", "cvss3": {}, "published": "2009-08-03T00:00:00", "type": "openvas", "title": "Microsoft Visual Studio ATL Remote Code Execution Vulnerability (969706)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2495", "CVE-2009-2493", "CVE-2009-0901"], "modified": "2017-07-04T00:00:00", "id": "OPENVAS:900809", "href": "http://plugins.openvas.org/nasl.php?oid=900809", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms09-035.nasl 6517 2017-07-04 13:34:20Z cfischer $\n#\n# Microsoft Visual Studio ATL Remote Code Execution Vulnerability (969706)\n#\n# Authors:\n# Sharath S <sharaths@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will let the attacker execute arbitrary code which may\n result in memory corruption on the affected system.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft Visual Studio 2005 SP 1 and prior\n Microsoft Visual Studio 2008 SP 1 and prior\n Microsoft Visual Studio .NET 2003 SP 1 and prior\";\ntag_insight = \"- An error in the ATL headers when handling persisted streams can be exploited\n to cause VariantClear function to be called on a VARIANT that has not been\n correctly initialised via a specially crafted web page.\n - An error in the ATL headers when handling object instantiation from data\n streams may allow bypassing of security policies such as kill-bits in\n Internet Explorer if a control or component uses OleLoadFromStream function\n in an unsafe manner.\n - An error in ATL may result in a string being read without terminating NULL\n bytes, which can be exploited to disclose memory contents beyond the end of\n the string.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link.\n http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS09-035.\";\n\nif(description)\n{\n script_id(900809);\n script_version(\"$Revision: 6517 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-04 15:34:20 +0200 (Tue, 04 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-08-03 06:30:10 +0200 (Mon, 03 Aug 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-0901\", \"CVE-2009-2493\", \"CVE-2009-2495\");\n script_bugtraq_id(35832, 35828, 35830);\n script_name(\"Microsoft Visual Studio ATL Remote Code Execution Vulnerability (969706)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/35967/\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/default.aspx/kb/969706\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_ms_visual_prdts_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"Microsoft/VisualStudio_or_VisualStudio.Net/Installed\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n# MS09-035 Hotfix check\nif((hotfix_missing(name:\"971089\") == 0)||(hotfix_missing(name:\"971090\") == 0)||\n (hotfix_missing(name:\"971091\") == 0)||(hotfix_missing(name:\"971092\") == 0)){\n exit(0);\n}\n\n# Check for Visual Studio 2005 SP1/2008/2008 SP1\nif(egrep(pattern:\"^(8|9)\\..*\", string:get_kb_item(\"Microsoft/VisualStudio/Ver\")))\n{\n studioPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\VisualStudio\\8.0\",\n item:\"InstallDir\");\n if(studioPath)\n atlPath = studioPath - \"\\Common7\\IDE\" + \"VC\\redist\\x86\\Microsoft.VC80.ATL\" +\n \"\\atl80.dll\";\n else\n {\n studioPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\VisualStudio\\9.0\",\n item:\"InstallDir\");\n if(studioPath){\n atlPath = studioPath - \"\\Common7\\IDE\" + \"VC\\redist\\x86\\Microsoft.VC90.ATL\"+\n \"\\atl90.dll\";\n }\n }\n\n if(atlPath != NULL)\n {\n share = ereg_replace(pattern:\"([A-Za-z]):.*\", replace:\"\\1$\", string:atlPath);\n file = ereg_replace(pattern:\"[A-Za-z]:(.*)\", replace:\"\\1\", string:atlPath);\n atlVer = GetVer(file:file, share:share);\n\n if(atlVer != NULL)\n {\n # Grep for VC++ 2005 version 8.0 < 8.0.50727.4053,\n # VC++ 2008 version 9.0.20000.0 < 9.0.21022.218 and\n # VC++ 2008 SP1 version 9.0.30000.0 < 9.0.30729.4148\n if(version_in_range(version:atlVer, test_version:\"8.0\",\n test_version2:\"8.0.50727.4052\") ||\n version_in_range(version:atlVer, test_version:\"9.0.20000.0\",\n test_version2:\"9.0.21022.217\") ||\n version_in_range(version:atlVer, test_version:\"9.0.30000.0\",\n test_version2:\"9.0.30729.4147\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n\n# Check for Visual Studio .Net 2003\nif(egrep(pattern:\"^(7)\\..*\", string:get_kb_item(\"Microsoft/VisualStudio.Net/Ver\")))\n{\n vsnfile1 = registry_get_sz(key:\"SOFTWARE\\Microsoft\\COM3\\Setup\", item:\"Install Path\");\n if(!vsnfile1){\n exit(0);\n }\n\n share = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:vsnfile1);\n vsnfile2 = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\",\n string:vsnfile1 + \"\\atl71.dll\");\n vsnetVer = GetVer(file:vsnfile2, share:share);\n\n if(vsnetVer)\n {\n # Grep for atl71.dll Version 7.0 < 7.10.6101.0\n if(version_in_range(version:vsnetVer, test_version:\"7.0\",\n test_version2:\"7.10.6100.0\")){\n security_message(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-10T20:03:17", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS09-037.", "cvss3": {}, "published": "2009-08-14T00:00:00", "type": "openvas", "title": "Vulnerabilities in Microsoft ATL Could Allow Remote Code Execution (973908)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2494", "CVE-2009-2493", "CVE-2008-0015", "CVE-2008-0020", "CVE-2009-0901"], "modified": "2020-06-09T00:00:00", "id": "OPENVAS:1361412562310101100", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310101100", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Vulnerabilities in Microsoft ATL Could Allow Remote Code Execution (973908)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Updated By: Madhuri D <dmadhuri@secpod.com> on 2010-11-30\n# - To detect required file versions on vista and win 2008\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.101100\");\n script_version(\"2020-06-09T10:15:40+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 10:15:40 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-08-14 07:53:52 +0200 (Fri, 14 Aug 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2008-0015\", \"CVE-2008-0020\", \"CVE-2009-0901\",\n \"CVE-2009-2493\", \"CVE-2009-2494\");\n script_bugtraq_id(35558, 35585, 35832, 35828, 35982);\n script_name(\"Vulnerabilities in Microsoft ATL Could Allow Remote Code Execution (973908)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/36187\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/973908\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2009/2232\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-037\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attacker execute arbitrary code on\n the vulnerable system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Media Player 9/10/11\n\n - Microsoft Outlook Express 6 Service Pack 1\n\n - Microsoft Outlook Express 5.5 Service Pack 2\n\n - Microsoft Windows 2K Service Pack 4 and prior\n\n - Microsoft Windows XP Service Pack 3 and prior\n\n - Microsoft Windows 2003 Service Pack 2 and prior\n\n - Microsoft Windows Vista Service Pack 1/2 and prior\n\n - Microsoft Windows Server 2008 Service Pack 1/2 and prior\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws are due to:\n\n - Bug in the ATL header that could allow reading a variant from a stream and\n leaving the variant type read with an invalid variant. When deleting the\n variant, it is possible to free unintended areas in memory that could be\n controlled by an attacker.\n\n - Error in 'CComVariant::ReadFromStream()' function used in the ATL header.\n This function does not properly restrict untrusted data read from a stream.\n\n - An bug in the ATL headers that could allow an attacker to force VariantClear\n to be called on a VARIANT that has not been correctly initialized.\n\n - Bugs in the ATL headers that handle instantiation of an object from data\n streams.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS09-037.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n\nif(hotfix_check_sp(win2k:5, xp:4, win2003:3, winVista:3, win2008:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(sysPath)\n{\n # For Windows ATL Component\n sysVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\atl.dll\");\n if(sysVer != NULL)\n {\n if(hotfix_check_sp(win2k:5) > 0)\n {\n if(version_is_less(version:sysVer, test_version:\"3.0.9794.0\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n\n if(hotfix_check_sp(xp:4) > 0)\n {\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if((\"Service Pack 2\" >< SP) || (\"Service Pack 3\" >< SP))\n {\n if(version_is_less(version:sysVer, test_version:\"3.5.2284.2\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n\n if(hotfix_check_sp(win2003:3) > 0)\n {\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"3.5.2284.2\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n\n if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n {\n if(version_is_less(version:sysVer, test_version:\"3.5.2284.2\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n\n mpVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\wmp.dll\");\n if(mpVer != NULL)\n {\n if(hotfix_check_sp(win2k:5) > 0)\n {\n if(version_is_less(version:mpVer, test_version:\"9.0.0.3364\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n\n if(hotfix_check_sp(xp:4) > 0)\n {\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:mpVer, test_version:\"9.0\", test_version2:\"9.0.0.3363\")||\n version_in_range(version:mpVer, test_version:\"10.0\", test_version2:\"10.0.0.4073\")||\n version_in_range(version:mpVer, test_version:\"11.0\", test_version2:\"11.0.5721.5267\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n\n if(\"Service Pack 3\" >< SP)\n {\n if(version_in_range(version:mpVer, test_version:\"9.0\", test_version2:\"9.0.0.4506\")||\n version_in_range(version:mpVer, test_version:\"10.0\", test_version2:\"10.0.0.4073\")||\n version_in_range(version:mpVer, test_version:\"11.0\", test_version2:\"11.0.5721.5267\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n\n if(hotfix_check_sp(win2003:3) > 0)\n {\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:mpVer, test_version:\"10.0\", test_version2:\"10.0.0.4005\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n }\n\n if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n {\n if(version_in_range(version:mpVer, test_version:\"11.0\", test_version2:\"11.0.6000.6351\") ||\n version_in_range(version:mpVer, test_version:\"11.0.6000.6500\", test_version2:\"11.0.6000.6510\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n\n if(!SP) {\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n }\n\n if(\"Service Pack 1\" >< SP)\n {\n if(version_in_range(version:mpVer, test_version:\"11.0.6001.7000\", test_version2:\"11.0.6001.7006\") ||\n version_in_range(version:mpVer, test_version:\"11.0.6001.7100\", test_version2:\"11.0.6001.7113\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:mpVer, test_version:\"11.0.6002.18000\", test_version2:\"11.0.6002.18064\") ||\n version_in_range(version:mpVer, test_version:\"11.0.6002.22000\", test_version2:\"11.0.6002.22171\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n\n # For Microsoft MSWebDVD ActiveX Control\n msVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Mswebdvd.dll\");\n if(msVer)\n {\n if(hotfix_check_sp(xp:4) > 0)\n {\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:msVer, test_version:\"6.5.2600.3610\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n\n if(\"Service Pack 3\" >< SP)\n {\n if(version_is_less(version:msVer, test_version:\"6.5.2600.5857\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n\n if(hotfix_check_sp(win2003:3) > 0)\n {\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:msVer, test_version:\"6.5.3790.4565\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n }\n\n # For Microsoft HtmlInput Object ActiveX Control\n webVer = fetch_file_version(sysPath:sysPath, file_name:\"ehome\\Ehkeyctl.dll\");\n if(webVer)\n {\n if(hotfix_check_sp(winVista:3) > 0)\n {\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n\n if(!SP) {\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n }\n\n if(\"Service Pack 1\" >< SP)\n {\n if(version_in_range(version:webVer, test_version:\"6.0.6001.18000\", test_version2:\"6.0.6001.18294\")||\n version_in_range(version:webVer, test_version:\"6.0.6001.22000\", test_version2:\"6.0.6001.22475\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:webVer, test_version:\"6.0.6002.18000\", test_version2:\"6.0.6002.18071\") ||\n version_in_range(version:webVer, test_version:\"6.0.6002.22000\", test_version2:\"6.0.6002.22180\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n }\n}\n\n# Microsoft Outlook Express 5.5 Service Pack 2 or 6 Service Pack 1\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"ProgramFilesDir\");\nif(sysPath != NULL)\n{\n dllVer = fetch_file_version(sysPath:sysPath, file_name:\"Outlook Express\\msoe.dll\");\n\n if(dllVer != NULL)\n {\n if(hotfix_check_sp(win2k:5) > 0)\n {\n if(version_in_range(version:dllVer, test_version:\"5.5\", test_version2:\"5.50.5003.999\")||\n version_in_range(version:dllVer, test_version:\"6.0\", test_version2:\"6.0.2800.1982\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n\n if(hotfix_check_sp(xp:4) > 0)\n {\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"6.0\", test_version2:\"6.0.2900.3597\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n\n if(\"Service Pack 3\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"6.0\", test_version2:\"6.0.2900.5842\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n\n if(hotfix_check_sp(win2003:3) > 0)\n {\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"6.0\", test_version2:\"6.0.3790.4547\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n }\n}\n\n# For DHTML Editing Component ActiveX Control\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"ProgramFilesDir\");\nif(sysPath != NULL)\n{\n ocxVer = fetch_file_version(sysPath:sysPath, file_name:\"Common Files\\Microsoft Shared\\Triedit\\Dhtmled.ocx\");\n\n if(ocxVer != NULL)\n {\n if(hotfix_check_sp(win2k:5) > 0)\n {\n if(version_is_less(version:ocxVer, test_version:\"6.1.0.9234\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n\n if(hotfix_check_sp(xp:4) > 0)\n {\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if((\"Service Pack 2\" >< SP) || (\"Service Pack 3\" >< SP))\n {\n if(version_is_less(version:ocxVer, test_version:\"6.1.0.9247\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n\n if(hotfix_check_sp(win2003:3) > 0)\n {\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:ocxVer, test_version:\"6.1.0.9247\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:14:14", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS09-037.", "cvss3": {}, "published": "2009-08-14T00:00:00", "type": "openvas", "title": "Vulnerabilities in Microsoft ATL Could Allow Remote Code Execution (973908)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2494", "CVE-2009-2493", "CVE-2008-0015", "CVE-2008-0020", "CVE-2009-0901"], "modified": "2017-02-20T00:00:00", "id": "OPENVAS:101100", "href": "http://plugins.openvas.org/nasl.php?oid=101100", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms09-037.nasl 5363 2017-02-20 13:07:22Z cfi $\n#\n# Vulnerabilities in Microsoft ATL Could Allow Remote Code Execution (973908)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Updated By: Madhuri D <dmadhuri@secpod.com> on 2010-11-30\n# - To detect required file versions on vista and win 2008\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow remote attacker execute arbitrary code on\n the vulnerable system.\n Impact Level: System\";\ntag_affected = \"Windows Media Player 9/10/11\n Microsoft Outlook Express 6 Service Pack 1\n Microsoft Outlook Express 5.5 Service Pack 2\n Microsoft Windows 2K Service Pack 4 and prior\n Microsoft Windows XP Service Pack 3 and prior\n Microsoft Windows 2003 Service Pack 2 and prior\n Microsoft Windows Vista Service Pack 1/2 and prior\n Microsoft Windows Server 2008 Service Pack 1/2 and prior\";\ntag_insight = \"The multiple flaws are due to:\n - Bug in the ATL header that could allow reading a variant from a stream and\n leaving the variant type read with an invalid variant. When deleting the\n variant, it is possible to free unintended areas in memory that could be\n controlled by an attacker.\n - Error in 'CComVariant::ReadFromStream()' function used in the ATL header.\n This function does not properly restrict untrusted data read from a stream.\n - An bug in the ATL headers that could allow an attacker to force VariantClear\n to be called on a VARIANT that has not been correctly initialized.\n - Bugs in the ATL headers that handle instantiation of an object from data\n streams.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/MS09-037\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS09-037.\";\n\nif(description)\n{\n script_id(101100);\n script_version(\"$Revision: 5363 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 14:07:22 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-08-14 07:53:52 +0200 (Fri, 14 Aug 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2008-0015\", \"CVE-2008-0020\", \"CVE-2009-0901\",\n \"CVE-2009-2493\", \"CVE-2009-2494\");\n script_bugtraq_id(35558, 35585, 35832, 35828, 35982);\n script_name(\"Vulnerabilities in Microsoft ATL Could Allow Remote Code Execution (973908)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/36187\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/973908\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2009/2232\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/MS09-037\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n\n## Variables Initialization\nsysPath = \"\";\nsysVer = \"\";\nSP = \"\";\nmpVer = \"\";\nocxVer = \"\";\nmsVer = \"\";\n\nif(hotfix_check_sp(win2k:5, xp:4, win2003:3, winVista:3, win2008:3) <= 0){\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_systemroot();\nif(sysPath)\n{\n # For Windows ATL Component\n sysVer = fetch_file_version(sysPath, file_name:\"system32\\atl.dll\");\n if(sysVer != NULL)\n {\n # Windows 2K\n if(hotfix_check_sp(win2k:5) > 0)\n {\n # Grep for atl.dll version < 3.0.9794.0\n if(version_is_less(version:sysVer, test_version:\"3.0.9794.0\"))\n {\n security_message(0);\n exit(0);\n }\n }\n\n # Windows XP\n if(hotfix_check_sp(xp:4) > 0)\n {\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if((\"Service Pack 2\" >< SP) || (\"Service Pack 3\" >< SP))\n {\n # Grep for atl.dll < 3.5.2284.2\n if(version_is_less(version:sysVer, test_version:\"3.5.2284.2\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n\n # Windows 2003\n if(hotfix_check_sp(win2003:3) > 0)\n {\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for atl.dll version < 3.5.2284.2\n if(version_is_less(version:sysVer, test_version:\"3.5.2284.2\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n\n # Windows Vista and Windows 2008\n if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n {\n # Grep for atl.dll version < 3.5.2284.2\n if(version_is_less(version:sysVer, test_version:\"3.5.2284.2\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n\n # Check Hotfix Missing Media player\n mpVer = fetch_file_version(sysPath, file_name:\"system32\\wmp.dll\");\n if(mpVer != NULL)\n {\n # Windows 2K\n if(hotfix_check_sp(win2k:5) > 0)\n {\n # Grep for wmp.dll version < 9.0.0.3364\n if(version_is_less(version:mpVer, test_version:\"9.0.0.3364\"))\n {\n security_message(0);\n exit(0);\n }\n }\n\n # Windows XP\n if(hotfix_check_sp(xp:4) > 0)\n {\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for wmp.dll 9.0 < 9.0.0.3364, 10.0 < 10.0.0.4074 and 11 < 11.0.5721.5268\n if(version_in_range(version:mpVer, test_version:\"9.0\", test_version2:\"9.0.0.3363\")||\n version_in_range(version:mpVer, test_version:\"10.0\", test_version2:\"10.0.0.4073\")||\n version_in_range(version:mpVer, test_version:\"11.0\", test_version2:\"11.0.5721.5267\"))\n {\n security_message(0);\n exit(0);\n }\n }\n\n if(\"Service Pack 3\" >< SP)\n {\n # Grep for wmp.dll < 9.0.0.4507\n if(version_in_range(version:mpVer, test_version:\"9.0\", test_version2:\"9.0.0.4506\")||\n version_in_range(version:mpVer, test_version:\"10.0\", test_version2:\"10.0.0.4073\")||\n version_in_range(version:mpVer, test_version:\"11.0\", test_version2:\"11.0.5721.5267\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n\n # Windows 2003\n if(hotfix_check_sp(win2003:3) > 0)\n {\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for wmp.dll version 10 < 10.0.0.4006\n if(version_in_range(version:mpVer, test_version:\"10.0\", test_version2:\"10.0.0.4005\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n }\n\n # Windows Vista and Windows 2008\n if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n {\n if(version_in_range(version:mpVer, test_version:\"11.0\", test_version2:\"11.0.6000.6351\") ||\n version_in_range(version:mpVer, test_version:\"11.0.6000.6500\", test_version2:\"11.0.6000.6510\"))\n {\n security_message(0);\n exit(0);\n }\n\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n\n if(!SP) {\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n }\n\n if(\"Service Pack 1\" >< SP)\n {\n # Grep for wmp.dll version\n if(version_in_range(version:mpVer, test_version:\"11.0.6001.7000\", test_version2:\"11.0.6001.7006\") ||\n version_in_range(version:mpVer, test_version:\"11.0.6001.7100\", test_version2:\"11.0.6001.7113\"))\n {\n security_message(0);\n exit(0);\n }\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for wmp.dll version\n if(version_in_range(version:mpVer, test_version:\"11.0.6002.18000\", test_version2:\"11.0.6002.18064\") ||\n version_in_range(version:mpVer, test_version:\"11.0.6002.22000\", test_version2:\"11.0.6002.22171\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n\n # For Microsoft MSWebDVD ActiveX Control\n msVer = fetch_file_version(sysPath, file_name:\"system32\\Mswebdvd.dll\");\n if(msVer)\n {\n # Windows XP\n if(hotfix_check_sp(xp:4) > 0)\n {\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for Mswebdvd.dll < 6.5.2600.3610\n if(version_is_less(version:msVer, test_version:\"6.5.2600.3610\"))\n {\n security_message(0);\n exit(0);\n }\n }\n\n if(\"Service Pack 3\" >< SP)\n {\n # Grep for Mswebdvd.dll < 6.5.2600.5857\n if(version_is_less(version:msVer, test_version:\"6.5.2600.5857\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n\n # Windows 2003\n if(hotfix_check_sp(win2003:3) > 0)\n {\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n #Grep for Mswebdvd.dll < 6.5.3790.4565\n if(version_is_less(version:msVer, test_version:\"6.5.3790.4565\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n }\n\n # For Microsoft HtmlInput Object ActiveX Control\n webVer = fetch_file_version(sysPath, file_name:\"ehome\\Ehkeyctl.dll\");\n if(webVer)\n {\n # Windows Vista\n if(hotfix_check_sp(winVista:3) > 0)\n {\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n\n if(!SP) {\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n }\n\n if(\"Service Pack 1\" >< SP)\n {\n # Grep for Ehkeyctl.dll version < 6.0.6001.18295\n if(version_in_range(version:webVer, test_version:\"6.0.6001.18000\", test_version2:\"6.0.6001.18294\")||\n version_in_range(version:webVer, test_version:\"6.0.6001.22000\", test_version2:\"6.0.6001.22475\"))\n {\n security_message(0);\n exit(0);\n }\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for Ehkeyctl.dll version < 6.0.6002.18072\n if(version_in_range(version:webVer, test_version:\"6.0.6002.18000\", test_version2:\"6.0.6002.18071\") ||\n version_in_range(version:webVer, test_version:\"6.0.6002.22000\", test_version2:\"6.0.6002.22180\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n }\n}\n\n# Microsoft Outlook Express 5.5 Service Pack 2 or 6 Service Pack 1\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"ProgramFilesDir\");\nif(sysPath != NULL)\n{\n dllVer = fetch_file_version(sysPath, file_name:\"Outlook Express\\msoe.dll\");\n\n if(dllVer != NULL)\n {\n # Windows 2K\n if(hotfix_check_sp(win2k:5) > 0)\n {\n # Grep for msoe.ll version < 5.50.5003.1000 and 6.0.2800.1983\n if(version_in_range(version:dllVer, test_version:\"5.5\", test_version2:\"5.50.5003.999\")||\n version_in_range(version:dllVer, test_version:\"6.0\", test_version2:\"6.0.2800.1982\"))\n {\n security_message(0);\n exit(0);\n }\n }\n\n # Windows XP\n if(hotfix_check_sp(xp:4) > 0)\n {\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for msoe.dll < 6.0.2900.3598\n if(version_in_range(version:dllVer, test_version:\"6.0\", test_version2:\"6.0.2900.3597\"))\n {\n security_message(0);\n exit(0);\n }\n }\n\n if(\"Service Pack 3\" >< SP)\n {\n # Grep for msoe.dll < 6.0.2900.5843\n if(version_in_range(version:dllVer, test_version:\"6.0\", test_version2:\"6.0.2900.5842\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n\n # Windows 2003\n if(hotfix_check_sp(win2003:3) > 0)\n {\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for msoe.dll version < 6.0.3790.4548\n if(version_in_range(version:dllVer, test_version:\"6.0\", test_version2:\"6.0.3790.4547\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n }\n}\n\n# For DHTML Editing Component ActiveX Control\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"ProgramFilesDir\");\nif(sysPath != NULL)\n{\n ocxVer = fetch_file_version(sysPath, file_name:\"Common Files\\Microsoft Shared\\Triedit\\Dhtmled.ocx\");\n\n if(ocxVer != NULL)\n {\n # Windows 2K\n if(hotfix_check_sp(win2k:5) > 0)\n {\n # Grep for Dhtmled.ocx version < 6.1.0.9234\n if(version_is_less(version:ocxVer, test_version:\"6.1.0.9234\"))\n {\n security_message(0);\n exit(0);\n }\n }\n\n # Windows XP\n if(hotfix_check_sp(xp:4) > 0)\n {\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if((\"Service Pack 2\" >< SP) || (\"Service Pack 3\" >< SP))\n {\n # Grep for Dhtmled.ocx < 6.1.0.9247\n if(version_is_less(version:ocxVer, test_version:\"6.1.0.9247\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n\n # Windows 2003\n if(hotfix_check_sp(win2003:3) > 0)\n {\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for Localspl.dll version < 6.1.0.9247\n if(version_is_less(version:ocxVer, test_version:\"6.1.0.9247\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-01-08T14:05:34", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS09-055.", "cvss3": {}, "published": "2009-10-14T00:00:00", "type": "openvas", "title": "Microsoft Windows ATL COM Initialization Code Execution Vulnerability (973525)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2493"], "modified": "2020-01-07T00:00:00", "id": "OPENVAS:1361412562310900880", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900880", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows ATL COM Initialization Code Execution Vulnerability (973525)\n#\n# Authors:\n# Sharath S <sharaths@secpod.com>\n#\n# Updated By: Madhuri D <dmadhuri@secpod.com> on 2010-11-25\n# - To confirm Vulnerability on vista, win 2008 and win 7\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900880\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_cve_id(\"CVE-2009-2493\");\n script_bugtraq_id(35828);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-10-14 18:36:58 +0200 (Wed, 14 Oct 2009)\");\n script_name(\"Microsoft Windows ATL COM Initialization Code Execution Vulnerability (973525)\");\n\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/973525\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2009/2890\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-055\");\n script_xref(name:\"URL\", value:\"http://www.microsoft.com/technet/security/advisory/972890\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/registry_enumerated\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will let the remote attackers execute arbitrary code,\n and can compromise a vulnerable system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7\n\n - Microsoft Windows 2K SP4/XP SP3/2K3 SP2 and prior\n\n - Microsoft Windows Vista Service Pack 1/2 and prior\n\n - Microsoft Windows Server 2008 Service Pack 1/2 and prior\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an error in the ATL headers that handle\n instantiation of an object from data streams, which could allow attackers to\n instantiate arbitrary objects in Internet Explorer that can bypass certain\n related security policies.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS09-055.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\n\n As a workaround set the killbit for the following CLSIDs:\n\n {0002E531-0000-0000-C000-000000000046}, {4C85388F-1500-11D1-A0DF-00C04FC9E20F},\n {0002E532-0000-0000-C000-000000000046}, {0002E554-0000-0000-C000-000000000046},\n {0002E55C-0000-0000-C000-000000000046}, {279D6C9A-652E-4833-BEFC-312CA8887857},\n {B1F78FEF-3DB7-4C56-AF2B-5DCCC7C42331}, {C832BE8F-4B89-4579-A217-DB92E7A27915},\n {A9A7297E-969C-43F1-A1EF-51EBEA36F850}, {DD8C2179-1B4A-4951-B432-5DE3D1507142},\n {4F1E5B1A-2A80-42ca-8532-2D05CB959537}, {27A3D328-D206-4106-8D33-1AA39B13394B},\n {DB640C86-731C-484A-AAAF-750656C9187D}, {15721a53-8448-4731-8bfc-ed11e128e444},\n {3267123E-530D-4E73-9DA7-79F01D86A89F}\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_activex.inc\");\ninclude(\"secpod_reg.inc\");\n\nif(hotfix_check_sp(win2k:5, xp:4, win2003:3, winVista:3, win7:1, win2008:3) <= 0){\n exit(0);\n}\n\n# MS09-055 Hotfix check\nif(hotfix_missing(name:\"973525\") == 0){\n exit(0);\n}\n\nclsids = make_list(\n \"{0002E531-0000-0000-C000-000000000046}\", \"{4C85388F-1500-11D1-A0DF-00C04FC9E20F}\",\n \"{0002E532-0000-0000-C000-000000000046}\", \"{0002E554-0000-0000-C000-000000000046}\",\n \"{0002E55C-0000-0000-C000-000000000046}\", \"{279D6C9A-652E-4833-BEFC-312CA8887857}\",\n \"{B1F78FEF-3DB7-4C56-AF2B-5DCCC7C42331}\", \"{C832BE8F-4B89-4579-A217-DB92E7A27915}\",\n \"{A9A7297E-969C-43F1-A1EF-51EBEA36F850}\", \"{DD8C2179-1B4A-4951-B432-5DE3D1507142}\",\n \"{4F1E5B1A-2A80-42ca-8532-2D05CB959537}\", \"{27A3D328-D206-4106-8D33-1AA39B13394B}\",\n \"{DB640C86-731C-484A-AAAF-750656C9187D}\", \"{15721a53-8448-4731-8bfc-ed11e128e444}\",\n \"{3267123E-530D-4E73-9DA7-79F01D86A89F}\");\n\nforeach clsid (clsids)\n{\n if(is_killbit_set(clsid:clsid) == 0)\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-02-09T11:16:05", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS09-055.", "cvss3": {}, "published": "2009-10-14T00:00:00", "type": "openvas", "title": "Microsoft Windows ATL COM Initialization Code Execution Vulnerability (973525)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2493"], "modified": "2018-02-08T00:00:00", "id": "OPENVAS:900880", "href": "http://plugins.openvas.org/nasl.php?oid=900880", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms09-055.nasl 8724 2018-02-08 15:02:56Z cfischer $\n#\n# Microsoft Windows ATL COM Initialization Code Execution Vulnerability (973525)\n#\n# Authors:\n# Sharath S <sharaths@secpod.com>\n#\n# Updated By: Madhuri D <dmadhuri@secpod.com> on 2010-11-25\n# - To confirm Vulnerability on vista, win 2008 and win 7\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link.\n\n http://www.microsoft.com/technet/security/bulletin/ms09-055.mspx\n\n Workaround:\n Set the killbit for the following CLSIDs,\n {0002E531-0000-0000-C000-000000000046}, {4C85388F-1500-11D1-A0DF-00C04FC9E20F}\n {0002E532-0000-0000-C000-000000000046}, {0002E554-0000-0000-C000-000000000046}\n {0002E55C-0000-0000-C000-000000000046}, {279D6C9A-652E-4833-BEFC-312CA8887857}\n {B1F78FEF-3DB7-4C56-AF2B-5DCCC7C42331}, {C832BE8F-4B89-4579-A217-DB92E7A27915}\n {A9A7297E-969C-43F1-A1EF-51EBEA36F850}, {DD8C2179-1B4A-4951-B432-5DE3D1507142}\n {4F1E5B1A-2A80-42ca-8532-2D05CB959537}, {27A3D328-D206-4106-8D33-1AA39B13394B}\n {DB640C86-731C-484A-AAAF-750656C9187D}, {15721a53-8448-4731-8bfc-ed11e128e444}\n {3267123E-530D-4E73-9DA7-79F01D86A89F}\n http://www.microsoft.com/technet/security/advisory/972890.mspx\";\n\ntag_impact = \"Successful exploitation will let the remote attackers execute arbitrary code,\n and can compromise a vulnerable system.\n\n Impact Level: System.\";\ntag_affected = \"Microsoft Windows 7\n\n Microsoft Windows 2K SP4/XP SP3/2K3 SP2 and prior\n\n Microsoft Windows Vista Service Pack 1/2 and prior\n\n Microsoft Windows Server 2008 Service Pack 1/2 and prior\";\ntag_insight = \"The flaw is due to ane errors in the ATL headers that handle\n instantiation of an object from data streams, which could allow attackers to\n instantiate arbitrary objects in Internet Explorer that can bypass certain\n related security policies.\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS09-055.\";\n\nif(description)\n{\n script_id(900880);\n script_version(\"$Revision: 8724 $\");\n script_cve_id(\"CVE-2009-2493\");\n script_bugtraq_id(35828);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-02-08 16:02:56 +0100 (Thu, 08 Feb 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-14 18:36:58 +0200 (Wed, 14 Oct 2009)\");\n script_name(\"Microsoft Windows ATL COM Initialization Code Execution Vulnerability (973525)\");\n\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/973525\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2009/2890\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/bulletin/MS09-055.mspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_activex.inc\");\ninclude(\"secpod_reg.inc\");\n\nif(hotfix_check_sp(win2k:5, xp:4, win2003:3, winVista:3, win7:1, win2008:3) <= 0){\n exit(0);\n}\n\n# MS09-055 Hotfix check\nif(hotfix_missing(name:\"973525\") == 0){\n exit(0);\n}\n\n# Check if Kill-Bit is set for ActiveX control\nclsids = make_list(\n \"{0002E531-0000-0000-C000-000000000046}\", \"{4C85388F-1500-11D1-A0DF-00C04FC9E20F}\",\n \"{0002E532-0000-0000-C000-000000000046}\", \"{0002E554-0000-0000-C000-000000000046}\",\n \"{0002E55C-0000-0000-C000-000000000046}\", \"{279D6C9A-652E-4833-BEFC-312CA8887857}\",\n \"{B1F78FEF-3DB7-4C56-AF2B-5DCCC7C42331}\", \"{C832BE8F-4B89-4579-A217-DB92E7A27915}\",\n \"{A9A7297E-969C-43F1-A1EF-51EBEA36F850}\", \"{DD8C2179-1B4A-4951-B432-5DE3D1507142}\",\n \"{4F1E5B1A-2A80-42ca-8532-2D05CB959537}\", \"{27A3D328-D206-4106-8D33-1AA39B13394B}\",\n \"{DB640C86-731C-484A-AAAF-750656C9187D}\", \"{15721a53-8448-4731-8bfc-ed11e128e444}\",\n \"{3267123E-530D-4E73-9DA7-79F01D86A89F}\");\n\nforeach clsid (clsids)\n{\n ## Check if Kill-Bit is set for ActiveX control\n if(is_killbit_set(clsid:clsid) == 0)\n {\n security_message(0);\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-10T20:03:13", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS09-072.", "cvss3": {}, "published": "2009-12-04T00:00:00", "type": "openvas", "title": "MS Internet Explorer 'Style' Object Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-3673", "CVE-2009-3674", "CVE-2009-2493", "CVE-2009-3671", "CVE-2009-3672"], "modified": "2020-06-09T00:00:00", "id": "OPENVAS:1361412562310800727", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310800727", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Description: MS Internet Explorer 'Style' Object Remote Code Execution Vulnerability\n#\n# Authors:\n# Sujit Ghosal <sghosal@secpod.com>\n#\n# Updated By\n# Antu Sanadi <santu@secpod.com> on 2009-12-09\n# Included the Microsoft Bulletin MS09-072 #6097\n#\n# Updated By: Madhuri D <dmadhuri@secpod.com> on 2010-11-23\n# - To detect file version 'mshtml.dll' on vista, win 2008 and win 7\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.800727\");\n script_version(\"2020-06-09T10:15:40+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 10:15:40 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-12-04 14:17:59 +0100 (Fri, 04 Dec 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-2493\", \"CVE-2009-3671\", \"CVE-2009-3672\",\n \"CVE-2009-3673\", \"CVE-2009-3674\");\n script_bugtraq_id(37085);\n script_name(\"MS Internet Explorer 'Style' Object Remote Code Execution Vulnerability\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2009/3437\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-072\");\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_mandatory_keys(\"MS/IE/Version\");\n script_require_ports(139, 445);\n\n script_tag(name:\"impact\", value:\"Successful exploitation will let the attacker execute arbitrary code via\n specially crafted HTML page in the context of the affected system and cause\n memory corruption thus causing remote machine compromise.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Internet Explorer version 5.x/6.x/7.x/8.x.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to:\n\n - The 'tdc.ocx' ActiveX control being built with vulnerable Active Template\n Library (ATL) headers, which could allow the instantiation of arbitrary objects\n that can bypass certain security related policies.\n\n - Memory corruption error occurs when the browser attempts to access an object\n that has not been initialized or has been deleted, which could be exploited\n to execute arbitrary code via a specially crafted web page.\n\n - Memory corruption occurs when processing 'CSS' objects.\n\n - Race condition occurs while repetitively clicking between two elements at\n a fast rate, which could be exploited to execute arbitrary code via a\n specially crafted web page.\n\n - A dangling pointer during deallocation of a circular dereference for a\n CAttrArray object, which could be exploited to execute arbitrary code via\n a specially crafted web page.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS09-072.\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2k:5, win2003:3, winVista:3, win7:1, win2008:3) <= 0){\n exit(0);\n}\n\nieVer = get_kb_item(\"MS/IE/Version\");\nif(!ieVer){\n exit(0);\n}\n\nif(hotfix_missing(name:\"976325\") == 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(sysPath)\n{\n vers = fetch_file_version(sysPath:sysPath, file_name:\"mshtml.dll\");\n if(!vers){\n exit(0);\n }\n}\n\nif(hotfix_check_sp(win2k:5) > 0)\n{\n if(version_in_range(version:vers, test_version:\"5.0\", test_version2:\"5.0.3882.2699\") ||\n version_in_range(version:vers, test_version:\"6.0\", test_version2:\"6.0.2800.1641\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\nelse if(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:vers, test_version:\"6.0.2900.0000\", test_version2:\"6.0.2900.3639\")||\n version_in_range(version:vers, test_version:\"7.0\", test_version2:\"7.0.6000.21128\")||\n version_in_range(version:vers, test_version:\"8.0\", test_version2:\"8.0.6001.18853\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n else if(\"Service Pack 3\" >< SP)\n {\n if( version_in_range(version:vers, test_version:\"6.0.2900.0000\", test_version2:\"6.0.2900.5896\")||\n version_in_range(version:vers, test_version:\"7.0\", test_version2:\"7.0.6000.16944\") ||\n version_in_range(version:vers, test_version:\"7.0.6000.20000\", test_version2:\"7.0.6000.21147\") ||\n version_in_range(version:vers, test_version:\"8.0\", test_version2:\"8.0.6001.18853\")||\n version_in_range(version:vers, test_version:\"8.0.6001.22000\", test_version2:\"8.0.6001.22944\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:vers, test_version:\"6.0\", test_version2:\"6.0.3790.4610\") ||\n version_in_range(version:vers, test_version:\"7.0\", test_version2:\"7.0.6000.16944\") ||\n version_in_range(version:vers, test_version:\"7.0.6000.20000\", test_version2:\"7.00.6000.21147\")||\n version_in_range(version:vers, test_version:\"8.0.6001.00000\", test_version2:\"8.0.6001.18853\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath){\n exit(0);\n}\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"mshtml.dll\");\nif(!dllVer){\n exit(0);\n}\n\nif(hotfix_check_sp(winVista:3) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"7.0\", test_version2:\"7.0.6001.18348\") ||\n version_in_range(version:dllVer, test_version:\"8.0\", test_version2:\"8.0.6001.18864\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"7.0\", test_version2:\"7.0.6002.18129\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"7.0\", test_version2:\"7.0.6001.18348\") ||\n version_in_range(version:dllVer, test_version:\"8.0\", test_version2:\"8.0.6001.18864\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"7.0\", test_version2:\"7.0.6002.18129\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win7:1) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"8.0\", test_version2:\"8.0.7600.16465\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-20T08:55:33", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS09-072.", "cvss3": {}, "published": "2009-12-04T00:00:00", "type": "openvas", "title": "MS Internet Explorer 'Style' Object Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-3673", "CVE-2009-3674", "CVE-2009-2493", "CVE-2009-3671", "CVE-2009-3672"], "modified": "2017-07-05T00:00:00", "id": "OPENVAS:800727", "href": "http://plugins.openvas.org/nasl.php?oid=800727", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_ie_style_object_remote_code_exec_vuln.nasl 6527 2017-07-05 05:56:34Z cfischer $\n#\n# Description: MS Internet Explorer 'Style' Object Remote Code Execution Vulnerability\n#\n# Authors:\n# Sujit Ghosal <sghosal@secpod.com>\n#\n# Updated By\n# Antu Sanadi <santu@secpod.com> on 2009-12-09\n# Included the Microsoft Bulletin MS09-072 #6097\n#\n# Updated By: Madhuri D <dmadhuri@secpod.com> on 2010-11-23\n# - To detect file version 'mshtml.dll' on vista, win 2008 and win 7\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_id(800727);\n script_version(\"$Revision: 6527 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-05 07:56:34 +0200 (Wed, 05 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-12-04 14:17:59 +0100 (Fri, 04 Dec 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-2493\", \"CVE-2009-3671\", \"CVE-2009-3672\",\n \"CVE-2009-3673\", \"CVE-2009-3674\");\n script_bugtraq_id(37085);\n script_name(\"MS Internet Explorer 'Style' Object Remote Code Execution Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2009/3437\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/Bulletin/MS09-072.mspx\");\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_mandatory_keys(\"MS/IE/Version\");\n script_require_ports(139, 445);\n script_tag(name : \"impact\" , value : \"Successful exploitation will let the attacker execute arbitrary code via\n specially crafted HTML page in the context of the affected system and cause\n memory corruption thus causing remote machine compromise.\n Impact Level: System\");\n script_tag(name : \"affected\" , value : \"Microsoft Internet Explorer version 5.x/6.x/7.x/8.x\");\n script_tag(name : \"insight\" , value : \"Multiple flaws are due to:\n - The 'tdc.ocx' ActiveX control being built with vulnerable Active Template\n Library (ATL) headers, which could allow the instantiation of arbitrary objects\n that can bypass certain security related policies.\n - Memory corruption error occurs when the browser attempts to access an object\n that has not been initialized or has been deleted, which could be exploited\n to execute arbitrary code via a specially crafted web page.\n - Memory corruption occurs when processing 'CSS' objects.\n - Race condition occurs while repetitively clicking between two elements at\n a fast rate, which could be exploited to execute arbitrary code via a\n specially crafted web page.\n - A dangling pointer during deallocation of a circular dereference for a\n CAttrArray object, which could be exploited to execute arbitrary code via\n a specially crafted web page.\");\n script_tag(name : \"solution\" , value : \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://www.microsoft.com/technet/security/Bulletin/MS09-072.mspx\");\n script_tag(name : \"summary\" , value : \"This host is missing a critical security update according to\n Microsoft Bulletin MS09-072.\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2k:5, win2003:3, winVista:3, win7:1, win2008:3) <= 0){\n exit(0);\n}\n\nieVer = get_kb_item(\"MS/IE/Version\");\nif(!ieVer){\n exit(0);\n}\n\n# Check for MS09-072 Hotfix (976325)\nif(hotfix_missing(name:\"976325\") == 0){\n exit(0);\n}\n\n## Get System32 path\nsysPath = smb_get_system32root();\nif(sysPath)\n{\n vers = fetch_file_version(sysPath, file_name:\"mshtml.dll\");\n if(!vers){\n exit(0);\n }\n}\n\nif(hotfix_check_sp(win2k:5) > 0)\n{\n if(version_in_range(version:vers, test_version:\"5.0\", test_version2:\"5.0.3882.2699\") ||\n version_in_range(version:vers, test_version:\"6.0\", test_version2:\"6.0.2800.1641\")){\n security_message(0);\n }\n}\nelse if(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:vers, test_version:\"6.0.2900.0000\", test_version2:\"6.0.2900.3639\")||\n version_in_range(version:vers, test_version:\"7.0\", test_version2:\"7.0.6000.21128\")||\n version_in_range(version:vers, test_version:\"8.0\", test_version2:\"8.0.6001.18853\")){\n security_message(0);\n }\n exit(0);\n }\n else if(\"Service Pack 3\" >< SP)\n {\n if( version_in_range(version:vers, test_version:\"6.0.2900.0000\", test_version2:\"6.0.2900.5896\")||\n version_in_range(version:vers, test_version:\"7.0\", test_version2:\"7.0.6000.16944\") ||\n version_in_range(version:vers, test_version:\"7.0.6000.20000\", test_version2:\"7.0.6000.21147\") ||\n version_in_range(version:vers, test_version:\"8.0\", test_version2:\"8.0.6001.18853\")||\n version_in_range(version:vers, test_version:\"8.0.6001.22000\", test_version2:\"8.0.6001.22944\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:vers, test_version:\"6.0\", test_version2:\"6.0.3790.4610\") ||\n version_in_range(version:vers, test_version:\"7.0\", test_version2:\"7.0.6000.16944\") ||\n version_in_range(version:vers, test_version:\"7.0.6000.20000\", test_version2:\"7.00.6000.21147\")||\n version_in_range(version:vers, test_version:\"8.0.6001.00000\", test_version2:\"8.0.6001.18853\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n## Get System Path\nsysPath = smb_get_system32root();\nif(!sysPath){\n exit(0);\n}\ndllVer = fetch_file_version(sysPath, file_name:\"mshtml.dll\");\nif(!dllVer){\n exit(0);\n}\n\n# Windows Vista\nif(hotfix_check_sp(winVista:3) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n # Grep for mshtml.dll version \n if(version_in_range(version:dllVer, test_version:\"7.0\", test_version2:\"7.0.6001.18348\") ||\n version_in_range(version:dllVer, test_version:\"8.0\", test_version2:\"8.0.6001.18864\")){\n security_message(0);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"7.0\", test_version2:\"7.0.6002.18129\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n# Windows Server 2008\nelse if(hotfix_check_sp(win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n # Grep for mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"7.0\", test_version2:\"7.0.6001.18348\") ||\n version_in_range(version:dllVer, test_version:\"8.0\", test_version2:\"8.0.6001.18864\")){\n security_message(0);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"7.0\", test_version2:\"7.0.6002.18129\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n# Windows 7\nelse if(hotfix_check_sp(win7:1) > 0)\n{\n # Grep for mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"8.0\", test_version2:\"8.0.7600.16465\")){\n security_message(0);\n }\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-25T10:54:42", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "cvss3": {}, "published": "2010-03-16T00:00:00", "type": "openvas", "title": "FreeBSD Ports: openoffice.org", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-3302", "CVE-2009-3301", "CVE-2009-0217", "CVE-2009-2949", "CVE-2009-2493", "CVE-2006-4339", "CVE-2009-2950"], "modified": "2018-01-24T00:00:00", "id": "OPENVAS:136141256231067053", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231067053", "sourceData": "#\n#VID c97d7a37-2233-11df-96dd-001b2134ef46\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID c97d7a37-2233-11df-96dd-001b2134ef46\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: openoffice.org\n\nFor details on the issues addressed in this update, please visit the\nreferenced security advisories.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.openoffice.org/security/bulletin.html\nhttp://www.openoffice.org/security/cves/CVE-2006-4339.html\nhttp://www.openoffice.org/security/cves/CVE-2009-0217.html\nhttp://www.openoffice.org/security/cves/CVE-2009-2493.html\nhttp://www.openoffice.org/security/cves/CVE-2009-2949.html\nhttp://www.openoffice.org/security/cves/CVE-2009-2950.html\nhttp://www.openoffice.org/security/cves/CVE-2009-3301-3302.html\nhttp://www.vuxml.org/freebsd/c97d7a37-2233-11df-96dd-001b2134ef46.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.67053\");\n script_version(\"$Revision: 8510 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-24 08:57:42 +0100 (Wed, 24 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-03-16 17:25:39 +0100 (Tue, 16 Mar 2010)\");\n script_cve_id(\"CVE-2006-4339\", \"CVE-2009-0217\", \"CVE-2009-2493\", \"CVE-2009-2949\", \"CVE-2009-2950\", \"CVE-2009-3301\", \"CVE-2009-3302\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"FreeBSD Ports: openoffice.org\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"openoffice.org\");\nif(!isnull(bver) && revcomp(a:bver, b:\"3.2.0\")<0) {\n txt += 'Package openoffice.org version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"3.2.20010101\")>=0 && revcomp(a:bver, b:\"3.2.20100203\")<0) {\n txt += 'Package openoffice.org version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"3.3.20010101\")>=0 && revcomp(a:bver, b:\"3.3.20100207\")<0) {\n txt += 'Package openoffice.org version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:09:48", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "cvss3": {}, "published": "2010-03-16T00:00:00", "type": "openvas", "title": "FreeBSD Ports: openoffice.org", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-3302", "CVE-2009-3301", "CVE-2009-0217", "CVE-2009-2949", "CVE-2009-2493", "CVE-2006-4339", "CVE-2009-2950"], "modified": "2017-02-10T00:00:00", "id": "OPENVAS:67053", "href": "http://plugins.openvas.org/nasl.php?oid=67053", "sourceData": "#\n#VID c97d7a37-2233-11df-96dd-001b2134ef46\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID c97d7a37-2233-11df-96dd-001b2134ef46\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: openoffice.org\n\nFor details on the issues addressed in this update, please visit the\nreferenced security advisories.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.openoffice.org/security/bulletin.html\nhttp://www.openoffice.org/security/cves/CVE-2006-4339.html\nhttp://www.openoffice.org/security/cves/CVE-2009-0217.html\nhttp://www.openoffice.org/security/cves/CVE-2009-2493.html\nhttp://www.openoffice.org/security/cves/CVE-2009-2949.html\nhttp://www.openoffice.org/security/cves/CVE-2009-2950.html\nhttp://www.openoffice.org/security/cves/CVE-2009-3301-3302.html\nhttp://www.vuxml.org/freebsd/c97d7a37-2233-11df-96dd-001b2134ef46.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(67053);\n script_version(\"$Revision: 5263 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-10 14:45:51 +0100 (Fri, 10 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-03-16 17:25:39 +0100 (Tue, 16 Mar 2010)\");\n script_cve_id(\"CVE-2006-4339\", \"CVE-2009-0217\", \"CVE-2009-2493\", \"CVE-2009-2949\", \"CVE-2009-2950\", \"CVE-2009-3301\", \"CVE-2009-3302\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"FreeBSD Ports: openoffice.org\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"openoffice.org\");\nif(!isnull(bver) && revcomp(a:bver, b:\"3.2.0\")<0) {\n txt += 'Package openoffice.org version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"3.2.20010101\")>=0 && revcomp(a:bver, b:\"3.2.20100203\")<0) {\n txt += 'Package openoffice.org version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"3.3.20010101\")>=0 && revcomp(a:bver, b:\"3.3.20100207\")<0) {\n txt += 'Package openoffice.org version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:37:42", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n java-1_6_0-ibm\n java-1_6_0-ibm-alsa\n java-1_6_0-ibm-fonts\n java-1_6_0-ibm-jdbc\n java-1_6_0-ibm-plugin\n\n\nMore details may also be found by searching for the SuSE\nEnterprise Server 11 patch database located at\nhttp://download.novell.com/patch/finder/", "cvss3": {}, "published": "2009-11-11T00:00:00", "type": "openvas", "title": "SLES11: Security update for IBM Java 1.6.0", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2670", "CVE-2009-0217", "CVE-2009-2493", "CVE-2009-2625", "CVE-2009-2673", "CVE-2009-2674", "CVE-2009-2671", "CVE-2009-2672", "CVE-2009-2676", "CVE-2009-2675"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:136141256231066230", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066230", "sourceData": "#\n#VID 27428b62b5ccd6ac2929bae4bea6f2dd\n# OpenVAS Vulnerability Test\n# $\n# Description: Security update for IBM Java 1.6.0\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n java-1_6_0-ibm\n java-1_6_0-ibm-alsa\n java-1_6_0-ibm-fonts\n java-1_6_0-ibm-jdbc\n java-1_6_0-ibm-plugin\n\n\nMore details may also be found by searching for the SuSE\nEnterprise Server 11 patch database located at\nhttp://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://bugzilla.novell.com/show_bug.cgi?id=548655\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.66230\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-11 15:56:44 +0100 (Wed, 11 Nov 2009)\");\n script_cve_id(\"CVE-2009-2676\", \"CVE-2009-2493\", \"CVE-2009-2670\", \"CVE-2009-0217\", \"CVE-2009-2671\", \"CVE-2009-2672\", \"CVE-2009-2673\", \"CVE-2009-2674\", \"CVE-2009-2675\", \"CVE-2009-2625\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"SLES11: Security update for IBM Java 1.6.0\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"java-1_6_0-ibm\", rpm:\"java-1_6_0-ibm~1.6.0_sr6~1.1.1\", rls:\"SLES11.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"java-1_6_0-ibm-alsa\", rpm:\"java-1_6_0-ibm-alsa~1.6.0_sr6~1.1.1\", rls:\"SLES11.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"java-1_6_0-ibm-fonts\", rpm:\"java-1_6_0-ibm-fonts~1.6.0_sr6~1.1.1\", rls:\"SLES11.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"java-1_6_0-ibm-jdbc\", rpm:\"java-1_6_0-ibm-jdbc~1.6.0_sr6~1.1.1\", rls:\"SLES11.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"java-1_6_0-ibm-plugin\", rpm:\"java-1_6_0-ibm-plugin~1.6.0_sr6~1.1.1\", rls:\"SLES11.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-26T08:55:21", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n java-1_6_0-ibm\n java-1_6_0-ibm-alsa\n java-1_6_0-ibm-fonts\n java-1_6_0-ibm-jdbc\n java-1_6_0-ibm-plugin\n\n\nMore details may also be found by searching for the SuSE\nEnterprise Server 11 patch database located at\nhttp://download.novell.com/patch/finder/", "cvss3": {}, "published": "2009-11-11T00:00:00", "type": "openvas", "title": "SLES11: Security update for IBM Java 1.6.0", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2670", "CVE-2009-0217", "CVE-2009-2493", "CVE-2009-2625", "CVE-2009-2673", "CVE-2009-2674", "CVE-2009-2671", "CVE-2009-2672", "CVE-2009-2676", "CVE-2009-2675"], "modified": "2017-07-11T00:00:00", "id": "OPENVAS:66230", "href": "http://plugins.openvas.org/nasl.php?oid=66230", "sourceData": "#\n#VID 27428b62b5ccd6ac2929bae4bea6f2dd\n# OpenVAS Vulnerability Test\n# $\n# Description: Security update for IBM Java 1.6.0\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n java-1_6_0-ibm\n java-1_6_0-ibm-alsa\n java-1_6_0-ibm-fonts\n java-1_6_0-ibm-jdbc\n java-1_6_0-ibm-plugin\n\n\nMore details may also be found by searching for the SuSE\nEnterprise Server 11 patch database located at\nhttp://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://bugzilla.novell.com/show_bug.cgi?id=548655\");\n script_id(66230);\n script_version(\"$Revision: 6666 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:13:36 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-11 15:56:44 +0100 (Wed, 11 Nov 2009)\");\n script_cve_id(\"CVE-2009-2676\", \"CVE-2009-2493\", \"CVE-2009-2670\", \"CVE-2009-0217\", \"CVE-2009-2671\", \"CVE-2009-2672\", \"CVE-2009-2673\", \"CVE-2009-2674\", \"CVE-2009-2675\", \"CVE-2009-2625\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"SLES11: Security update for IBM Java 1.6.0\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"java-1_6_0-ibm\", rpm:\"java-1_6_0-ibm~1.6.0_sr6~1.1.1\", rls:\"SLES11.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"java-1_6_0-ibm-alsa\", rpm:\"java-1_6_0-ibm-alsa~1.6.0_sr6~1.1.1\", rls:\"SLES11.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"java-1_6_0-ibm-fonts\", rpm:\"java-1_6_0-ibm-fonts~1.6.0_sr6~1.1.1\", rls:\"SLES11.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"java-1_6_0-ibm-jdbc\", rpm:\"java-1_6_0-ibm-jdbc~1.6.0_sr6~1.1.1\", rls:\"SLES11.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"java-1_6_0-ibm-plugin\", rpm:\"java-1_6_0-ibm-plugin~1.6.0_sr6~1.1.1\", rls:\"SLES11.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2021-09-28T17:51:08", "description": "### Overview\n\nActiveX controls that are built using a Microsoft ATL template may fail to properly handle initialization data, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description\n\nMicrosoft Active Template Library ([ATL](<http://msdn.microsoft.com/en-us/library/t9adwcde\\(VS.80\\).aspx>)) is a set of C++ classes that are designed to simplify the creation of COM objects and ActiveX controls. An ActiveX control can be designated as \"[safe for scripting](<http://msdn.microsoft.com/en-us/library/aa751977\\(VS.85\\).aspx#ov_script>),\" which means that it can be used by an untrusted caller such as JavaScript in a web page, and/or it may be designated as \"[safe for initialization](<http://msdn.microsoft.com/en-us/library/aa751977\\(VS.85\\).aspx#ov_init>),\" which means that it can accept untrusted initialization data. ActiveX controls that are developed using the Microsoft ATL technology may fail to properly handle initialization data. The specific vulnerabilities include the use of uninitialized objects, unsafe usage of [`OleLoadFromStream`](<http://msdn.microsoft.com/en-us/library/ms680103\\(VS.85\\).aspx>), and the failure to check for a terminating NULL character. This may result in memory corruption that can be leveraged to execute code, or it may bypass Internet Explorer [kill bit](<http://support.microsoft.com/kb/240797>) restrictions on unsafe controls. \n \n--- \n \n### Impact\n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code. \n \n--- \n \n### Solution\n\n**Apply an update**\n\nThis vulnerability has been addressed in the update for Internet Explorer provided in Microsoft Security Bulletin [MS09-034](<http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx>). This update helps prevent ActiveX controls that were built with the vulnerable ATL versions from being initialized with unsafe data patterns in Internet Explorer. This also includes techniques that can be used to bypass the kill bit in Internet Explorer. \n \n**Update and recompile ActiveX controls** \n \nDevelopers who have created ActiveX controls using Microsoft ATL should install the update for Microsoft Security Bulletin [MS09-035](<http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx>) and recompile the ActiveX controls. This will cause the controls to use an updated ATL version that addresses these vulnerabilities. \n \n**Disable ActiveX** \n \nDisabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the \"[Securing Your Web Browser](<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>)\" document. \n \n--- \n \n### Vendor Information\n\n456745\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Adobe __ Affected\n\nUpdated: July 30, 2009 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Vendor References\n\n * <http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html>\n * <http://www.adobe.com/support/security/bulletins/apsb09-10.html>\n\n### Addendum\n\nPlease see the Adobe PSIRT blog entry: [Impact of Microsoft ATL vulnerability on Adobe Products](<http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html>). Adobe has relased [APSB09-11](<http://www.adobe.com/support/security/bulletins/apsb09-11.html>) for Shockwave Player and [APSB09-10](<http://www.adobe.com/support/security/bulletins/apsb09-10.html>) for Flash Player.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23456745 Feedback>).\n\n### Aurigma Inc. Affected\n\nNotified: July 28, 2009 Updated: July 29, 2009 \n\n**Statement Date: July 29, 2009**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Cisco Systems, Inc. __ Affected\n\nNotified: July 28, 2009 Updated: July 29, 2009 \n\n**Statement Date: July 29, 2009**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nCisco Systems has published [Cisco Security Advisory cisco-sa-20090728-activex](<http://www.cisco.com/warp/public/707/cisco-sa-20090728-activex.shtml>) in response to this issue. Users of the affected product(s) should review this advisory and apply the mitigations it describes.\n\n### F5 Networks, Inc. __ Affected\n\nNotified: July 28, 2009 Updated: July 29, 2009 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nFirePass Controls for 5.5,5.5.1,5.5.2, 6.02, and 6.03; SAM 8.0 Controls are affected.\n\n### Microsoft Corporation __ Affected\n\nUpdated: July 28, 2009 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Vendor References\n\n * <http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx>\n * <http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx>\n\n### Addendum\n\n**Apply an update**\n\nThis vulnerability has been addressed in the update for Internet Explorer provided in Microsoft Security Bulletin [MS09-034](<http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx>). This update helps prevent ActiveX controls that were built with the vulnerable ATL versions from being initialized with unsafe data patterns in Internet Explorer. This also includes techniques that can be used to bypass the kill bit in Internet Explorer. \n \n**Update and recompile ActiveX controls** \n \nDevelopers who have created ActiveX controls using Microsoft ATL should install the update for Microsoft Security Bulletin [MS09-035](<http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx>) and recompile the ActiveX controls. This will cause the controls to use an updated ATL version that addresses these vulnerabilities.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23456745 Feedback>).\n\n### OSISoft __ Affected\n\nUpdated: August 04, 2009 \n\n**Statement Date: August 03, 2009**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Vendor References\n\n * <http://techsupport.osisoft.com/Bulletins/4/7b5d4995-a2ae-4c14-b375-f4ad059d3d2c.htm>\n\n### Addendum\n\nPlease see the OSISoft [Security Alert](<http://techsupport.osisoft.com/Bulletins/4/7b5d4995-a2ae-4c14-b375-f4ad059d3d2c.htm>) for more details.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23456745 Feedback>).\n\n### SoftArtisans, Inc __ Affected\n\nNotified: July 28, 2009 Updated: February 24, 2010 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nPlease see [SoftArtisans support document 1331](<http://support.softartisans.com/kbview.aspx?ID=1331>).\n\n### Vendor References\n\n * <http://support.softartisans.com/kbview.aspx?ID=1331>\n\n### SonicWall __ Affected\n\nNotified: July 28, 2009 Updated: October 28, 2009 \n\n**Statement Date: July 30, 2009**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe XTSAC.cab file, which is used in the SSL-VPN 200, 2000 and 4000 products for IE browser-based RDP connections is affected by the issue.\n\nSonicWALL has addressed VU#456745 for the following products at the specified firmware version: \n \nSSL-VPN 200: 3.5.0.2-7sv (posted 9/16/2009) \nSSL-VPN 2000/4000: 3.5.0.11-29sv (posted 9/16/2009)\n\n### Sun Microsystems, Inc. __ Affected\n\nUpdated: August 05, 2009 \n\n**Statement Date: August 05, 2009**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Vendor References\n\n * <http://sunsolve.sun.com/search/document.do?assetkey=1-66-264648-1>\n\n### Addendum\n\nPlease see [Sun Alert 264648](<http://sunsolve.sun.com/search/document.do?assetkey=1-66-264648-1>) for more details.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23456745 Feedback>).\n\n### Apple Inc. __ Not Affected\n\nNotified: July 28, 2009 Updated: July 31, 2009 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nNo Apple products are affected by the ATL issue.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### IBM Corporation Not Affected\n\nNotified: July 28, 2009 Updated: July 29, 2009 \n\n**Statement Date: July 28, 2009**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### LogicNP __ Not Affected\n\nNotified: July 28, 2009 Updated: July 30, 2009 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThis issue does not affect us since our ActiveX controls are based on MFC and do not use ATL templates.\n\n### VanDyke Software __ Not Affected\n\nNotified: July 28, 2009 Updated: August 04, 2009 \n\n**Statement Date: July 31, 2009**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nOur development team has confirmed that VU#456745 does *not* affect any of our products.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Alcatel-Lucent Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### America Online, Inc. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Attachmate Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Axis Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### BT Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Business Objects Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Callisto Corporation Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Computer Associates eTrust Security Management Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Computer Emergency Response Team Brazil Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Corel Corporation Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### E-Book Systems Inc. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### ESET, LLC. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Electronic Arts Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### GOVCERT-NL Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### GameTap-Turner Broadcasting subsidiary Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Gracenote Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Hewlett-Packard Company Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Husdawg Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Iconics, Inc. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### IncrediMail Ltd. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Infotriever, Inc. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### InterActual Technologies, Inc. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Intuit, Inc. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Juniper Networks, Inc. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Kodak Easy Share Gallery Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Lenovo Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### LizardTech, Inc Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Lotus Software Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Media Technology Group Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Motive Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Move Networks, Inc. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Namzak Labs Inc. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Nokia Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Novell, Inc. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Oracle Corporation Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### PNI Digital Media Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Panda Software Ltd. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Radiant Systems Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### RealNetworks, Inc. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Research in Motion (RIM) Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### SAP Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### SafeNet Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### ScriptLogic Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Siemens Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Simba Technologies Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### SupportSoft, Inc. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### SwiftView Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Symantec Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Trend Micro Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Unigraphics Solutions Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### View22 Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### WeOnlyDo! Software Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### WinZip Computing, Inc. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Worldspan Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Xerox Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Yahoo, Inc. Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### eBay Unknown\n\nNotified: July 28, 2009 Updated: July 28, 2009 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\nView all 70 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- \nTemporal | 0 | E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND) \nEnvironmental | 0 | CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND) \n \n \n\n\n### References\n\n * <http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx>\n * <http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx>\n * <http://www.microsoft.com/security/atl.aspx>\n * <http://blogs.technet.com/msrc/archive/2009/07/28/microsoft-security-advisory-973882-microsoft-security-bulletins-ms09-034-and-ms09-035-released.aspx>\n * <http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx>\n * <http://blogs.technet.com/ecostrat/archive/2009/07/27/threat-complexity-requires-new-levels-of-collaboration.aspx>\n * <http://www.microsoft.com/technet/security/advisory/973882.mspx>\n * <http://msdn.microsoft.com/en-us/library/ms680103(VS.85).aspx>\n * <http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx>\n * <http://msdn.microsoft.com/en-us/library/t9adwcde(VS.80).aspx>\n * <http://support.microsoft.com/kb/168371>\n * <http://support.microsoft.com/kb/240797>\n * <http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html>\n * <http://www.adobe.com/support/security/advisories/apsa09-04.html>\n * <http://www.adobe.com/support/security/bulletins/apsb09-10.html>\n * <http://www.adobe.com/support/security/bulletins/apsb09-11.html>\n * <http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html>\n * <http://blogs.technet.com/srd/archive/2009/07/28/msvidctl-ms09-032-and-the-atl-vulnerability.aspx>\n * <http://blogs.technet.com/srd/archive/2009/07/28/atl-vulnerability-developer-deep-dive.aspx>\n * <http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx>\n * <http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx>\n * <http://blogs.technet.com/bluehat/archive/2009/07/27/black-hat-usa-atl-killbit-bypass.aspx>\n * <http://support.softartisans.com/kbview.aspx?ID=1331>\n\n### Acknowledgements\n\nThanks to Microsoft for reporting this vulnerability, who in turn credit David Dewey of IBM ISS X-Force and Ryan Smith of Verisign iDefense labs.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2009-0901](<http://web.nvd.nist.gov/vuln/detail/CVE-2009-0901>), [CVE-2009-2493](<http://web.nvd.nist.gov/vuln/detail/CVE-2009-2493>), [CVE-2009-2495](<http://web.nvd.nist.gov/vuln/detail/CVE-2009-2495>) \n---|--- \n**Severity Metric:** | 47.08 \n**Date Public:** | 2009-07-09 \n**Date First Published:** | 2009-07-28 \n**Date Last Updated: ** | 2010-02-24 15:28 UTC \n**Document Revision: ** | 44 \n", "cvss3": {}, "published": "2009-07-28T00:00:00", "type": "cert", "title": "ActiveX controls built with Microsoft ATL fail to properly handle initialization data", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0901", "CVE-2009-2493", "CVE-2009-2495"], "modified": "2010-02-24T15:28:00", "id": "VU:456745", "href": "https://www.kb.cert.org/vuls/id/456745", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:32", "description": "Microsoft Security Bulletin MS09-060 - Critical\r\nVulnerabilities in Microsoft Active Template Library &#40;ATL&#41; ActiveX Controls for Microsoft Office Could Allow Remote Code Execution &#40;973965&#41;\r\nPublished: October 13, 2009\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis security update resolves several privately reported vulnerabilities in ActiveX Controls for Microsoft that were compiled with a vulnerable version of Microsoft Active Template Library &#40;ATL&#41;. The vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nThis security update is rated Critical for all supported editions of Microsoft Outlook 2002, Microsoft Office Outlook 2003, Microsoft Office Outlook 2007, Microsoft Visio 2002 Viewer, Microsoft Office Visio 2003 Viewer, and Microsoft Office Visio Viewer 2007. For more information on the software affected by this update, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nThe security update addresses the vulnerabilities by correcting the manner in which ATL handles the instantiation of objects from data streams, providing updated versions of the affected components and controls built using corrected ATL headers. For more information about the vulnerability, see the Frequently Asked Questions &#40;FAQ&#41; subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nRecommendation. Microsoft recommends that customers apply the update immediately.\r\n\r\nKnown Issues. Microsoft Knowledge Base Article 973965 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues. When currently known issues and recommended solutions pertain only to specific releases of this software, this article provides links to further articles.\r\nTop of sectionTop of section\r\nAffected and Non-Affected Software\r\n\r\nThe following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software\r\nOffice Suite and Other Software\tComponent\tMaximum Security Impact\tAggregate Severity Rating\tBulletins Replaced by this Update\r\n\r\nMicrosoft Office XP Service Pack 3\r\n\t\r\n\r\nMicrosoft Outlook 2002 Service Pack 3\r\n&#40;KB973702&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS08-015\r\n\r\nMicrosoft Office 2003 Service Pack 3\r\n\t\r\n\r\nMicrosoft Office Outlook 2003 Service Pack 3\r\n&#40;KB973705&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS08-015\r\n\r\n2007 Microsoft Office System Service Pack 1 and 2007 Microsoft Office System Service Pack 2\r\n\t\r\n\r\nMicrosoft Office Outlook 2007 Service Pack 1 and Microsoft Office Outlook 2007 Service Pack 2\r\n&#40;KB972363&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\nOther Office Software\t \t \t \t \r\n\r\nMicrosoft Visio 2002 Viewer*\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nMicrosoft Office Visio 2003 Viewer*\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nMicrosoft Office Visio Viewer 2007, Microsoft Office Visio Viewer 2007 Service Pack 1, and Microsoft Office Visio Viewer 2007 Service Pack 2\r\n&#40;KB973709&#41;\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\n*Microsoft recommends that users of Microsoft Visio Viewer 2002 and Microsoft Visio Viewer 2003 upgrade to Microsoft Office Visio Viewer 2007 Service Pack 2.\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions &#40;FAQ&#41; Related to This Security Update\r\n\r\nWhere are the updates for Visio Viewer 2002 and Visio Viewer 2003?\r\nMicrosoft recommends that all users of Microsoft Visio Viewer 2002 and Microsoft Visio Viewer 2003 upgrade to the latest version of Microsoft Visio Viewer 2007 to address this vulnerability. Users who are unable to upgrade should apply the update from MS09-034. The MS09-034 Internet Explorer update mitigates the attack vector for affected Visio Viewer platforms. Users may also apply the kill bit for the affected control using the procedures listed in the workaround sections of this bulletin. A kill bit for these controls will be included in a future cumulative security update for Internet Explorer.\r\n\r\nHow does this bulletin relate to the vulnerabilities described in Microsoft Security Advisory &#40;973882&#41;?\r\nThis bulletin addresses vulnerabilities in the public version of the Active Template Library &#40;ATL&#41;. Vulnerabilities in the private version of ATL are described in Microsoft Security Advisory &#40;973882&#41;.\r\n\r\nIs this security update related to MS09-034? \r\nYes. Microsoft Security Bulletin MS09-034, &quot;Cumulative Security Update for Internet Explorer,&quot; includes a mitigation that helps prevent components and controls built using the vulnerable ATL from being exploited in Internet Explorer, as well as addressing multiple unrelated vulnerabilities. The new defense in depth protections offered in MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8, that monitor and help prevent the successful exploitation of all known public and private ATL vulnerabilities, including the vulnerabilities that could lead to bypassing ActiveX&#39;s kill bit security feature. These protections are designed to help protect customers from Web-based attacks.\r\n\r\nIf I have installed the MS09-034 update, do I still need to install this update? \r\nYes. This security bulletin update addresses vulnerabilities in Office components. By installing this update, users ensure that all known issues caused by vulnerable ATL headers and libraries are corrected for core Office components.\r\n\r\nIf I have installed the MS09-034 update, do I still need to install additional components and controlsissued by Microsoft or third parties that address the vulnerabilities described in Microsoft Security Advisory 973882 and Microsoft Security Bulletin MS09-035? \r\nYes, you need to install updated controls from third parties when released. The MS09-034 Internet Explorer mitigation does not address the underlying vulnerabilities within certain components and controls developed with the Active Template Library.\r\n\r\nWhere are the file information details? \r\nRefer to the reference tables in the Security Update Deployment section for the location of the file information details.\r\n\r\nWhat is ATL?\r\nThe Active Template Library &#40;ATL&#41; is a set of template-based C++ classes that let you create small, fast Component Object Model &#40;COM&#41; objects. It has special support for key COM features, including stock implementations, dual interfaces, standard COM enumerator interfaces, connection points, tear-off interfaces, and ActiveX controls. For more information, see the following MSDN article.\r\n\r\nWhy does this update address several reported security vulnerabilities? \r\nThis update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.\r\n\r\nI am using an older release of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.\r\n\r\nIt should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.\r\n\r\nCustomers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\nTop of sectionTop of section\r\nVulnerability Information\r\n\t\r\nSeverity Ratings and Vulnerability Identifiers\r\n\r\nThe following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin&#39;s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the October bulletin summary. For more information, see Microsoft Exploitability Index.\r\nVulnerability Severity Rating and Maximum Security Impact by Affected Software\r\nAffected Software\tATL Uninitialized Object Vulnerability - CVE-2009-0901\tATL COM Initialization Vulnerability - CVE-2009-2493\tATL Null String Vulnerability - CVE-2009-2495\tAggregate Severity Rating\r\n\r\nMicrosoft Outlook 2002 Service Pack 3\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nInformation Disclosure\r\n\t\r\n\r\nCritical\r\n\r\nMicrosoft Office Outlook 2003 Service Pack 3\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nInformation Disclosure\r\n\t\r\n\r\nCritical\r\n\r\nMicrosoft Office Outlook 2007 Service Pack 1 and Microsoft Office Outlook 2007 Service Pack 2\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nInformation Disclosure\r\n\t\r\n\r\nCritical\r\nOther Office Software\t \t \t \t \r\n\r\nMicrosoft Visio 2002 Viewer\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nInformation Disclosure\r\n\t\r\n\r\nCritical\r\n\r\nMicrosoft Office Visio 2003 Viewer\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nInformation Disclosure\r\n\t\r\n\r\nCritical\r\n\r\nMicrosoft Office Visio Viewer 2007, Microsoft Office Visio Viewer 2007 Service Pack 1, and Microsoft Office Visio Viewer 2007 Service Pack 2\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nInformation Disclosure\r\n\t\r\n\r\nCritical\r\nTop of sectionTop of section\r\n\t\r\nATL Uninitialized Object Vulnerability - CVE-2009-0901\r\n\r\nA remote code execution vulnerability exists in the Microsoft Active Template Library &#40;ATL&#41; due to an issue in the ATL headers that could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized. Because of this, the attacker can control what happens when VariantClear is called during handling of an error by supplying a corrupt stream. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. This issue could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-0901.\r\n\t\r\nMitigating Factors for ATL Uninitialized Object Vulnerability - CVE-2009-0901\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nThe vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker\u2019s Web site.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for ATL Uninitialized Object Vulnerability - CVE-2009-0901\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nDo not open or save Microsoft Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for ATL Uninitialized Object Vulnerability - CVE-2009-0901\r\n\r\nWhat is the scope of the vulnerability? \r\nThis vulnerability only directly affects systems with vulnerable components and controls installed that were built using affected versions of Microsoft&#39;s ATL.\r\n\r\nThis is a remote code execution vulnerability. For example, the vulnerability could allow remote code execution if the user visits a specially crafted Web page with Internet Explorer that instantiates a vulnerable component or control. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is due to an issue in the ATL headers that could allow an attacker to call VariantClear&#40;&#41; on a variant that has not been correctly initialized. For developers who created a component or control using ATL in this manner, the resulting component or control could allow remote code execution in the context of the logged on user.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nIf a user has a vulnerable control on their system and an attacker bypasses the mitigations described in Microsoft Security Advisory &#40;973882&#41;, then an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer by attempting to exploit a vulnerable control, and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have to discover a vulnerable control, and force users to visit these Web sites. To do this, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker&#39;s Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who should not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update addresses the issue by ensuring VariantClear&#40;&#41; can only be called on initialized variants, and provides updated versions of ATL that allow developers to address this issue in potentially vulnerable controls.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nA remote code execution vulnerability exists in the Microsoft Active Template Library &#40;ATL&#41; due to issues in the ATL headers that handle instantiation of an object from data streams. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. For components and controls built using ATL, unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary objects which can bypass related security policy, such as kill bits within Internet Explorer. This issue could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-2493.\r\n\t\r\nMitigating Factors for ATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nThe vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker\u2019s Web site.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for ATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nDo not open or save Microsoft Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for ATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nWhat is the scope of the vulnerability? \r\nThis vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL.\r\n\r\nThis is a remote code execution vulnerability. The vulnerability could allow remote code execution if the user visits a specially crafted Web page with Internet Explorer, instantiating a vulnerable component or control. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is due to issues in the ATL headers that handle instantiation of an object from data streams. For components and controls built using ATL, unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary objects which can bypass certain related security policies.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nIf a user has a vulnerable control on their system, and an attacker bypasses the mitigations described in Microsoft Security Advisory &#40;973882&#41;, then if the user is logged on with administrative user rights an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer by attempting to exploit a vulnerable control, and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have to discover a vulnerable control, and force users to visit these Web sites. To do this, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker&#39;s Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who should not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update addresses the vulnerability by correcting the manner in which ATL handles the instantiation of objects from data streams and providing updated versions of ATL that allow developers to address this issue in potentially vulnerable controls.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nATL Null String Vulnerability - CVE-2009-2495\r\n\r\nAn information disclosure vulnerability exists in the Microsoft Active Template Library &#40;ATL&#41; that could allow a string to be read without a terminating NULL character. An attacker could manipulate this string to read extra data beyond the end of the string and thus disclose information in memory. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. An attacker who successfully exploited this vulnerability could run a malicious component or control that could disclose information, forward user data to a third party, or access any data on the affected systems that was accessible to the logged-on user. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-2495.\r\n\t\r\nMitigating Factors for ATL Null String Vulnerability - CVE-2009-2495\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nThe vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker\u2019s Web site.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for ATL Null String Vulnerability - CVE-2009-2495\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nDo not open or save Microsoft Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for ATL Null String Vulnerability - CVE-2009-2495\r\n\r\nWhat is the scope of the vulnerability? \r\nThis vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL.\r\n\r\nThis is an information disclosure vulnerability. An attacker who successfully exploited this vulnerability could run a malicious component or control that could disclose information, forward user data to a third party, or access any data on the affected systems that was accessible to the logged-on user. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce useful information that could be used to try to further compromise the affected system.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability results from an issue in the ATL headers that could allow a string to be read with no ending NULL bytes. An attacker could manipulate this string to read extra data beyond the end of the string and thus disclose information in memory.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could access any data available to the logged on user.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nIf a user has a vulnerable control on their system, and an attacker bypasses the mitigations described in Microsoft Security Advisory &#40;973882&#41;, an attacker could read information in memory on the affected system\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who should not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update addresses the vulnerability by enforcing proper buffer allocation when reading a stream and providing updated versions of ATL that allow developers to address this issue in potentially vulnerable controls.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nDavid Dewey of IBM ISS X-Force for reporting the ATL Uninitialized Object Vulnerability &#40;CVE-2009-0901&#41;\r\n\u2022\t\r\n\r\nRyan Smith of VeriSign iDefense Labs for reporting the ATL COM Initialization Vulnerability &#40;CVE-2009-2493&#41;\r\n\u2022\t\r\n\r\nRyan Smith of VeriSign iDefense Labs for reporting the ATL Null String Vulnerability &#40;CVE-2009-2495&#41;\r\nTop of sectionTop of section\r\nMicrosoft Active Protections Program &#40;MAPP&#41;\r\n\r\nTo improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program &#40;MAPP&#41; Partners.\r\n\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided &quot;as is&quot; without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 &#40;October 13, 2009&#41;: Bulletin published.", "edition": 1, "cvss3": {}, "published": "2009-10-13T00:00:00", "title": "Microsoft Security Bulletin MS09-055 - Critical Cumulative Security Update of ActiveX Kill Bits &#40;973525&#41;", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-2495", "CVE-2009-2493", "CVE-2009-0901"], "modified": "2009-10-13T00:00:00", "id": "SECURITYVULNS:DOC:22613", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22613", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:33", "description": "Memory corruptions, information leak, initialization problem, leading to killbit protection bypass.", "edition": 1, "cvss3": {}, "published": "2009-10-13T00:00:00", "title": "Microsoft Active Template Library &#40;ATL&#41; multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-2495", "CVE-2009-2493", "CVE-2009-0901"], "modified": "2009-10-13T00:00:00", "id": "SECURITYVULNS:VULN:10106", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10106", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:31", "description": "Microsoft Security Bulletin MS09-035 - Moderate\r\nVulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution &#40;969706&#41;\r\nPublished: July 28, 2009\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis security update addresses several privately reported vulnerabilities in the public versions of the Microsoft Active Template Library &#40;ATL&#41; included with Visual Studio. This security update is specifically intended for developers of components and controls. Developers who build and redistribute components and controls using ATL should install the update provided in this bulletin and follow the guidance provided to create, and distribute to their customers, components and controls that are not vulnerable to the vulnerabilities described in this security bulletin.\r\n\r\nThis security bulletin discusses vulnerabilities that could allow remote code execution if a user loaded a component or control built with the vulnerable versions of ATL.\r\n\r\nWhile most Microsoft Security Bulletins discuss the risk of a vulnerability for a specific product, this security bulletin discusses the vulnerabilities that may be present in products built using the ATL. Therefore, this security update is rated Moderate for all supported editions of Microsoft Visual Studio .NET 2003, Microsoft Visual Studio 2005, Microsoft Visual Studio 2008, Microsoft Visual C++ 2005 Redistributable Package, and Microsoft Visual C++ 2008 Redistributable Package.\r\n\r\nFor more information on the impact of, and workarounds and mitigations for controls and components that may be vulnerable to these issues, please see Microsoft Security Advisory &#40;973882&#41;.\r\n\r\nFor more information, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nThe security update addresses the vulnerabilities by modifying the ATL headers so that components and controls built using the headers can safely initialize from a data stream. For more information about the vulnerabilities, see the Frequently Asked Questions &#40;FAQ&#41; subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nRecommendation. Developers who have built components and controls using ATL should download this update and recompile their components and controls following the guidance provided in the following MSDN article.\r\n\r\nThe majority of Visual Studio customers who have automatic updating enabled will receive this update automatically and receive the updated ATL. However, as noted earlier, additional steps will be needed to update potentially vulnerable controls and components. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.\r\n\r\nFor administrators and enterprise installations or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.\r\n\r\nSee also the section, Detection and Deployment Tools and Guidance, later in this bulletin.\r\n\r\nKnown Issues. Microsoft Knowledge Base Article 969706 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.\r\nTop of sectionTop of section\r\nAffected and Non-Affected Software\r\n\r\nThe following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software\r\nSoftware\tMaximum Security Impact\tAggregate Severity Rating\tBulletins Replaced by this Update\r\n\r\nMicrosoft Visual Studio .NET 2003 Service Pack 1\r\n&#40;KB971089&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nNone\r\n\r\nMicrosoft Visual Studio 2005 Service Pack 1\r\n&#40;KB971090&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nNone\r\n\r\nMicrosoft Visual Studio 2005 Service Pack 1 64-bit Hosted Visual C++ Tools\r\n&#40;KB973830&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nNone\r\n\r\nMicrosoft Visual Studio 2008\r\n&#40;KB971091&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nNone\r\n\r\nMicrosoft Visual Studio 2008 Service Pack 1\r\n&#40;KB971092&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nNone\r\n\r\nMicrosoft Visual C++ 2005 Service Pack 1 Redistributable Package\r\n&#40;KB973544&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nNone\r\n\r\nMicrosoft Visual C++ 2008 Redistributable Package\r\n&#40;KB973551&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nNone\r\n\r\nMicrosoft Visual C++ 2008 Service Pack 1 Redistributable Package\r\n&#40;KB973552&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nNone\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions &#40;FAQ&#41; Related to This Security Update\r\n\r\nWhy was this security update released out of band? \r\nThis security update is being released out of band to address issues disclosed in Microsoft Security Advisory &#40;973882&#41;, &quot;Vulnerabilities in Microsoft Active Template Library &#40;ATL&#41; Could Allow Remote Code Execution.&quot;\r\n\r\nHow does this bulletin relate to the vulnerabilities described in Microsoft Security Advisory &#40;973882&#41;?\r\nThis bulletin addresses vulnerabilities in the public version of the Active Template Library &#40;ATL&#41;. Vulnerabilities in the private version of ATL are described in Microsoft Security Advisory &#40;973882&#41;.\r\n\r\nIf these are remote code execution vulnerabilities, why is this bulletin only rated Moderate? \r\nThis bulletin is rated Moderate because Microsoft Visual Studio, by default, is not affected by these vulnerabilities. Controls and components built using the affected ATL are vulnerable, and if affected, would be rated Critical or Moderate depending on the type of vulnerability present in the control or component.\r\n\r\nAre Visual Studio users directly affected by these vulnerabilities? \r\nNo. The existence of Visual Studio on your system does not make you vulnerable to this issue.\r\n\r\nThe update associated with this bulletin is intended for developers who create components and controls so that they can use Visual Studio to create components and controls that are not vulnerable to the reported issues. Only vulnerable components and controls developed with an affected ATL version are affected by this issue. Developers who built or redistributed components and controls built with affected versions of the ATL should install the update provided in this bulletin and follow the steps provided to ensure that their components and controls do not contain the vulnerabilities described in this bulletin.\r\n\r\nWhich versions of the ActiveTemplate Library are affected by these vulnerabilities?\r\nVersions 7.0, 7.1, 8.0, and 9.0 are affected. All others versions are unsupported.\r\n\r\nWhich versions of Visual Studio are affected?\r\nPlease see Affected and Non-Affected Software, in this Microsoft Security Bulletin.\r\n\r\nIs this security update related to MS09-034, also released as an out-of-band update? \r\nYes. Microsoft Security Bulletin MS09-034, &quot;Cumulative Security Update for Internet Explorer,&quot; includes a mitigation that helps prevent components and controls built using the vulnerable ATL from being exploited in Internet Explorer, as well as addressing multiple unrelated vulnerabilities. The new defense in depth protections offered in MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8, that monitor and help prevent the successful exploitation of all known public and private ATL vulnerabilities, including the vulnerabilities that could lead to bypassing ActiveX&#39;s kill bit security feature. These protections are designed to help protect customers from Web-based attacks.\r\n\r\nIf I have installed the MS09-034 update, do I still need to install this update? \r\nThis security update is specifically intended for developers of components and controls. Developers who built or redistributed components and controls built with affected versions of the Active Template Library should install the update provided in this bulletin and follow the steps provided to ensure that their components and controls do not contain the vulnerabilities described in this bulletin.\r\n\r\nIf I have installed the MS09-034 update, do I still need to install additional components and controlsissued by Microsoft or third parties that address the vulnerabilities described in Microsoft Security Advisory 973882 and Microsoft Security Bulletin MS09-035? \r\nThe MS09-034 Internet Explorer mitigation does not address the underlying vulnerabilities within certain components and controls developed with the Active Template Library. Microsoft recommends that developers follow the guidance provided in this bulletin to modify and rebuild all components and controls affected by vulnerabilities described in this bulletin.\r\n\r\nWhere are the file information details? \r\nRefer to the reference tables in the Security Update Deployment section for the location of the file information details.\r\n\r\nWhat is ATL?\r\nThe Active Template Library &#40;ATL&#41; is a set of template-based C++ classes that let you create small, fast Component Object Model &#40;COM&#41; objects. It has special support for key COM features, including stock implementations, dual interfaces, standard COM enumerator interfaces, connection points, tear-off interfaces, and ActiveX controls. For more information, see the following MSDN article.\r\n\r\nAre third-party components and controls affected by this issue?\r\nSome third-party components and controls may be affected by this issue if certain conditions were met during the building of the components and controls. Microsoft recommends that developers follow the guidance provided in this bulletin to modify and rebuild all components and controls affected by vulnerabilities described in this bulletin.\r\n\r\nI am a third-party application developer and I use ATL in my components and controls. Are my components and controls vulnerable, and if so, how do I update them? \r\nFor instructions on determining whether your components and controls are vulnerable and how to update them, see the following MSDN Article.\r\n\r\nWhy does this update address several reported security vulnerabilities? \r\nThis update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.\r\n\r\nI am using an older release of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.\r\n\r\nIt should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.\r\n\r\nCustomers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\n\r\nI am a developer and I have questions regarding this issue that are not documented in this Microsoft Security Bulletin. What can I do?\r\nAs part of our response to this issue, Microsoft is providing specialized developer content and links to forums to get your questions answered by Microsoft resources and the Microsoft developer community. For more information, please see the following MSDN Article.\r\nTop of sectionTop of section\r\nVulnerability Information\r\n\t\r\nSeverity Ratings and Vulnerability Identifiers\r\n\r\nThe following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin&#39;s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the July bulletin summary. For more information, see Microsoft Exploitability Index.\r\nVulnerability Severity Rating and Maximum Security Impact by Affected Software\r\nAffected Software\tATL Uninitialized Object Vulnerability - CVE-2009-0901\tATL COM Initialization Vulnerability - CVE-2009-2493\tATL Null String Vulnerability - CVE-2009-2495\tAggregate Severity Rating\r\n\r\nMicrosoft Visual Studio .NET 2003 Service Pack 1\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nInformation disclosure\r\n\t\r\n\r\nModerate\r\n\r\nMicrosoft Visual Studio 2005 Service Pack 1\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nInformation disclosure\r\n\t\r\n\r\nModerate\r\n\r\nMicrosoft Visual Studio 2005 Service Pack 1 64-bit Hosted Visual C++ Tools\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nInformation disclosure\r\n\t\r\n\r\nModerate\r\n\r\nMicrosoft Visual Studio 2008\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nInformation disclosure\r\n\t\r\n\r\nModerate\r\n\r\nMicrosoft Visual Studio 2008 Service Pack 1\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nInformation disclosure\r\n\t\r\n\r\nModerate\r\n\r\nMicrosoft Visual C++ 2005 Service Pack 1 Redistributable Package\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nInformation disclosure\r\n\t\r\n\r\nModerate\r\n\r\nMicrosoft Visual C++ 2008 Redistributable Package\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nInformation disclosure\r\n\t\r\n\r\nModerate\r\n\r\nMicrosoft Visual C++ 2008 Service Pack 1 Redistributable Package\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nInformation disclosure\r\n\t\r\n\r\nModerate\r\nTop of sectionTop of section\r\n\t\r\nATL Uninitialized Object Vulnerability - CVE-2009-0901\r\n\r\nA remote code execution vulnerability exists in the Microsoft Active Template Library &#40;ATL&#41; due to an issue in the ATL headers that could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized. Because of this, the attacker can control what happens when VariantClear is called during handling of an error by supplying a corrupt stream. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. This issue could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-0901.\r\n\t\r\nMitigating Factors for ATL Uninitialized Object Vulnerability - CVE-2009-0901\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nBy default, Visual Studio as a product is not vulnerable to this issue. Instead, components and controls built with the vulnerable versions of ATL may be vulnerable.\r\n\u2022\t\r\n\r\nMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory &#40;973882&#41;.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for ATL Uninitialized Object Vulnerability - CVE-2009-0901\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory &#40;973882&#41;.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for ATL Uninitialized Object Vulnerability - CVE-2009-0901\r\n\r\nWhat is the scope of the vulnerability? \r\nThis vulnerability only directly affects systems with vulnerable components and controls installed that were built using affected versions of Microsoft&#39;s ATL.\r\n\r\nThis is a remote code execution vulnerability. For example, the vulnerability could allow remote code execution if the user visits a specially crafted Web page with Internet Explorer that instantiates a vulnerable component or control. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is due to an issue in the ATL headers that could allow an attacker to call VariantClear&#40;&#41; on a variant that has not been correctly initialized. For developers who created a component or control using ATL in this manner, the resulting component or control could allow remote code execution in the context of the logged on user.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nIf a user has a vulnerable control on their system and an attacker bypasses the mitigations described in Microsoft Security Advisory &#40;973882&#41;, then an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer by attempting to exploit a vulnerable control, and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have to discover a vulnerable control, and force users to visit these Web sites. To do this, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker&#39;s Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who should not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update addresses the issue by ensuring VariantClear&#40;&#41; can only be called on initialized variants, and provides updated versions of ATL that allow developers to address this issue in potentially vulnerable controls.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nA remote code execution vulnerability exists in the Microsoft Active Template Library &#40;ATL&#41; due to issues in the ATL headers that handle instantiation of an object from data streams. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. For components and controls built using ATL, unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary objects which can bypass related security policy, such as kill bits within Internet Explorer. This issue could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-2493.\r\n\t\r\nMitigating Factors for ATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nBy default, Visual Studio as a product is not vulnerable to this issue. Instead, components and controls built with the vulnerable versions of ATL may be vulnerable.\r\n\u2022\t\r\n\r\nMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory &#40;973882&#41;.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for ATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory &#40;973882&#41;.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for ATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nWhat is the scope of the vulnerability? \r\nThis vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL.\r\n\r\nThis is a remote code execution vulnerability. The vulnerability could allow remote code execution if the user visits a specially crafted Web page with Internet Explorer, instantiating a vulnerable component or control. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is due to issues in the ATL headers that handle instantiation of an object from data streams. For components and controls built using ATL, unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary objects which can bypass certain related security policies.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nIf a user has a vulnerable control on their system, and an attacker bypasses the mitigations described in Microsoft Security Advisory &#40;973882&#41;, then if the user is logged on with administrative user rights an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer by attempting to exploit a vulnerable control, and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have to discover a vulnerable control, and force users to visit these Web sites. To do this, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker&#39;s Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who should not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update addresses the vulnerability by correcting the manner in which ATL handles the instantiation of objects from data stream and providing updated versions of ATL that allow developers to address this issue in potentially vulnerable controls.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nATL Null String Vulnerability - CVE-2009-2495\r\n\r\nAn information disclosure vulnerability exists in the Microsoft Active Template Library &#40;ATL&#41; that could allow a string to be read without a terminating NULL character. An attacker could manipulate this string to read extra data beyond the end of the string and thus disclose information in memory. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. An attacker who successfully exploited this vulnerability could run a malicious component or control that could disclose information, forward user data to a third party, or access any data on the affected systems that was accessible to the logged-on user. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-2495.\r\n\t\r\nMitigating Factors for ATL Null String Vulnerability - CVE-2009-2495\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nBy default, Visual Studio as a product is not vulnerable to this issue. Instead, components and controls built with the vulnerable versions of ATL may be vulnerable.\r\n\u2022\t\r\n\r\nMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory &#40;973882&#41;.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for ATL Null String Vulnerability - CVE-2009-2495\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory &#40;973882&#41;.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for ATL Null String Vulnerability - CVE-2009-2495\r\n\r\nWhat is the scope of the vulnerability? \r\nThis vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL.\r\n\r\nThis is an information disclosure vulnerability. An attacker who successfully exploited this vulnerability could run a malicious component or control that could disclose information, forward user data to a third party, or access any data on the affected systems that was accessible to the logged-on user. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce useful information that could be used to try to further compromise the affected system.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability results from an issue in the ATL headers that could allow a string to be read with no ending NULL bytes. An attacker could manipulate this string to read extra data beyond the end of the string and thus disclose information in memory.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could access any data available to the logged on user.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nIf a user has a vulnerable control on their system, and an attacker bypasses the mitigations described in Microsoft Security Advisory &#40;973882&#41;, an attacker could read information in memory on the affected system\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who should not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update addresses the vulnerability by enforcing proper buffer allocation when reading a stream and providing updated versions of ATL that allow developers to address this issue in potentially vulnerable controls.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nDavid Dewey of IBM ISS X-Force for reporting the ATL Uninitialized Object Vulnerability &#40;CVE-2009-0901&#41;\r\n\u2022\t\r\n\r\nRyan Smith of VeriSign iDefense Labs for reporting the ATL COM Initialization Vulnerability &#40;CVE-2009-2493&#41;\r\n\u2022\t\r\n\r\nRyan Smith of VeriSign iDefense Labs for reporting the ATL Null String Vulnerability &#40;CVE-2009-2495&#41;\r\nTop of sectionTop of section\r\nMicrosoft Active Protections Program &#40;MAPP&#41;\r\n\r\nTo improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program &#40;MAPP&#41; Partners.\r\n\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided &quot;as is&quot; without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\nTop of sectionTop of section\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 &#40;July 28, 2009&#41;: Bulletin published.", "edition": 1, "cvss3": {}, "published": "2009-07-29T00:00:00", "title": "Microsoft Security Bulletin MS09-035 - Moderate Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution &#40;969706&#41;", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-2495", "CVE-2009-2493", "CVE-2009-0901"], "modified": "2009-07-29T00:00:00", "id": "SECURITYVULNS:DOC:22231", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22231", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:31", "description": "Microsoft Security Bulletin MS09-037 - Critical\r\nVulnerabilities in Microsoft Active Template Library &#40;ATL&#41; Could Allow Remote Code Execution &#40;973908&#41;\r\nPublished: August 11, 2009\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis security update resolves several privately reported vulnerabilities in Microsoft Active Template Library &#40;ATL&#41;. The vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control hosted on a malicious website. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nThis security update is rated Critical for all supported editions of Microsoft Windows 2000 Service Pack 4, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. For more information on the software affected by this update, see the subsection, Affected and Non-Affected Software, in this section. For more information on the impact of, and workarounds and mitigations for controls and components that may be vulnerable to these issues, please see Microsoft Security Advisory &#40;973882&#41;.\r\n\r\nThe security update addresses the vulnerabilities by modifying the ATL headers so that components and controls built using the headers can safely initialize from a data stream, and by providing updated versions of Windows components and controls built using corrected ATL headers. For more information about the vulnerabilities, see the Frequently Asked Questions &#40;FAQ&#41; subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nRecommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.\r\n\r\nFor administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.\r\n\r\nSee also the section, Detection and Deployment Tools and Guidance, later in this bulletin.\r\n\r\nKnown Issues. None\r\nTop of sectionTop of section\r\nAffected and Non-Affected Software\r\n\r\nThe following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software\r\nOperating System\tComponent\tMaximum Security Impact\tAggregate Severity Rating\tBulletins Replaced by this Update\r\nMicrosoft Windows 2000\t \t \t \t \r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nMicrosoft Outlook Express 5.5 Service Pack 2\r\n&#40;KB973354&#41;\r\n\r\nMicrosoft Outlook Express 6 Service Pack 1\r\n&#40;KB973354&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS08-048\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nWindows Media Player 9\r\n&#40;KB973540&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS07-047\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nWindows ATL Component\r\n&#40;KB973507&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nDHTML Editing Component ActiveX Control\r\n&#40;KB973869&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS05-013\r\nWindows XP\t \t \t \t \r\n\r\nWindows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nMicrosoft Outlook Express 6\r\n&#40;KB973354&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows XP Service Pack 2\r\n\t\r\n\r\nWindows Media Player 9, Windows Media Player 10, and Windows Media Player 11\r\n&#40;KB973540&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS07-047\r\n\r\nWindows XP Service Pack 3\r\n\t\r\n\r\nWindows Media Player 9\r\n&#40;KB973540&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows XP Service Pack 3\r\n\t\r\n\r\nWindows Media Player 10, and Windows Media Player 11\r\n&#40;KB973540&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS07-047\r\n\r\nWindows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nWindows ATL Component\r\n&#40;KB973507&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nDHTML Editing Component ActiveX Control\r\n&#40;KB973869&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS05-013\r\n\r\nWindows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nMicrosoft MSWebDVD ActiveX Control\r\n&#40;KB973815&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nMicrosoft Outlook Express 6\r\n&#40;KB973354&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nWindows Media Player 10\r\n&#40;KB973540&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS07-047\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nWindows Media Player 11\r\n&#40;KB973540&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS07-047\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nWindows ATL Component\r\n&#40;KB973507&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nDHTML Editing Component ActiveX Control\r\n&#40;KB973869&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nMicrosoft MSWebDVD ActiveX Control\r\n&#40;KB973815&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\nWindows Server 2003\t \t \t \t \r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nMicrosoft Outlook Express 6\r\n&#40;KB973354&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nWindows Media Player 10\r\n&#40;KB973540&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS07-047\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nWindows ATL Component\r\n&#40;KB973507&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nDHTML Editing Component ActiveX Control\r\n&#40;KB973869&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nMicrosoft MSWebDVD ActiveX Control\r\n&#40;KB973815&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nMicrosoft Outlook Express 6\r\n&#40;KB973354&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nWindows Media Player 10\r\n&#40;KB973540&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS07-047\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nWindows ATL Component\r\n&#40;KB973507&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nDHTML Editing Component ActiveX Control\r\n&#40;KB973869&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nMicrosoft MSWebDVD ActiveX Control\r\n&#40;KB973815&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nMicrosoft Outlook Express 6\r\n&#40;KB973354&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nWindows ATL Component\r\n&#40;KB973507&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nDHTML Editing Component ActiveX Control\r\n&#40;KB973869&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nMicrosoft MSWebDVD ActiveX Control\r\n&#40;KB973815&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\nWindows Vista\t \t \t \t \r\n\r\nWindows Vista\r\n\t\r\n\r\nWindows Media Player 11\r\n&#40;KB973540&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS07-047\r\n\r\nWindows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nWindows Media Player 11\r\n&#40;KB973540&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nWindows ATL Component\r\n&#40;KB973507&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Vista x64 Edition, Windows Vista\r\n\t\r\n\r\nWindows Media Player 11\r\n&#40;KB973540&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS07-047\r\n\r\nWindows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nWindows Media Player 11\r\n&#40;KB973540&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nWindows ATL Component\r\n&#40;KB973507&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\nWindows Server 2008\t \t \t \t \r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2\r\n\t\r\n\r\nWindows Media Player 11 **\r\n&#40;KB973540&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2\r\n\t\r\n\r\nWindows ATL Component*\r\n&#40;KB973507&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2\r\n\t\r\n\r\nWindows Media Player 11 **\r\n&#40;KB973540&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2\r\n\t\r\n\r\nWindows ATL Component*\r\n&#40;KB973507&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nWindows ATL Component\r\n&#40;KB973507&#41;\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\n*Windows Server 2008 Server Core installation affected. For supported editions of Windows Server 2008, this update applies, with the same severity rating, whether or not Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.\r\n\r\n**Windows Server 2008 Server Core installation not affected. The vulnerability addressed by this update does not affect supported editions of Windows Server 2008 if Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.\r\n\r\nNon-Affected Software\r\nOperating System\r\n\r\nWindows 7 for 32-bit Systems\r\n\r\nWindows 7 for x64-based Systems\r\n\r\nWindows Server 2008 R2 for x64-based Systems\r\n\r\nWindows Server 2008 R2 for Itanium-based Systems\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions &#40;FAQ&#41; Related to This Security Update\r\n\r\nWhere are the file information details? \r\nRefer to the reference tables in the Security Update Deployment section for the location of the file information details.\r\n\r\nWhat are the known issues that customers may experience when installing this security update? \r\nMicrosoft Knowledge Base Article 973908 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues.\r\n\r\nWhy does this update address several reported security vulnerabilities? \r\nThis update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.\r\n\r\nHow does this bulletin relate to the vulnerabilities described in Microsoft Security Advisory &#40;973882&#41;?\r\nThis bulletin addresses Windows components that are affected by the Active Template Library &#40;ATL&#41; vulnerabilities described in Microsoft Security Advisory &#40;973882&#41;.\r\n\r\nIs this security update related to MS09-034, released as an out-of-band update on July 28, 2009? \r\nYes. Microsoft Security Bulletin MS09-034, &quot;Cumulative Security Update for Internet Explorer,&quot; includes a mitigation that helps prevent components and controls built using the vulnerable ATL from being exploited in Internet Explorer, as well as addressing multiple unrelated vulnerabilities. The new defense in depth protections offered in MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8, that monitor and help prevent the successful exploitation of all known public and private ATL vulnerabilities, including the vulnerabilities that could lead to bypassing ActiveX&#39;s Kill Bit Security Feature. These protections are designed to help protect customers from Web-based attacks.\r\n\r\nIf I have installed the MS09-034 update, do I still need to install this update? \r\nYes. This security bulletin update addresses vulnerabilities in Windows components. By installing this update, users ensure that all known issues caused by vulnerable ATL headers and libraries are corrected for core Windows components.\r\n\r\nIf I have installed the MS09-034 update, do I still need to install additional components and controls issued by third-parties that address the vulnerabilities described in Microsoft Security Advisory 973882 and Microsoft Security Bulletin MS09-035?\r\nYes, you need to install updated controls from third parties when released. The MS09-034 Internet Explorer mitigation does not address the underlying vulnerabilities within certain components and controls developed with the Active Template Library. Microsoft recommends that developers follow the guidance provided in this bulletin to modify and rebuild all components and controls affected by vulnerabilities described in this bulletin.\r\n\r\nWhat is ATL?\r\nThe Active Template Library &#40;ATL&#41; is a set of template-based C++ classes that let developers create small, fast Component Object Model &#40;COM&#41; objects. It has special support for key COM features, including stock implementations, dual interfaces, standard COM enumerator interfaces, connection points, tear-off interfaces, and ActiveX controls. For more information, see the following MSDN article.\r\n\r\nWhat is the DHTML Editing Component ActiveX Control?\r\nThe DHTML Editing Component ActiveX control provides an HTML editor that developers can use to support dynamic Web site HTML editing in software. For more information about the DHTML Editing Component ActiveX control, see the following MSDN article.\r\n\r\nWhat is the Microsoft MSWebDVD ActiveX Control?\r\nThe Microsoft MSWebDVD ActiveX control is used to create script-based DVD applications by exposing the MSWebDVD object to applications. For more information, see the following MSDN article.\r\n\r\nWhat is Outlook Express?\r\nOutlook Express is a feature of the Windows operating system for personal computers. It is used for sending and receiving e-mail.\r\n\r\nWhat is Windows Media Player?\r\nWindows Media Player is a feature of the Windows operating system for personal computers. It is used for playing audio and video.\r\n\r\nAre third-party components and controls affected by this issue?\r\nSome third-party components and controls may be affected by this issue if certain conditions were met during the building of the components and controls. Microsoft recommends that developers follow the guidance provided in this bulletin to modify and rebuild all components and controls affected by vulnerabilities described in this bulletin.\r\n\r\nI am using an older release of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.\r\n\r\nIt should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.\r\n\r\nCustomers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\nTop of sectionTop of section\r\nVulnerability Information\r\n\t\r\nSeverity Ratings and Vulnerability Identifiers\r\n\r\nThe following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin&#39;s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the August bulletin summary. For more information, see Microsoft Exploitability Index.\r\n\r\nAffected Software \r\nVulnerability Severity Rating and Maximum Security Impact by Affected Software\r\nAffected Software\tMicrosoft Video ActiveX Control Vulnerability - CVE-2008-0015\tATL Header Memcopy Vulnerability - CVE-2008-0020\tATL Uninitialized Object Vulnerability - CVE-2009-0901\tATL COM Initialization Vulnerability - CVE-2009-2493\tATL Object Type Mismatch Vulnerability - CVE-2009-2494\tAggregate Severity Rating\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows XP Media Center Edition 2005\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows XP Service Pack 2 and Service Pack 3\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2* and **\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2* and **\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\n*Windows Server 2008 Server Core installation affected. For supported editions of Windows Server 2008, this update applies, with the same severity rating, whether or not Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.\r\n\r\n**Windows Server 2008 Server Core installation not affected. The vulnerability addressed by this update does not affect supported editions of Windows Server 2008 if Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.\r\nTop of sectionTop of section\r\n\t\r\nMicrosoft Video ActiveX Control Vulnerability - CVE-2008-0015\r\n\r\nA remote code execution vulnerability exists in the Microsoft Active Template Library &#40;ATL&#41; due to the function CComVariant::ReadFromStream used in the ATL header. This function does not properly restrict untrusted data read from a stream. This issue leads to reading data directly onto the stack instead of reading it into the area of memory allocated for an array, which could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-0015.\r\n\t\r\nMitigating Factors for Microsoft Video ActiveX Control Vulnerability - CVE-2008-0015\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory &#40;973882&#41;.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Microsoft Video ActiveX Control Vulnerability - CVE-2008-0015\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory &#40;973882&#41;.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Microsoft Video ActiveX Control Vulnerability - CVE-2008-0015\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. The vulnerability could allow remote code execution if the user visits a specially crafted Web page with Internet Explorer, instantiating a vulnerable component or control. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe function CComVariant::ReadFromStream used in the ATL header does not properly restrict untrusted data read from a stream. This issue could lead to reading data directly onto the stack instead of reading it into the area of memory allocated for an array.\r\n\r\nAre third-party ActiveX controls affected by this issue?\r\nAlthough this vulnerability is in Microsoft ATL, it is not in the ATL version shipped with Visual Studio. The affected ATL headers reside in a private header file that shipped in Windows XP and Windows Server 2003. Most third-party developers use the header file that came with Visual Studio. These applications are not exposed to this vulnerability.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nIf a user has a vulnerable control on their system and an attacker bypasses the mitigations described in Microsoft Security Advisory &#40;973882&#41;, then an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer by attempting to exploit a vulnerable control, and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have to discover a vulnerable control, and force users to visit these Web sites. To do this, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker&#39;s Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who should not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update addresses the vulnerability by correcting the affecting Window components and controls to restrict data read from untrusted streams to ensure it is not copied directly to the memory stack.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nYes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nATL Header Memcopy Vulnerability - CVE-2008-0020\r\n\r\nA remote code execution vulnerability exists in the Microsoft Active Template Library &#40;ATL&#41; due to an error in the Load method of the IPersistStreamInit interface. The Load method could allow calls to memcopy with untrusted data, which could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-0020.\r\n\t\r\nMitigating Factors for ATL Header Memcopy Vulnerability - CVE-2008-0020\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory &#40;973882&#41;.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for ATL Header Memcopy Vulnerability - CVE-2008-0020\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory &#40;973882&#41;.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for ATL Header Memcopy Vulnerability - CVE-2008-0020\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. The vulnerability could allow remote code execution if the user visits a specially crafted Web page with Internet Explorer, instantiating a vulnerable component or control. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is caused by an error in the Load method of the IPersistStreamInit interface. The Load method could allow calls to memcopy with untrusted data.\r\n\r\nAre third-party ActiveX controls affected by this issue?\r\nAlthough this vulnerability is in Microsoft ATL, it is not in the ATL version shipped with Visual Studio. The affected ATL headers reside in a private header file that shipped in Windows XP and Windows Server 2003. Most third-party developers use the header file that came with Visual Studio. These applications are not exposed to this bug.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nIf a user has a vulnerable control on their system and an attacker bypasses the mitigations described in Microsoft Security Advisory &#40;973882&#41;, then an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer by attempting to exploit a vulnerable control, and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have to discover a vulnerable control, and force users to visit these Web sites. To do this, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker&#39;s Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who should not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update addresses the issue by correcting Windows components and control to restrict the Load method of the IPersistStreamInit interface to only allow calls to memcopy with trusted data.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nATL Uninitialized Object Vulnerability - CVE-2009-0901\r\n\r\nA remote code execution vulnerability exists in the Microsoft Active Template Library &#40;ATL&#41; due to a bug in the ATL headers that could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized. Because of this bug, the attacker can control what happens when VariantClear is called during handling of an error by supplying a corrupt stream. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. This vulnerability could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-0901.\r\n\t\r\nMitigating Factors for ATL Uninitialized Object Vulnerability - CVE-2009-0901\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory &#40;973882&#41;.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for ATL Uninitialized Object Vulnerability - CVE-2009-0901\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory &#40;973882&#41;.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for ATL Uninitialized Object Vulnerability - CVE-2009-0901\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. The vulnerability could allow remote code execution if the user visits a specially crafted Web page with Internet Explorer that instantiates a vulnerable component or control. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability results from an issue in the ATL headers that could allow an attacker to call VariantClear&#40;&#41; on a variant that has not been correctly initialized. For developers who created a component or control using ATL in this manner, the resulting component or control could allow remote code execution in the context of the logged on user.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nIf a user has a vulnerable control on their system and an attacker bypasses the mitigations described in Microsoft Security Advisory &#40;973882&#41;, then an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer by attempting to exploit a vulnerable control, and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have to discover a vulnerable control, and force users to visit these Web sites. To do this, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker&#39;s Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\r\nAre third-party ActiveX controls affected by this issue?\r\nSome third-party components and controls may be affected by this issue if certain conditions were met during the building of the components and controls. Microsoft recommends that developers follow the guidance provided in theMS09-035 Visual Studio bulletin to modify and rebuild all components and controls affected by vulnerabilities described in this bulletin.\r\n\r\nI am a third-party application developer and I use ATL in my components and controls. Are my components and controls vulnerable, and if so, how do I update them? \r\nFor instructions on determining whether your components and controls are vulnerable and how to update them, see the following MSDN Article.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who should not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update addresses the issue by updating Windows components and controls to ensure VariantClear&#40;&#41; can only be called on initialized variants.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nA remote code execution vulnerability exists in the Microsoft Active Template Library &#40;ATL&#41; due to bugs in the ATL headers that handle instantiation of an object from data streams. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. For components and controls built using ATL, unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary objects which can bypass related security policy, such as kill bits within Internet Explorer. This vulnerability could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-2493.\r\n\t\r\nMitigating Factors for ATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory &#40;973882&#41;.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for ATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory &#40;973882&#41;.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for ATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. The vulnerability could allow remote code execution if the user visits a specially crafted Web page with Internet Explorer, instantiating a vulnerable component or control. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability results from errors in the ATL headers that handle instantiation of an object from data streams. For components and controls built using ATL, unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary objects which can bypass certain related security policies.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nIf a user has a vulnerable control on their system, and an attacker bypasses the mitigations described in Microsoft Security Advisory &#40;973882&#41;, then if the user is logged on with administrative user rights an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer by attempting to exploit a vulnerable control, and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have to discover a vulnerable control, and force users to visit these Web sites. To do this, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker&#39;s Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\r\nAre third-party ActiveX controls affected by this issue?\r\nSome third-party components and controls may be affected by this issue if certain conditions were met during the building of the components and controls. Microsoft recommends that developers follow the guidance provided in theMS09-035 Visual Studio bulletin to modify and rebuild all components and controls affected by vulnerabilities described in this bulletin.\r\n\r\nI am a third-party application developer and I use ATL in my components and controls. Are my components and controls vulnerable, and if so, how do I update them? \r\nFor instructions on determining whether your components and controls are vulnerable and how to update them, see the following MSDN Article.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who should not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update addresses the vulnerability by correcting the manner in which ATL handles the instantiation of objects from data stream and providing updated versions of Windows components and controls built using corrected ATL headers.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nATL Object Type Mismatch Vulnerability - CVE-2009-2494\r\n\r\nA remote code execution vulnerability exists in the Microsoft Active Template Library &#40;ATL&#41; due to a bug in the ATL header that could allow reading a variant from a stream and leaving the variant type read with an invalid variant. When deleting the variant, it is possible to free unintended areas in memory that could be controlled by an attacker.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-2494.\r\n\t\r\nMitigating Factors for ATL Object Type Mismatch Vulnerability - CVE-2009-2494\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory &#40;973882&#41;.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for ATL Object Type Mismatch Vulnerability - CVE-2009-2494\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory &#40;973882&#41;.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for ATL Object Type Mismatch Vulnerability - CVE-2009-2494\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. The vulnerability could allow remote code execution if the user visits a specially crafted Web page with Internet Explorer, instantiating a vulnerable component or control. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is caused by a bug in the ATL header that could allow reading a variant from a stream and leaving the variant type read with an invalid variant. When deleting the variant, it would be possible to free unintended areas in memory that could be controlled by an attacker, resulting in inconsistent memory contents and execution of malicious code.\r\n\r\nAre third-party ActiveX controls affected by this issue?\r\nAlthough this vulnerability is in Microsoft ATL, it is not in the ATL version shipped with Visual Studio. The affected ATL headers reside in a private header file that shipped in Windows XP and Windows Server 2003. Most third-party developers use the header file that came with Visual Studio. These applications are not exposed to this issue.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nIf a user has a vulnerable control on their system, and an attacker bypasses the mitigations described in Microsoft Security Advisory &#40;973882&#41;, then if the user is logged on with administrative user rights an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer by attempting to exploit a vulnerable control, and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have to discover a vulnerable control, and force users to visit these Web sites. To do this, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker&#39;s Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who should not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update addresses the issue by properly validating variants read from a stream and providing updated versions of Windows components and controls built using corrected ATL headers.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nRyan Smith and Alex Wheeler of IBM ISS X-Force for initially reporting the Microsoft Video ActiveX Control Remote Code Execution Vulnerability &#40;CVE-2008-0015&#41;\r\n\u2022\t\r\n\r\nRobert Freeman of IBM ISS X-Force for reporting the ATL Header Memcopy Vulnerability &#40;CVE-2008-0020&#41;\r\n\u2022\t\r\n\r\nDavid Dewey of IBM ISS X-Force for reporting the ATL Uninitialized Object Vulnerability &#40;CVE-2009-0901&#41;\r\n\u2022\t\r\n\r\nRyan Smith of VeriSign iDefense Labs for reporting the ATL COM Initialization Vulnerability &#40;CVE-2009-2493&#41;\r\n\u2022\t\r\n\r\nRyan Smith of VeriSign iDefense Labs for reporting the ATL Object Type Mismatch Vulnerability &#40;CVE-2009-2494&#41;\r\n\r\nMicrosoft Active Protections Program &#40;MAPP&#41;\r\n\r\nTo improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program &#40;MAPP&#41; Partners.\r\n\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided &quot;as is&quot; without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\nTop of sectionTop of section\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 &#40;August 11, 2009&#41;: Bulletin published.", "edition": 1, "cvss3": {}, "published": "2009-08-11T00:00:00", "title": "Microsoft Security Bulletin MS09-037 - Critical Vulnerabilities in Microsoft Active Template Library &#40;ATL&#41; Could Allow Remote Code Execution &#40;973908&#41;", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-2494", "CVE-2009-2493", "CVE-2008-0015", "CVE-2008-0020", "CVE-2009-0901"], "modified": "2009-08-11T00:00:00", "id": "SECURITYVULNS:DOC:22297", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22297", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:32", "description": "Microsoft Security Bulletin MS09-055 - Critical\r\nCumulative Security Update of ActiveX Kill Bits &#40;973525&#41;\r\nPublished: October 13, 2009\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis security update addresses a privately reported vulnerability that is common to multiple ActiveX controls and is currently being exploited. The vulnerability that affects ActiveX controls that were compiled using the vulnerable version of the Microsoft Active Template Library &#40;ATL&#41; could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nThis security update is rated Critical for all supported editions of Microsoft Windows 2000 and Windows XP, Important for all supported editions of Windows Vista and Windows 7, Moderate for all supported editions of Windows Server 2003, and Low for all supported editions of Windows Server 2008 and Windows Server 2008 R2. For more information, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nThe security update addresses the vulnerability by setting a kill bit so that the vulnerable controls do not run in Internet Explorer. For more information about the vulnerability, see the Frequently Asked Questions &#40;FAQ&#41; subsection under the next section, Vulnerability Information.\r\n\r\nRecommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.\r\n\r\nFor administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.\r\n\r\nSee also the section, Detection and Deployment Tools and Guidance, later in this bulletin.\r\n\r\nKnown Issues. None\r\nTop of sectionTop of section\r\nAffected and Non-Affected Software\r\n\r\nThe following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software\r\nOperating System\tMaximum Security Impact\tAggregated Severity Rating\tBulletins Replaced by This Update\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-032\r\n\r\nWindows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-032\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-032\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nMS09-032\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nMS09-032\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nMS09-032\r\n\r\nWindows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS09-032\r\n\r\nWindows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS09-032\r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nLow\r\n\t\r\n\r\nMS09-032\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nLow\r\n\t\r\n\r\nMS09-032\r\n\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nLow\r\n\t\r\n\r\nMS09-032\r\n\r\nWindows 7 for 32-bit Systems\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows 7 for x64-based Systems\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 R2 for x64-based Systems*\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nLow\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 R2 for Itanium-based Systems\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nLow\r\n\t\r\n\r\nNone\r\n\r\n*Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, when installed using the Server Core installation option. For more information on this installation option, see the MSDN articles, Server Core and Server Core for Windows Server 2008 R2. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions &#40;FAQ&#41; Related to This Security Update\r\n\r\nDoes MBSA support detection for this security update on Windows 7 and Windows Server 2008 R2?\r\nMBSA supports detection for this security update on Windows 7 and Windows Server 2008 R2 as of MBSA version 2.1.1, available as of the General Availability date of these operating systems. For more information, visit MBSA.\r\n\r\nDoes this Cumulative Security Update for ActiveX Kill Bits contain the kill bits described in Microsoft Security Bulletin MS09-043? \r\nThis update does not include the kill bits for preventing the Office Web Components &#40;OWC&#41; Library from running in Internet Explorer, which are described in Microsoft Security Bulletin MS09-043. Customers who have not installed MS09-043 should install both this update and MS09-043 to be fully protected from these vulnerabilities.\r\n\r\nIs this security update related to MS09-034? \r\nYes. Microsoft Security Bulletin MS09-034, &quot;Cumulative Security Update for Internet Explorer,&quot; includes a mitigation that helps prevent components and controls built using the vulnerable ATL from being exploited in Internet Explorer, and addresses other unrelated vulnerabilities as well. The new defense in depth protections offered in MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8, that monitor and help prevent the successful exploitation of all known public and privately reported ATL vulnerabilities, including the vulnerabilities that could lead to bypassing the ActiveX kill bit security feature. These protections are designed to help protect customers from Web-based attacks.\r\n\r\nIf I have installed the MS09-034 update, do I still need to install this update? \r\nThis security update addresses vulnerable Active X controls and prevents them from instantiating in Internet Explorer. Microsoft recommends that customers apply this update in addition to the latest Cumulative Security Update for Internet Explorer to maintain the highest level of security.\r\n\r\nIf I have installed the MS09-034 update, do I still need to install additional components and controls issued by Microsoft or third parties that address the vulnerabilities described in Microsoft Security Advisory 973882 and Microsoft Security Bulletin MS09-035? \r\nThe mitigation for Internet Explorer described in MS09-034 does not address the underlying vulnerabilities within certain components and controls developed with the Active Template Library. Microsoft recommends that developers follow the guidance provided in this bulletin to modify and rebuild all components and controls affected by vulnerabilities described in this bulletin.\r\n\r\nWhat kill bits does this Cumulative Security Update of ActiveX Kill Bits contain? \r\nThis Cumulative Security Update of ActiveX Kill Bits contains all kill bits previously released in MS08-023, Security Update of ActiveX Kill Bits; MS08-032, Cumulative Security Update of ActiveX Kill Bits; MS09-032, Cumulative Security Update of ActiveX Kill Bits; and advisories entitled Update Rollup for ActiveX Kill Bits, Microsoft Security Advisory 953839, Microsoft Security Advisory 956391, Microsoft Security Advisory 960715, and Microsoft Security Advisory 969898.\r\n\r\nWhat is a kill bit?\r\nA security feature in Microsoft Internet Explorer makes it possible to prevent an ActiveX control from ever being loaded by the Internet Explorer HTML-rendering engine. This is done by making a registry setting and is referred to as setting the kill bit. After the kill bit is set, the control can never be loaded, even when it is fully installed. Setting the kill bit makes sure that even if a vulnerable component is introduced or is re-introduced to a system, it remains inert and harmless.\r\n\r\nFor more information on kill bits, see Microsoft Knowledge Base Article 240797: How to stop an ActiveX control from running in Internet Explorer.\r\n\r\nWhat is a security update of ActiveX kill bits? \r\nA security update of ActiveX kill bits contains the class IDs &#40;CLSID&#41; of certain ActiveX controls that are the basis of the security update. This security bulletin lists these CLSIDs in the Vulnerability Information section.\r\n\r\nWhy does this update not contain any binary files?\r\nThis update only makes changes to the registry to disable the control from instantiating in Internet Explorer.\r\n\r\nShould I install this update if I do not have the affected component installed or use the affected platform?\r\nYes. Installing this update will block the vulnerable control from running in Internet Explorer.\r\n\r\nDo I need to reapply this update if I install an ActiveX control discussed in this security update at a later date?\r\nNo, reapplying this update is not required. The kill bit will block Internet Explorer from running the control even if the control is installed at a later date.\r\n\r\nDoes this update contain any kill bits that are not Microsoft-specific? \r\nAll new kill bits in this update apply only to Microsoft controls. However, since this is a cumulative security update, this update includes kill bits that Microsoft has issued for both Microsoft and non-Microsoft ActiveX controls.\r\n\r\nDoes this update contain kill bits that were previously shipped in an Internet Explorer security update?\r\nNo, this update does not include kill bits that were previously shipped in an Internet Explorer security update. We recommend that you install the latest Cumulative Security Update for Internet Explorer.\r\n\r\nWhy does this security update have different severity levels for different Windows operating systems?\r\nThis update has different severity levels because different mitigations apply to the vulnerability depending on the operating system. One such mitigation is that Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode known as Enhanced Security Configuration.\r\n\r\nI am using an older release of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.\r\n\r\nIt should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle. For more information about the extended security update support period for these software releases, visit the Microsoft Product Support Services Web site.\r\n\r\nCustomers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\nTop of sectionTop of section\r\nVulnerability Information\r\n\t\r\nSeverity Ratings and Vulnerability Identifiers\r\n\r\nThe following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin&#39;s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the October bulletin summary. For more information, see Microsoft Exploitability Index.\r\nVulnerability Severity Rating and Maximum Security Impact by Affected Software\r\nAffected Software\tATL COM Initialization Vulnerability- CVE-2009-2493\tAggregate Severity Rating\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\n\r\nWindows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\r\nWindows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nImportant \r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\r\nWindows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nImportant\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\r\n\t\r\n\r\nLow\r\nRemote Code Execution\r\n\t\r\n\r\nLow\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*\r\n\t\r\n\r\nLow\r\nRemote Code Execution\r\n\t\r\n\r\nLow\r\n\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nLow\r\nRemote Code Execution\r\n\t\r\n\r\nLow\r\n\r\nWindows 7 for 32-bit Systems\r\n\t\r\n\r\nImportant\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\r\nWindows 7 x64 Edition\r\n\t\r\n\r\nImportant \r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\r\nWindows Server 2008 R2 for x64-based Systems*\r\n\t\r\n\r\nLow\r\nRemote Code Execution\r\n\t\r\n\r\nLow\r\n\r\nWindows Server 2008 R2 for Itanium-based Systems\r\n\t\r\n\r\nLow\r\nRemote Code Execution\r\n\t\r\n\r\nLow\r\n\r\n*Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, when installed using the Server Core installation option. For more information on this installation option, see the MSDN articles, Server Core and Server Core for Windows Server 2008 R2. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.\r\nTop of sectionTop of section\r\n\t\r\nATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nA remote code execution vulnerability exists in the Microsoft ActiveX controls listed in the FAQ section of this vulnerability, which were compiled using the vulnerable Microsoft Active Template Library described in Microsoft Security Bulletin MS09-035. An attacker could exploit the vulnerability in these controls by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-2493.\r\n\t\r\nMitigating Factors for ATL COM Initialization Vulnerability- CVE-2009-2493\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state that could reduce the severity of exploitation of vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nBy default, the majority of ActiveX controls are not included in the default allow-list for ActiveX controls in Internet Explorer 7 or Internet Explorer 8 running on Windows Vista or later operating systems. Only customers who have explicitly approved vulnerable controls by using the ActiveX opt-in feature are at risk to attempts to exploit this vulnerability. However, if a customer has used such ActiveX controls in a previous version of Internet Explorer, and then later upgraded to Internet Explorer 7 or Internet Explorer 8, then these ActiveX controls are enabled to work in Internet Explorer 7 and Internet Explorer 8, even if the customer has not explicitly approved it using the ActiveX opt-in feature.\r\n\u2022\t\r\n\r\nBy default, Internet Explorer 8 offers enhanced protections by enabling DEP/NX memory protections for users on Windows XP Service Pack 3, Windows Vista Service Pack 1 and Windows Vista Service Pack 2, and Windows 7.\r\n\u2022\t\r\n\r\nBy default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See the FAQ subsection of this vulnerability section for more information about Internet Explorer Enhanced Security Configuration.\r\n\u2022\t\r\n\r\nBy default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail or Instant Messenger message that takes users to the attacker&#39;s Web site.\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for ATL COM Initialization Vulnerability- CVE-2009-2493\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nPrevent COM objects from running in Internet Explorer\r\n\r\nYou can disable attempts to instantiate a COM object in Internet Explorer by setting the kill bit for the control in the registry.\r\n\r\nWarning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.\r\n\r\nFor detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer.\r\n\r\nNote The Class Identifiers and corresponding files where the ActiveX objects are contained are documented under &quot;What does the update do?&quot; in the FAQ for Microsoft Video ActiveX Control Vulnerability - CVE-2009-2493 section. Replace {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} below with the Class Identifiers found in that section.\r\n\r\nTo set the kill bit for a CLSID with a value of {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.\r\n\r\nWindows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE&#92;SOFTWARE&#92;Microsoft&#92;Internet Explorer&#92;ActiveX Compatibility&#92;{ XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX }]\r\n&quot;Compatibility Flags&quot;=dword:00000400\r\n\r\nYou can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:\r\n\u2022\t\r\n\r\nGroup Policy collection\r\n\u2022\t\r\n\r\nWhat is Group Policy Object Editor?\r\n\u2022\t\r\n\r\nCore Group Policy tools and settings\r\n\r\nNote You must restart Internet Explorer for your changes to take effect.\r\n\u2022\t\r\n\r\nImpact of Workaround: There is no impact as long as the object is not intended to be used in Internet Explorer.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for ATL COM Initialization Vulnerability- CVE-2009-2493\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. The vulnerability could allow remote code execution if the user visits a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is due to issues in the ATL headers that handle instantiation of an object from data streams. For components and controls built using ATL, unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary objects in Internet Explorer that can bypass certain related security policies. When the Microsoft ActiveX Control is instantiated in Internet Explorer, the control may corrupt the system state in such a way that an attacker could run arbitrary code.\r\n\r\nDo all of the kill bits listed in this bulletin have the same severity rating for all platforms in the Severity table? \r\nThe kill bits for each control may have different severity ratings from the Aggregate Severity Rating listed in the Severity table at the beginning of this bulletin.\r\n\r\nThe severity for the Windows Live Mail Components &#40;msmail.dll and mailcommm.dll&#41; matches the Severity table for Windows XP and Windows Vista. The severity is &quot;None&quot; for Microsoft Windows 2000, Windows Server 2003, and Windows Server 2008 due to existing mitigations that prevent loading these controls on these platforms.\r\n\r\nThe severity for the Office Web Components, Outlook View Controls, Visio Viewer, and MSN Photo Upload Tool &#40;msowc.dll, owc10.dll, owc11.dll, outlctl.dll, viewer.dll, and msnpupld.dll&#41; match the severity table listed in this bulletin.\r\n\r\nWhat are Office Web Components? \r\nMicrosoft Office Web Components are a collection of Component Object Model &#40;COM&#41; controls for publishing spreadsheets, charts, and databases to the Web, and for viewing the published components on the Web.\r\n\r\nWhat is the Visio Viewer control? \r\nThe Visio Viewer allows users to view Visio drawings and diagrams &#40;created with Visio 5.0, Visio 2000, Visio 2002, Visio 2003, or Visio 2007&#41; from within a Web browser &#40;Microsoft Internet Explorer version 5.0 or later&#41;.\r\n\r\nWhat are Windows Live Mail controls? \r\nWindows Live Mail controls are internal message management interfaces for Windows Live Mail. These controls are not publicly documented and are not supported.\r\n\r\nWhat is the MSN Photo Upload Tool?\r\nThis tool allows users to upload and label multiple photos simultaneously to MSN Mail accounts, including Windows Live Mail.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker&#39;s Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\r\nI am running Internet Explorer for Windows Vista or Windows Server 2008. Do I need to install this update? \r\nThough unaffected by this vulnerability, Microsoft recommends that customers of Windows Vista and Windows Server 2008 remove support for this ActiveX Control within Internet Explorer, using the same Class Identifiers listed below, as a defense-in-depth measure.\r\n\r\nI am running Internet Explorer for Windows Server 2003 or Windows Server 2008. Does this mitigate this vulnerability? \r\nYes. By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nThis vulnerability requires that a user be logged on and visiting a Web site for any malicious action to occur. Therefore, any systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.\r\n\r\nWhat does the update do? \r\nThe following Microsoft ActiveX Control were never intended to be instantiated in Internet Explorer and can therefore be disabled by setting the kill bit for the Class Identifiers hosted in the library files listed below:\r\nClass Identifier\tFile\tDescription\r\n\r\n{0002E531-0000-0000-C000-000000000046}\r\n\t\r\n\r\nmsowc.dll\r\n\t\r\n\r\nATL OWC - OWC9 RecordNavigationControl\r\n\r\n{4C85388F-1500-11D1-A0DF-00C04FC9E20F}\r\n\t\r\n\r\nmsowc.dll\r\n\t\r\n\r\nATL OWC - OWC9 FieldList\r\n\r\n{0002E532-0000-0000-C000-000000000046}\r\n\t\r\n\r\nmsowc.dll\r\n\t\r\n\r\nATL OWC - OWC9 ExpandControl\r\n\r\n{0002E554-0000-0000-C000-000000000046}\r\n\t\r\n\r\nowc10.dll\r\n\t\r\n\r\nATL OWC - OWC10 RecordNavigationControl\r\n\r\n{0002E55C-0000-0000-C000-000000000046}\r\n\t\r\n\r\nowc11.dll\r\n\t\r\n\r\nATL OWC - OWC11\r\n\r\n{279D6C9A-652E-4833-BEFC-312CA8887857}\r\n\t\r\n\r\nviewer.dll\r\n\t\r\n\r\nVisio Viewer 2002-2007\r\n\r\n{B1F78FEF-3DB7-4C56-AF2B-5DCCC7C42331}\r\n\t\r\n\r\nmsmail.dll\r\n\t\r\n\r\nWindows Live Mail Mail Object\r\n\r\n{C832BE8F-4B89-4579-A217-DB92E7A27915}\r\n\t\r\n\r\nmsmail.dll\r\n\t\r\n\r\nWindows Live Mail Mesg Table Object\r\n\r\n{A9A7297E-969C-43F1-A1EF-51EBEA36F850}\r\n\t\r\n\r\nmailcomm.dll\r\n\t\r\n\r\nWindows Live Mail Mime Editor\r\n\r\n{DD8C2179-1B4A-4951-B432-5DE3D1507142}\r\n\t\r\n\r\nmsmail.dll\r\n\t\r\n\r\nWindows Live Mail Message List\r\n\r\n{4F1E5B1A-2A80-42ca-8532-2D05CB959537}\r\n\t\r\n\r\nMsnPUpld.dll\r\n\t\r\n\r\nMSN Photo Upload Tool\r\n\r\n{27A3D328-D206-4106-8D33-1AA39B13394B}\r\n\t\r\n\r\nReportBuilderAddin.dll\r\n\t\r\n\r\nOffice Excel Add-in for SQL Analysis Services\r\n\r\n{DB640C86-731C-484A-AAAF-750656C9187D}\r\n\t\r\n\r\nReportBuilderAddin.dll\r\n\t\r\n\r\nOffice Excel Add-in for SQL Analysis Services\r\n\r\n{15721a53-8448-4731-8bfc-ed11e128e444}\r\n\t\r\n\r\nReportBuilderAddin.dll\r\n\t\r\n\r\nOffice Excel Add-in for SQL Analysis Services\r\n\r\n{3267123E-530D-4E73-9DA7-79F01D86A89F}\r\n\t\r\n\r\nReportBuilderAddin.dll\r\n\t\r\n\r\nOffice Excel Add-in for SQL Analysis Services\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nYes. Microsoft is aware of limited, targeted attacks attempting to exploit the vulnerability.\r\n\r\nOther Information\r\nMicrosoft Active Protections Program &#40;MAPP&#41;\r\n\r\nTo improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program &#40;MAPP&#41; Partners.\r\n\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided &quot;as is&quot; without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 &#40;October 13, 2009&#41;: Bulletin published.", "edition": 1, "cvss3": {}, "published": "2009-10-13T00:00:00", "title": "Microsoft Security Bulletin MS09-055 - Critical Cumulative Security Update of ActiveX Kill Bits &#40;973525&#41;", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-2493"], "modified": "2009-10-13T00:00:00", "id": "SECURITYVULNS:DOC:22612", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22612", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:31", "description": "iDefense Security Advisory 07.28.09\r\nhttp://labs.idefense.com/intelligence/vulnerabilities/\r\nJul 28, 2009\r\n\r\nI. BACKGROUND\r\n\r\nMicrosoft&#39;s Component Object Model &#40;COM&#41; was designed to allow\r\ninteroperability between disjointed software components. It is a\r\nstandardized interface solution to the programming dilemmas involved in\r\nobject oriented programming, distributed transactions, and\r\ninter-language communications. COM is involved at some level in DDE,\r\nOLE, COM+, ActiveX, and DCOM. COM objects can be embedded in various\r\ndocument formats, Web Pages, and various other media technologies.\r\nMicrosoft&#39;s Active Template Library &#40;ATL&#41; is a set of C++ templates\r\nthat simplify developing COM objects. More information on COM and ATL\r\ncan be found at the following URLs.\r\n\r\nhttp://www.microsoft.com/com/default.mspx\r\n\r\nhttp://msdn.microsoft.com/en-us/library/t9adwcde&#40;VS.80&#41;.aspx\r\n\r\nII. DESCRIPTION\r\n\r\nRemote exploitation of a logic flaw vulnerability in Microsoft Corp.&#39;s\r\nATL/MFC ActiveX code, as included in various vendors&#39; ActiveX controls,\r\ncould allow attackers to bypass ActiveX security mechanisms.\r\n\r\nOne aspect of COM is a process called initialization. This process\r\nallows a program to load and store a COM object within various\r\ncontainers, such as OLE compound storage files and raw streams.\r\n\r\nDepending upon certain characteristics of an OLE component designed with\r\nthe Microsoft ATL, it is possible to cause one component to initialize\r\nan arbitrary secondary component. Ordinarily this behavior would not be\r\na cause for alarm, however, certain applications employ various methods\r\nto verify that a control is Safe for Initialization. One such\r\napplication is Internet Explorer. More information on these methods can\r\nbe found at\r\nhttp://msdn.microsoft.com/en-us/library/aa751977&#40;VS.85&#41;.aspx.\r\n\r\nStandard operating procedure is to have the loading application perform\r\nthe various security checks. However, a control marked &quot;Safe for\r\nInitialization&quot; that contains this vulnerability will not perform the\r\nsame checks. By loading a vulnerable ActiveX control and passing in\r\nspecially crafted persistent storage data, an attacker can bypass all\r\nof the typical security checks and load any ActiveX control without a\r\nwarning.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation of this vulnerability allows an attacker to bypass security\r\nchecks &#40;such as kill-bits in Internet Explorer&#41;. Successful exploitation\r\nwould require the attacker to convince his or her victim into visiting a\r\nspecially crafted Web page leveraging the vulnerability. While there is\r\nno way to forcibly make a victim visit a website, exploitation may\r\noccur through normal Web browsing.\r\n\r\nThis vulnerability greatly increases the attack surface accessible via\r\nInternet Explorer by decreasing the amount of user interaction\r\nnecessary to access other initialization vulnerabilities.\r\n\r\nIV. DETECTION\r\n\r\niDefense has confirmed the existence of this vulnerability inside\r\nMicrosoft&#39;s ATL and MFC. Although later versions of the ATL/MFC are\r\nless vulnerable, certain conditions can trigger the same exploit\r\npattern.\r\n\r\nAny code compiled with these libraries may also be vulnerable. Specific\r\ncontrols compiled with vulnerable versions include Adobe Flash and\r\nSun&#39;s Java plug-in.\r\n\r\nV. WORKAROUND\r\n\r\niDefense is currently unaware of any workarounds for this issue.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nMicrosoft has released two security bulletins which address this issue.\r\nFor more information, consult their advisories at the following URL:\r\n\r\nhttp://www.microsoft.com/technet/security/Bulletin/MS09-035.mspx\r\n\r\nhttp://www.microsoft.com/technet/security/Bulletin/MS09-037.mspx\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures &#40;CVE&#41; project has assigned the\r\nname CVE-2009-2493 to this issue. This is a candidate for inclusion in\r\nthe CVE list &#40;http://cve.mitre.org/&#41;, which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n12/05/2008 Initial Contact\r\n01/05/2009 Microsoft requested PoC\r\n01/06/2009 iDefense sent PoC\r\n01/23/2009 iDefense requested status update\r\n01/26/2009 iDefense requested status update\r\n01/27/2009 Microsoft reports status\r\n02/09/2009 Microsoft reports status\r\n02/26/2009 Microsoft reports status\r\n03/27/2009 Microsoft reports status\r\n04/23/2009 Microsoft reports status, predicts September release\r\n05/13/2009 Microsoft reports status, predicts October release\r\n05/21/2009 Microsoft requests conference call\r\n06/03/2009 Conference call takes place\r\n06/05/2009 Microsoft supplies corrected ATL headers and requests review\r\n07/28/2009 Public disclosure via MS09-035 out-of-band bulletin\r\n07/29/2009 Material presented at BlackHat USA\r\n08/11/2009 Microsoft publishes MS09-037\r\n\r\nIX. CREDIT\r\n\r\nThis vulnerability was discovered by Ryan Smith of iDefense Labs.\r\n\r\nGet paid for vulnerability research\r\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com/\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright \u00a9 2009 iDefense, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDefense. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically,\r\nplease e-mail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\n There are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct,\r\nindirect, or consequential loss or damage arising from use of, or\r\nreliance on, this information.\r\n", "edition": 1, "cvss3": {}, "published": "2009-08-20T00:00:00", "title": "iDefense Security Advisory 07.28.09: Multiple Vendor Microsoft ATL/MFC ActiveX Security Bypass Vulnerability", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-2493"], "modified": "2009-08-20T00:00:00", "id": "SECURITYVULNS:DOC:22351", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22351", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:31", "description": "iDefense Security Advisory 07.28.09\r\nhttp://labs.idefense.com/intelligence/vulnerabilities/\r\nJul 28, 2009\r\n\r\nI. BACKGROUND\r\n\r\nMicrosoft&#39;s Component Object Model &#40;COM&#41; was designed to allow\r\ninteroperability between disjointed software components. It is a\r\nstandardized interface solution to the programming dilemmas involved in\r\nobject oriented programming, distributed transactions, and\r\ninter-language communications. COM is involved at some level in DDE,\r\nOLE, COM+, ActiveX, and DCOM. COM objects can be embedded in various\r\ndocument formats, Web Pages, and various other media technologies.\r\nMicrosoft&#39;s Active Template Library &#40;ATL&#41; is a set of C++ templates\r\nthat simplify developing COM objects. More information on COM and ATL\r\ncan be found at the following URLs.\r\n\r\nhttp://www.microsoft.com/com/default.mspx\r\n\r\nhttp://msdn.microsoft.com/en-us/library/t9adwcde&#40;VS.80&#41;.aspx\r\n\r\nII. DESCRIPTION\r\n\r\nRemote exploitation of an information disclosure vulnerability in\r\nMicrosoft&#39;s ATL/MFC ActiveX template, as included in various vendor&#39;s\r\nActiveX controls, allows attackers to read memory contents within\r\nInternet Explorer.\r\n\r\nOne aspect of COM is a process called initialization. This process\r\nallows a program to load and store a COM object within various\r\ncontainers, such as OLE compound storage files and raw streams.\r\n\r\nDepending upon certain characteristics of an OLE component designed with\r\nthe Microsoft ATL, it is possible to read arbitrary memory inside the\r\nInternet Explorer process. By loading a vulnerable ActiveX control and\r\npassing in specially crafted persistent storage data, an attacker can\r\ncause a string to be read in without being properly NULL terminated.\r\nAfter the object is initialized the attacker may read the data using\r\nJava Script. Since the string functions rely on NULL termination to\r\nkeep track of the end of the string, the attacker may read into the\r\nnext chunk of memory continuing until two NULL bytes are encountered.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation of the above vulnerabilities will result in the disclosure\r\nof memory contents, potentially including sensitive information. The\r\nattack vectors include Internet Explorer, WordPad, Microsoft Office,\r\nand any other program that loads arbitrary persistence data and gives\r\nthe attacker an opportunity to read back the data.\r\n\r\nIV. DETECTION\r\n\r\niDefense has confirmed the existence of this vulnerability inside\r\nMicrosoft&#39;s ATL version 9.0. Any source code compiled with these\r\nlibraries may also be vulnerable. Previous versions may also be\r\naffected.\r\n\r\nV. WORKAROUND\r\n\r\niDefense is currently unaware of any workarounds for this issue.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nMicrosoft has released a security bulletin which addresses this issue.\r\nFor more information, consult their advisory at the following URL:\r\n\r\nhttp://www.microsoft.com/technet/security/Bulletin/MS09-035.mspx\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures &#40;CVE&#41; project has assigned the\r\nname CVE-2009-2495 to this issue. This is a candidate for inclusion in\r\nthe CVE list &#40;http://cve.mitre.org/&#41;, which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n12/05/2008 Initial Contact\r\n01/05/2009 Microsoft requested PoC\r\n01/06/2009 iDefense sent PoC\r\n01/23/2009 iDefense requested status update\r\n01/26/2009 iDefense requested status update\r\n01/27/2009 Microsoft reports status\r\n02/09/2009 Microsoft reports status\r\n02/26/2009 Microsoft reports status\r\n03/27/2009 Microsoft reports status\r\n04/23/2009 Microsoft reports status, predicts September release\r\n05/13/2009 Microsoft reports status, predicts October release\r\n05/21/2009 Microsoft requests conference call\r\n06/03/2009 Conference call takes place\r\n07/28/2009 Public disclosure via MS09-035 out-of-band bulletin\r\n07/29/2009 Material presented at BlackHat USA\r\n\r\nIX. CREDIT\r\n\r\nThis vulnerability was discovered by Ryan Smith of iDefense Labs.\r\n\r\nGet paid for vulnerability research\r\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com/\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright \u00a9 2009 iDefense, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDefense. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically,\r\nplease e-mail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\n There are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct,\r\nindirect, or consequential loss or damage arising from use of, or\r\nreliance on, this information.\r\n", "edition": 1, "cvss3": {}, "published": "2009-08-20T00:00:00", "title": "iDefense Security Advisory 07.28.09: Multiple Vendor Microsoft ATL/MFC ActiveX Information Disclosure Vulnerability", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-2495"], "modified": "2009-08-20T00:00:00", "id": "SECURITYVULNS:DOC:22350", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22350", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}, {"lastseen": "2021-06-08T19:16:42", "description": "Multiple memory corruptions, code execution.", "edition": 2, "cvss3": {}, "published": "2009-12-10T00:00:00", "title": "Microsoft Internet Explorer multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-3673", "CVE-2009-3674", "CVE-2009-2493", "CVE-2009-3671", "CVE-2009-3672"], "modified": "2009-12-10T00:00:00", "id": "SECURITYVULNS:VULN:10453", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10453", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:32", "description": "Microsoft Security Bulletin MS09-072 - Critical\r\nCumulative Security Update for Internet Explorer &#40;976325&#41;\r\nPublished: December 08, 2009\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis security update resolves four privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. An ActiveX control built with Microsoft Active Template Library &#40;ATL&#41; headers could also allow remote code execution; for more information about this issue, see the subsection, Frequently Asked Questions &#40;FAQ&#41; Related to This Security Update, in this section.\r\n\r\nThis security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7 &#40;except when running on supported editions of Windows Server 2003 and Windows Server 2008&#41;, and Internet Explorer 8 &#40;except when running on supported editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2&#41;. For Internet Explorer 7 and Internet Explorer 8 running on Windows servers as listed, this update is rated Moderate. For more information, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nThe security update addresses these vulnerabilities by correcting the control and by modifying the way that Internet Explorer handles objects in memory. For more information about the vulnerabilities, see the Frequently Asked Questions &#40;FAQ&#41; subsection under the next section, Vulnerability Information.\r\n\r\nThis security update also addresses the vulnerability first described in Microsoft Security Advisory 977981.\r\n\r\nRecommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.\r\n\r\nFor administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.\r\n\r\nSee also the section, Detection and Deployment Tools and Guidance, later in this bulletin.\r\n\r\nKnown Issues. None\r\nTop of sectionTop of section\r\nAffected and Non-Affected Software\r\n\r\nThe software listed here have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software\r\nOperating System\tComponent\tMaximum Security Impact\tAggregate Severity Rating\tBulletins Replaced by This Update\r\nInternet Explorer 5.01 and Internet Explorer 6 Service Pack 1\t \t \t \t \r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nInternet Explorer 5.01 Service Pack 4\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nInternet Explorer 6 Service Pack 1\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\nInternet Explorer 6\t \t \t \t \r\n\r\nWindows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nInternet Explorer 6\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nInternet Explorer 6\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nInternet Explorer 6\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nInternet Explorer 6\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nInternet Explorer 6\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\nInternet Explorer 7\t \t \t \t \r\n\r\nWindows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nInternet Explorer 7\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nInternet Explorer 7\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nInternet Explorer 7\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nInternet Explorer 7\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nInternet Explorer 7\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nInternet Explorer 7\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nInternet Explorer 7\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\r\n\t\r\n\r\nInternet Explorer 7\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*\r\n\t\r\n\r\nInternet Explorer 7\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nInternet Explorer 7\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nMS09-054\r\nInternet Explorer 8\t \t \t \t \r\n\r\nWindows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nInternet Explorer 8\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nInternet Explorer 8\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nInternet Explorer 8\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nInternet Explorer 8\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nInternet Explorer 8\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nInternet Explorer 8\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\r\n\t\r\n\r\nInternet Explorer 8\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*\r\n\t\r\n\r\nInternet Explorer 8\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows 7 for 32-bit Systems\r\n\t\r\n\r\nInternet Explorer 8\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows 7 for x64-based Systems\r\n\t\r\n\r\nInternet Explorer 8\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Server 2008 R2 for x64-based Systems*\r\n\t\r\n\r\nInternet Explorer 8\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nMS09-054\r\n\r\nWindows Server 2008 R2 for Itanium-based Systems\r\n\t\r\n\r\nInternet Explorer 8\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nMS09-054\r\n\r\n*Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, when installed using the Server Core installation option. For more information on this installation option, see the MSDN articles, Server Core and Server Core for Windows Server 2008 R2. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions &#40;FAQ&#41; Related to This Security Update\r\n\r\nDoes this security update include the fix that resolves known issues for MS09-054 that were resolved in Microsoft Knowledge Base Article 976749? \r\nYes. This security update &#40;976325&#41; includes the fix described in Microsoft Security Advisory 976749 that resolves known issues for security update 974455 in Microsoft Security Bulletin MS09-054.\r\n\r\nHow does this security bulletin relate to the ATL issue described in MS09-035? \r\nMicrosoft Security Bulletin MS09-035 describes vulnerabilities in those components and controls that have been developed using vulnerable public versions of the Active Template Library &#40;ATL&#41;. This security update &#40;976325&#41; helps mitigate known attack vectors within Internet Explorer for those components and controls that have been developed with the versions of ATL described in Microsoft Security Advisory 973882 and MS09-035. See also the ATL COM Initialization Vulnerability, CVE-2009-2493, in the next section, Vulnerability Information.\r\n\r\nHow does this security bulletin relate to the ATL issue described in Microsoft Security Advisory 973882? \r\nMicrosoft Security Advisory 973882 describes vulnerabilities in public and private versions of the Active Template Library &#40;ATL&#41;. This security update &#40;976325&#41; updates a control developed with the versions of ATL described in Microsoft Security Advisory 973882 and MS09-035. . See also the ATL COM Initialization Vulnerability, CVE-2009-2493, in the next section, Vulnerability Information.\r\n\r\nWhere can I find more information about the Microsoft Active Template Library security vulnerabilities and associated updates? \r\nFor more information regarding the Active Template Library &#40;ATL&#41; security vulnerabilities, see Microsoft Security Advisory 973882.\r\n\r\nTo download the update for ATL, see Microsoft Security Bulletin MS09-035.\r\n\r\nIf I have installed the MS09-035 update, do I still need to install this update? \r\nYes. MS09-035 is specifically intended for developers who use the Active Template Library &#40;ATL&#41; with Microsoft Visual Studio. Developers who redistribute components and controls built with ATL should install the update provided in MS09-035 to ensure that these components and controls do not contain the vulnerabilities described in that bulletin.\r\n\r\nWhere are the file information details? \r\nThe file information details can be found in the Microsoft Knowledge Base Article 976325.\r\n\r\nI am using an older release of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.\r\n\r\nIt should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.\r\n\r\nCustomers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.\r\nTop of sectionTop of section\r\nVulnerability Information\r\n\t\r\nSeverity Ratings and Vulnerability Identifiers\r\n\r\nThe following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin&#39;s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the December bulletin summary. For more information, see Microsoft Exploitability Index.\r\nVulnerability Severity Rating and Maximum Security Impact by Affected Software\r\nAffected Software\tATL COM Initialization Vulnerability - CVE-2009-2493\tUninitialized Memory Corruption Vulnerability - CVE-2009-3671\tHTML Object Memory Corruption Vulnerability - CVE-2009-3672\tUninitialized Memory Corruption Vulnerability - CVE-2009-3673\tUninitialized Memory Corruption Vulnerability - CVE-2009-3674\tAggregate Severity Rating\r\nInternet Explorer 5.01 and Internet Explorer 6 Service Pack 1\t \t \t \t \t \t \r\n\r\nInternet Explorer 5.01 Service Pack 4 when installed on Microsoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\n\r\nInternet Explorer 6 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\nInternet Explorer 6\t \t \t \t \t \t \r\n\r\nInternet Explorer 6 for Windows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\n\r\nInternet Explorer 6 for Windows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\n\r\nInternet Explorer 6 for Windows Server 2003 Service Pack 2\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\n\r\nInternet Explorer 6 for Windows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\n\r\nInternet Explorer 6 for Windows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\nInternet Explorer 7\t \t \t \t \t \t \r\n\r\nInternet Explorer 7 for Windows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\n\r\nInternet Explorer 7 for Windows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\n\r\nInternet Explorer 7 for Windows Server 2003 Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate\r\n\r\nInternet Explorer 7 for Windows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate\r\n\r\nInternet Explorer 7 for Windows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate\r\n\r\nInternet Explorer 7 in Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\n\r\nInternet Explorer 7 in Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\n\r\nInternet Explorer 7 in Windows Server 2008 for 32-bit Systems* and Windows Server 2008 for 32-bit Systems Service Pack 2*\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate\r\n\r\nInternet Explorer 7 in Windows Server 2008 for x64-based Systems* and Windows Server 2008 for x64-based Systems Service Pack 2*\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate\r\n\r\nInternet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate\r\nInternet Explorer 8\t \t \t \t \t \t \r\n\r\nInternet Explorer 8 for Windows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nInternet Explorer 8 for Windows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nInternet Explorer 8 for Windows Server 2003 Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\r\nInternet Explorer 8 for Windows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\r\nInternet Explorer 8 in Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nInternet Explorer 8 in Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nInternet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\r\nInternet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\r\nInternet Explorer 8 in Windows 7 for 32-bit Systems\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nInternet Explorer 8 in Windows 7 for x64-based Systems\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nInternet Explorer 8 in Windows Server 2008 R2 for x64-based Systems*\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\r\nInternet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate \r\nRemote Code Execution\r\n\t\r\n\r\nModerate\r\n\r\n*Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, when installed using the Server Core installation option. For more information on this installation option, see the MSDN articles, Server Core and Server Core for Windows Server 2008 R2. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.\r\nTop of sectionTop of section\r\n\t\r\nATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nA remote code execution vulnerability exists in an ActiveX control built with vulnerable Microsoft Active Template Library &#40;ATL&#41; headers. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. Components and controls built using ATL could allow the instantiation of arbitrary objects that can bypass related security policy, such as kill bits within Internet Explorer. Therefore, this vulnerability could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-2493.\r\n\t\r\nMitigating Factors for ATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker\u2019s Web site.\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nBy default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.\r\n\u2022\t\r\n\r\nBy default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See the FAQ subsection of this vulnerability section for more information about Internet Explorer Enhanced Security Configuration.\r\n\u2022\t\r\n\r\nInternet Explorer 7 and Internet Explorer 8 are not affected by this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for ATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nSet Internet and Local intranet security zone settings to &quot;High&quot; to prompt before running ActiveX Controls and Active Scripting in these zones\r\n\r\nYou can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls and Active Scripting. You can do this by setting your browser security to High.\r\n\r\nTo raise the browsing security level in Internet Explorer, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nOn the Internet Explorer Tools menu, click Internet Options.\r\n\r\n2.\r\n\t\r\n\r\nIn the Internet Options dialog box, click the Security tab, and then click the Internet icon.\r\n\r\n3.\r\n\t\r\n\r\nUnder Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.\r\n\r\nNote If no slider is visible, click Default Level, and then move the slider to High.\r\n\r\nNote Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.\r\n\r\nImpact of workaround. There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in &quot;Add sites that you trust to the Internet Explorer Trusted sites zone&quot;.\r\n\r\nAdd sites that you trust to the Internet Explorer Trusted sites zone\r\n\r\nAfter you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.\r\n\r\nTo do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Tools, click Internet Options, and then click the Security tab.\r\n\r\n2.\r\n\t\r\n\r\nIn the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.\r\n\r\n3.\r\n\t\r\n\r\nIf you want to add sites that do not require an encrypted channel, click to clear the Require server verification &#40;https:&#41; for all sites in this zone check box.\r\n\r\n4.\r\n\t\r\n\r\nIn the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.\r\n\r\n5.\r\n\t\r\n\r\nRepeat these steps for each site that you want to add to the zone.\r\n\r\n6.\r\n\t\r\n\r\nClick OK two times to accept the changes and return to Internet Explorer.\r\n\r\nNote Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.\r\n\u2022\t\r\n\r\nConfigure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone\r\n\r\nYou can help protect against exploitation of this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Internet Options on the Tools menu.\r\n\r\n2.\r\n\t\r\n\r\nClick the Security tab.\r\n\r\n3.\r\n\t\r\n\r\nClick Internet, and then click Custom Level.\r\n\r\n4.\r\n\t\r\n\r\nUnder Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.\r\n\r\n5.\r\n\t\r\n\r\nClick Local intranet, and then click Custom Level.\r\n\r\n6.\r\n\t\r\n\r\nUnder Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.\r\n\r\n7.\r\n\t\r\n\r\nClick OK two times to return to Internet Explorer.\r\n\r\nNote Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.\r\n\r\nImpact of workaround. There are side effects to prompting before running Active Scripting. Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in &quot;Add sites that you trust to the Internet Explorer Trusted sites zone&quot;.\r\n\r\nAdd sites that you trust to the Internet Explorer Trusted sites zone\r\n\r\nAfter you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.\r\n\r\nTo do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Tools, click Internet Options, and then click the Security tab.\r\n\r\n2.\r\n\t\r\n\r\nIn the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.\r\n\r\n3.\r\n\t\r\n\r\nIf you want to add sites that do not require an encrypted channel, click to clear the Require server verification &#40;https:&#41; for all sites in this zone check box.\r\n\r\n4.\r\n\t\r\n\r\nIn the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.\r\n\r\n5.\r\n\t\r\n\r\nRepeat these steps for each site that you want to add to the zone.\r\n\r\n6.\r\n\t\r\n\r\nClick OK two times to accept the changes and return to Internet Explorer.\r\n\r\nNote Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for ATL COM Initialization Vulnerability - CVE-2009-2493\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. The vulnerability could allow remote code execution if the user visits a specially crafted Web page with Internet Explorer, instantiating a vulnerable component or control. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability results from an ActiveX control built with vulnerable Microsoft Active Template Library &#40;ATL&#41; headers. Unsafe usage of this control could allow the instantiation of arbitrary objects that can bypass certain related security policies.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nIf a user&#39;s system has a vulnerable control and an attacker bypasses the mitigations described in Microsoft Security Advisory 973882, and if the user is logged on with administrative user rights, then an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker&#39;s Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\r\nWhat is the component affected by the vulnerability? \r\nThe component affected by the vulnerability is tdc.ocx.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who should not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nI am running Internet Explorer for Windows Server 2003 or Windows Server 2008. Does this mitigate this vulnerability? \r\nYes. By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.\r\n\r\nWhat does the update do? \r\nThe update addresses the vulnerability by correcting a control that handles tabular data. This control was previously built using vulnerable Microsoft Active Template Library &#40;ATL&#41;.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nUninitialized Memory Corruption Vulnerability - CVE-2009-3671\r\n\r\nA remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-3671.\r\n\t\r\nMitigating Factors for Uninitialized Memory Corruption Vulnerability - CVE-2009-3671\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker\u2019s Web site.\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nBy default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.\r\n\u2022\t\r\n\r\nBy default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See the FAQ subsection of this vulnerability section for more information about Internet Explorer Enhanced Security Configuration.\r\n\u2022\t\r\n\r\nInternet Explorer 5.01 Service Pack 4, Internet Explorer 6.0, Internet Explorer 6 Service Pack 1, and Internet Explorer 7 are not affected by this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Uninitialized Memory Corruption Vulnerability - CVE-2009-3671\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nSet Internet and Local intranet security zone settings to &quot;High&quot; to prompt before running ActiveX Controls and Active Scripting in these zones\r\n\r\nYou can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls and Active Scripting. You can do this by setting your browser security to High.\r\n\r\nTo raise the browsing security level in Internet Explorer, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nOn the Internet Explorer Tools menu, click Internet Options.\r\n\r\n2.\r\n\t\r\n\r\nIn the Internet Options dialog box, click the Security tab, and then click the Internet icon.\r\n\r\n3.\r\n\t\r\n\r\nUnder Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.\r\n\r\nNote If no slider is visible, click Default Level, and then move the slider to High.\r\n\r\nNote Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.\r\n\r\nImpact of workaround. There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in &quot;Add sites that you trust to the Internet Explorer Trusted sites zone&quot;.\r\n\r\nAdd sites that you trust to the Internet Explorer Trusted sites zone\r\n\r\nAfter you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.\r\n\r\nTo do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Tools, click Internet Options, and then click the Security tab.\r\n\r\n2.\r\n\t\r\n\r\nIn the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.\r\n\r\n3.\r\n\t\r\n\r\nIf you want to add sites that do not require an encrypted channel, click to clear the Require server verification &#40;https:&#41; for all sites in this zone check box.\r\n\r\n4.\r\n\t\r\n\r\nIn the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.\r\n\r\n5.\r\n\t\r\n\r\nRepeat these steps for each site that you want to add to the zone.\r\n\r\n6.\r\n\t\r\n\r\nClick OK two times to accept the changes and return to Internet Explorer.\r\n\r\nNote Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.\r\n\u2022\t\r\n\r\nConfigure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone\r\n\r\nYou can help protect against exploitation of this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Internet Options on the Tools menu.\r\n\r\n2.\r\n\t\r\n\r\nClick the Security tab.\r\n\r\n3.\r\n\t\r\n\r\nClick Internet, and then click Custom Level.\r\n\r\n4.\r\n\t\r\n\r\nUnder Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.\r\n\r\n5.\r\n\t\r\n\r\nClick Local intranet, and then click Custom Level.\r\n\r\n6.\r\n\t\r\n\r\nUnder Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.\r\n\r\n7.\r\n\t\r\n\r\nClick OK two times to return to Internet Explorer.\r\n\r\nNote Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.\r\n\r\nImpact of workaround. There are side effects to prompting before running Active Scripting. Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in &quot;Add sites that you trust to the Internet Explorer Trusted sites zone&quot;.\r\n\r\nAdd sites that you trust to the Internet Explorer Trusted sites zone\r\n\r\nAfter you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.\r\n\r\nTo do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Tools, click Internet Options, and then click the Security tab.\r\n\r\n2.\r\n\t\r\n\r\nIn the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.\r\n\r\n3.\r\n\t\r\n\r\nIf you want to add sites that do not require an encrypted channel, click to clear the Require server verification &#40;https:&#41; for all sites in this zone check box.\r\n\r\n4.\r\n\t\r\n\r\nIn the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.\r\n\r\n5.\r\n\t\r\n\r\nRepeat these steps for each site that you want to add to the zone.\r\n\r\n6.\r\n\t\r\n\r\nClick OK two times to accept the changes and return to Internet Explorer.\r\n\r\nNote Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Uninitialized Memory Corruption Vulnerability - CVE-2009-3671\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nWhen Internet Explorer attempts to access an object that has not been initialized or has been deleted, it may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as a logged-on user. If the user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker&#39;s Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nThis vulnerability requires that a user be logged on and visiting a Web site for any malicious action to occur. Therefore, any systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.\r\n\r\nI am running Internet Explorer for Windows Server 2003 or Windows Server 2008. Does this mitigate this vulnerability? \r\nYes. By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.\r\n\r\nWhat does the update do? \r\nThe update modifies the way that Internet Explorer handles objects in memory.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nHTML Object Memory Corruption Vulnerability - CVE-2009-3672\r\n\r\nA remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-3672.\r\n\t\r\nMitigating Factors for HTML Object Memory Corruption Vulnerability - CVE-2009-3672\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker\u2019s Web site.\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nBy default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.\r\n\u2022\t\r\n\r\nBy default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See the FAQ subsection of this vulnerability section for more information about Internet Explorer Enhanced Security Configuration.\r\n\u2022\t\r\n\r\nInternet Explorer 5.01 Service Pack 4 and Internet Explorer 8 are not affected by this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for HTML Object Memory Corruption Vulnerability - CVE-2009-3672\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nSet Internet and Local intranet security zone settings to &quot;High&quot; to prompt before running ActiveX Controls and Active Scripting in these zones\r\n\r\nYou can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls and Active Scripting. You can do this by setting your browser security to High.\r\n\r\nTo raise the browsing security level in Internet Explorer, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nOn the Internet Explorer Tools menu, click Internet Options.\r\n\r\n2.\r\n\t\r\n\r\nIn the Internet Options dialog box, click the Security tab, and then click the Internet icon.\r\n\r\n3.\r\n\t\r\n\r\nUnder Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.\r\n\r\nNote If no slider is visible, click Default Level, and then move the slider to High.\r\n\r\nNote Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.\r\n\r\nImpact of workaround. There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in &quot;Add sites that you trust to the Internet Explorer Trusted sites zone&quot;.\r\n\r\nAdd sites that you trust to the Internet Explorer Trusted sites zone\r\n\r\nAfter you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.\r\n\r\nTo do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Tools, click Internet Options, and then click the Security tab.\r\n\r\n2.\r\n\t\r\n\r\nIn the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.\r\n\r\n3.\r\n\t\r\n\r\nIf you want to add sites that do not require an encrypted channel, click to clear the Require server verification &#40;https:&#41; for all sites in this zone check box.\r\n\r\n4.\r\n\t\r\n\r\nIn the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.\r\n\r\n5.\r\n\t\r\n\r\nRepeat these steps for each site that you want to add to the zone.\r\n\r\n6.\r\n\t\r\n\r\nClick OK two times to accept the changes and return to Internet Explorer.\r\n\r\nNote Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.\r\n\u2022\t\r\n\r\nConfigure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone\r\n\r\nYou can help protect against exploitation of this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Internet Options on the Tools menu.\r\n\r\n2.\r\n\t\r\n\r\nClick the Security tab.\r\n\r\n3.\r\n\t\r\n\r\nClick Internet, and then click Custom Level.\r\n\r\n4.\r\n\t\r\n\r\nUnder Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.\r\n\r\n5.\r\n\t\r\n\r\nClick Local intranet, and then click Custom Level.\r\n\r\n6.\r\n\t\r\n\r\nUnder Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.\r\n\r\n7.\r\n\t\r\n\r\nClick OK two times to return to Internet Explorer.\r\n\r\nNote Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.\r\n\r\nImpact of workaround. There are side effects to prompting before running Active Scripting. Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in &quot;Add sites that you trust to the Internet Explorer Trusted sites zone&quot;.\r\n\r\nAdd sites that you trust to the Internet Explorer Trusted sites zone\r\n\r\nAfter you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.\r\n\r\nTo do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Tools, click Internet Options, and then click the Security tab.\r\n\r\n2.\r\n\t\r\n\r\nIn the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.\r\n\r\n3.\r\n\t\r\n\r\nIf you want to add sites that do not require an encrypted channel, click to clear the Require server verification &#40;https:&#41; for all sites in this zone check box.\r\n\r\n4.\r\n\t\r\n\r\nIn the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.\r\n\r\n5.\r\n\t\r\n\r\nRepeat these steps for each site that you want to add to the zone.\r\n\r\n6.\r\n\t\r\n\r\nClick OK two times to accept the changes and return to Internet Explorer.\r\n\r\nNote Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.\r\n\u2022\t\r\n\r\nEnable DEP for Internet Explorer 6 or Internet Explorer 7\r\n\r\nThis vulnerability is more difficult to exploit successfully if Data Execution Protection &#40;DEP&#41; is enabled for Internet Explorer. You can enable DEP for all versions of Internet Explorer that support DEP, using one of the following methods:\r\n\u2022\t\r\n\r\nEnable DEP for Internet Explorer 7 interactively\r\n\r\nLocal Administrators can control DEP/NX by running Internet Explorer as an Administrator. To enable DEP, perform the following steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Tools, click Internet Options, and then click Advanced.\r\n\r\n2.\r\n\t\r\n\r\nClick Enable memory protection to help mitigate online attacks.\r\n\u2022\t\r\n\r\nEnable DEP for Internet Explorer 6 or Internet Explorer 7 using automated Microsoft Fix It\r\n\r\nSee Microsoft Knowledge Base Article 976325 to use the automated Microsoft Fix it solution to enable or disable this workaround.\r\n\r\nImpact of workaround: Some browser extensions may not be compatible with DEP and may exit unexpectedly. If this occurs, you can disable the add-on, or revert the DEP setting using the Internet Control Panel. This is also accessible using the System Control panel.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for HTML Object Memory Corruption Vulnerability - CVE-2009-3672\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nWhen Internet Explorer attempts to access incorrectly initialized memory under certain conditions, it may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as a logged-on user. If the user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker&#39;s Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nThis vulnerability requires that a user be logged on and visiting a Web site for any malicious action to occur. Therefore, any systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.\r\n\r\nI am running Internet Explorer for Windows Server 2003 or Windows Server 2008. Does this mitigate this vulnerability? \r\nYes. By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.\r\n\r\nWhat does the update do? \r\nThe update modifies the way that Internet Explorer handles objects in memory.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nYes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2009-3672.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nUninitialized Memory Corruption Vulnerability - CVE-2009-3673\r\n\r\nA remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-3673.\r\n\t\r\nMitigating Factors for Uninitialized Memory Corruption Vulnerability - CVE-2009-3673\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker\u2019s Web site.\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nBy default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.\r\n\u2022\t\r\n\r\nBy default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See the FAQ subsection of this vulnerability section for more information about Internet Explorer Enhanced Security Configuration.\r\n\u2022\t\r\n\r\nInternet Explorer 5.01 Service Pack 4, Internet Explorer 6.0, and Internet Explorer 6 Service Pack 1 are not affected by this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Uninitialized Memory Corruption Vulnerability - CVE-2009-3673\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nSet Internet and Local intranet security zone settings to &quot;High&quot; to prompt before running ActiveX Controls and Active Scripting in these zones\r\n\r\nYou can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls and Active Scripting. You can do this by setting your browser security to High.\r\n\r\nTo raise the browsing security level in Internet Explorer, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nOn the Internet Explorer Tools menu, click Internet Options.\r\n\r\n2.\r\n\t\r\n\r\nIn the Internet Options dialog box, click the Security tab, and then click the Internet icon.\r\n\r\n3.\r\n\t\r\n\r\nUnder Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.\r\n\r\nNote If no slider is visible, click Default Level, and then move the slider to High.\r\n\r\nNote Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.\r\n\r\nImpact of workaround. There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in &quot;Add sites that you trust to the Internet Explorer Trusted sites zone&quot;.\r\n\r\nAdd sites that you trust to the Internet Explorer Trusted sites zone\r\n\r\nAfter you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.\r\n\r\nTo do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Tools, click Internet Options, and then click the Security tab.\r\n\r\n2.\r\n\t\r\n\r\nIn the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.\r\n\r\n3.\r\n\t\r\n\r\nIf you want to add sites that do not require an encrypted channel, click to clear the Require server verification &#40;https:&#41; for all sites in this zone check box.\r\n\r\n4.\r\n\t\r\n\r\nIn the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.\r\n\r\n5.\r\n\t\r\n\r\nRepeat these steps for each site that you want to add to the zone.\r\n\r\n6.\r\n\t\r\n\r\nClick OK two times to accept the changes and return to Internet Explorer.\r\n\r\nNote Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.\r\n\u2022\t\r\n\r\nConfigure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone\r\n\r\nYou can help protect against exploitation of this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Internet Options on the Tools menu.\r\n\r\n2.\r\n\t\r\n\r\nClick the Security tab.\r\n\r\n3.\r\n\t\r\n\r\nClick Internet, and then click Custom Level.\r\n\r\n4.\r\n\t\r\n\r\nUnder Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.\r\n\r\n5.\r\n\t\r\n\r\nClick Local intranet, and then click Custom Level.\r\n\r\n6.\r\n\t\r\n\r\nUnder Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.\r\n\r\n7.\r\n\t\r\n\r\nClick OK two times to return to Internet Explorer.\r\n\r\nNote Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.\r\n\r\nImpact of workaround. There are side effects to prompting before running Active Scripting. Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in &quot;Add sites that you trust to the Internet Explorer Trusted sites zone&quot;.\r\n\r\nAdd sites that you trust to the Internet Explorer Trusted sites zone\r\n\r\nAfter you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.\r\n\r\nTo do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Tools, click Internet Options, and then click the Security tab.\r\n\r\n2.\r\n\t\r\n\r\nIn the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.\r\n\r\n3.\r\n\t\r\n\r\nIf you want to add sites that do not require an encrypted channel, click to clear the Require server verification &#40;https:&#41; for all sites in this zone check box.\r\n\r\n4.\r\n\t\r\n\r\nIn the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.\r\n\r\n5.\r\n\t\r\n\r\nRepeat these steps for each site that you want to add to the zone.\r\n\r\n6.\r\n\t\r\n\r\nClick OK two times to accept the changes and return to Internet Explorer.\r\n\r\nNote Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Uninitialized Memory Corruption Vulnerability - CVE-2009-3673\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nWhen Internet Explorer attempts to access an object that has not been initialized or has been deleted, it may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as a logged-on user. If the user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker&#39;s Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nThis vulnerability requires that a user be logged on and visiting a Web site for any malicious action to occur. Therefore, any systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.\r\n\r\nI am running Internet Explorer for Windows Server 2003 or Windows Server 2008. Does this mitigate this vulnerability? \r\nYes. By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.\r\n\r\nWhat does the update do? \r\nThe update modifies the way that Internet Explorer handles objects in memory.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nUninitialized Memory Corruption Vulnerability - CVE-2009-3674\r\n\r\nA remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-3674.\r\n\t\r\nMitigating Factors for Uninitialized Memory Corruption Vulnerability - CVE-2009-3674\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker\u2019s Web site.\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nBy default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.\r\n\u2022\t\r\n\r\nBy default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See the FAQ subsection of this vulnerability section for more information about Internet Explorer Enhanced Security Configuration.\r\n\u2022\t\r\n\r\nInternet Explorer 5.01 Service Pack 4, Internet Explorer 6, Internet Explorer 6 Service Pack 1, and Internet Explorer 7 are not affected by this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Uninitialized Memory Corruption Vulnerability - CVE-2009-3674\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nSet Internet and Local intranet security zone settings to &quot;High&quot; to prompt before running ActiveX Controls and Active Scripting in these zones\r\n\r\nYou can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls and Active Scripting. You can do this by setting your browser security to High.\r\n\r\nTo raise the browsing security level in Internet Explorer, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nOn the Internet Explorer Tools menu, click Internet Options.\r\n\r\n2.\r\n\t\r\n\r\nIn the Internet Options dialog box, click the Security tab, and then click the Internet icon.\r\n\r\n3.\r\n\t\r\n\r\nUnder Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.\r\n\r\nNote If no slider is visible, click Default Level, and then move the slider to High.\r\n\r\nNote Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.\r\n\r\nImpact of workaround. There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in &quot;Add sites that you trust to the Internet Explorer Trusted sites zone&quot;.\r\n\r\nAdd sites that you trust to the Internet Explorer Trusted sites zone\r\n\r\nAfter you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.\r\n\r\nTo do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Tools, click Internet Options, and then click the Security tab.\r\n\r\n2.\r\n\t\r\n\r\nIn the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.\r\n\r\n3.\r\n\t\r\n\r\nIf you want to add sites that do not require an encrypted channel, click to clear the Require server verification &#40;https:&#41; for all sites in this zone check box.\r\n\r\n4.\r\n\t\r\n\r\nIn the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.\r\n\r\n5.\r\n\t\r\n\r\nRepeat these steps for each site that you want to add to the zone.\r\n\r\n6.\r\n\t\r\n\r\nClick OK two times to accept the changes and return to Internet Explorer.\r\n\r\nNote Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.\r\n\u2022\t\r\n\r\nConfigure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone\r\n\r\nYou can help protect against exploitation of this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Internet Options on the Tools menu.\r\n\r\n2.\r\n\t\r\n\r\nClick the Security tab.\r\n\r\n3.\r\n\t\r\n\r\nClick Internet, and then click Custom Level.\r\n\r\n4.\r\n\t\r\n\r\nUnder Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.\r\n\r\n5.\r\n\t\r\n\r\nClick Local intranet, and then click Custom Level.\r\n\r\n6.\r\n\t\r\n\r\nUnder Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.\r\n\r\n7.\r\n\t\r\n\r\nClick OK two times to return to Internet Explorer.\r\n\r\nNote Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.\r\n\r\nImpact of workaround. There are side effects to prompting before running Active Scripting. Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in &quot;Add sites that you trust to the Internet Explorer Trusted sites zone&quot;.\r\n\r\nAdd sites that you trust to the Internet Explorer Trusted sites zone\r\n\r\nAfter you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.\r\n\r\nTo do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Tools, click Internet Options, and then click the Security tab.\r\n\r\n2.\r\n\t\r\n\r\nIn the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.\r\n\r\n3.\r\n\t\r\n\r\nIf you want to add sites that do not require an encrypted channel, click to clear the Require server verification &#40;https:&#41; for all sites in this zone check box.\r\n\r\n4.\r\n\t\r\n\r\nIn the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.\r\n\r\n5.\r\n\t\r\n\r\nRepeat these steps for each site that you want to add to the zone.\r\n\r\n6.\r\n\t\r\n\r\nClick OK two times to accept the changes and return to Internet Explorer.\r\n\r\nNote Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Uninitialized Memory Corruption Vulnerability - CVE-2009-3674\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nWhen Internet Explorer attempts to access an object that has not been initialized or has been deleted, it may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as a logged-on user. If the user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker&#39;s Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nThis vulnerability requires that a user be logged on and visiting a Web site for any malicious action to occur. Therefore, any systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.\r\n\r\nWhat does the update do? \r\nThe update modifies the way that Internet Explorer handles objects in memory.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nRyan Smith of Verisign IDefense Labs for reporting the ATL COM Initialization Vulnerability &#40;CVE-2009-2493&#41;\r\n\u2022\t\r\n\r\nSam Thomas of eshu.co.uk, working with TippingPoint and the Zero Day Initiative, for reporting the Uninitialized Memory Corruption Vulnerability &#40;CVE-2009-3671&#41;\r\n\u2022\t\r\n\r\nteam509, working with Verisign IDefense Labs, for reporting the HTML Object Memory Corruption Vulnerability &#40;CVE-2009-3672&#41;\r\n\u2022\t\r\n\r\nAn anonymous researcher, working with TippingPoint and the Zero Day Initiative, for reporting the Uninitialized Memory Corruption Vulnerability &#40;CVE-2009-3673&#41;\r\n\u2022\t\r\n\r\nAn anonymous researcher, working with TippingPoint and the Zero Day Initiative, for reporting the Uninitialized Memory Corruption Vulnerability &#40;CVE-2009-3674&#41;\r\nTop of sectionTop of section\r\nMicrosoft Active Protections Program &#40;MAPP&#41;\r\n\r\nTo improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program &#40;MAPP&#41; Partners.\r\n\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided &quot;as is&quot; without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 &#40;December 8, 2009&#41;: Bulletin published.", "edition": 1, "cvss3": {}, "published": "2009-12-09T00:00:00", "title": "Microsoft Security Bulletin MS09-072 - Critical Cumulative Security Update for Internet Explorer &#40;976325&#41;", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-3673", "CVE-2009-3674", "CVE-2009-2493", "CVE-2009-3671", "CVE-2009-3672"], "modified": "2009-12-09T00:00:00", "id": "SECURITYVULNS:DOC:22881", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22881", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mskb": [{"lastseen": "2021-01-01T22:43:32", "description": "<html><body><p>Addresses vulnerabilities in the Active Template Libraries for the Microsoft Visual Studio that could allow remote code execution. Applies to systems with ActiveX controls installed that were built using Visual Studio Active Template Libraries.</p><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS09-035. To view the complete security bulletin, visit one of the following Microsoft Web sites:<br/><br/><ul class=\"sbody-free_list\"><li>Home users:<br/><br/><div class=\"indent\"><a href=\"http://www.microsoft.com/security/updates/bulletins/200908.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/security/updates/bulletins/200908.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update Web site now:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate\" id=\"kb-link-2\" target=\"_self\">http://update.microsoft.com/microsoftupdate</a></div></li><li>IT professionals:<br/><br/><div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx\" id=\"kb-link-3\" target=\"_self\">http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx</a></div></li></ul><span><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3> <br/>Help installing updates: <br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-4\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-5\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-6\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-7\" target=\"_self\">International Support</a><br/><br/></span></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\"> Prerequisites</h3> <br/>If you are running Windows Server 2003 Service Pack 2 (SP2), you must install update 973825 before you install this security update.<br/><br/><span>For more information about update 973825, click the following article number to view the article in the Microsoft Knowledge Base:<br/><br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973825\" id=\"kb-link-8\">973825 </a> Error message when you try to install a large Windows Installer package or a large Windows Installer patch package in Windows Server 2003 Service Pack 2: \"Error 1718 File was rejected by digital signature policy\"<br/><br/></div></span><h3 class=\"sbody-h3\">Additional information and known issues about this security update</h3><span>For more information about this security update, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/971089\" id=\"kb-link-9\">971089 </a>Description of the update for Microsoft Visual Studio .NET 2003 Service Pack 1: July 28, 2009<br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/971090\" id=\"kb-link-10\">971090 </a>Description of the update for Microsoft Visual Studio 2005 Service Pack 1: July 28, 2009<br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/971091\" id=\"kb-link-11\">971091 </a>Description of the update for Microsoft Visual Studio 2008: July 28, 2009<br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/971092\" id=\"kb-link-12\">971092 </a>Description of the update for Microsoft Visual Studio 2008 Service Pack 1: July 28, 2009<br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973544\" id=\"kb-link-13\">973544 </a> Description of the security update for Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package: July 28, 2009<br/><br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973552\" id=\"kb-link-14\">973552 </a> Description of the security update for Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package: July 28, 2009<br/><br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973551\" id=\"kb-link-15\">973551 </a> <br/>Description of the update for Microsoft Visual C++ 2008 Redistributable Package: July 28, 2009<br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973830\" id=\"kb-link-16\">973830 </a> <br/>Description of the update for Microsoft Visual Studio 2005 Service Pack 1 64-bit Hosted Visual C++ Tools: July 28, 2009<br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973923\" id=\"kb-link-17\">973923 </a> Description of the security update for the Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package (for previously installed versions): July 28, 2009<br/><br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973924\" id=\"kb-link-18\">973924 </a> Description of the security update for the Microsoft Visual C++ 2008 Redistributable Package (for previously installed versions): July 28, 2009<br/><br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973673\" id=\"kb-link-19\">973673 </a> MS09-035: Description of the ATL for Smart Devices security update for Visual Studio 2005 Service Pack 1: August 11, 2009<br/><br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973674\" id=\"kb-link-20\">973674 </a> MS09-035: Description of the ATL for Smart Devices security update for Visual Studio 2008: August 11, 2009<br/><br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973675\" id=\"kb-link-21\">973675 </a> MS09-035: Description of the ATL for Smart Devices security update for Visual Studio 2008 Service Pack 1: August 11, 2009<br/><br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/974616\" id=\"kb-link-22\">974616 </a> <br/>An update rollup is available for Windows Embedded CE 6.0 (December 2009)<br/></div></span><span>For more information about any known issues with specific releases of this software, click the following article number to view the article in the Microsoft Knowledge Base:<br/><br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/974054\" id=\"kb-link-23\">974054 </a> Symbol files (PDBs) are not updated after you install update 971090 or 973830 for Visual Studio 2005 Service Pack 1 or update 971089 for Visual Studio .NET 2003 Service Pack 1<br/><br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/974055\" id=\"kb-link-24\">974055 </a> <br/>Some DLL files are not updated when you install update 971091 for Visual Studio 2008<br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973825\" id=\"kb-link-25\">973825 </a> Error message when you try to install a large Windows Installer package or a large Windows Installer patch package in Windows Server 2003 Service Pack 2: \"Error 1718 File was rejected by digital signature policy\"<br/><br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/974479\" id=\"kb-link-26\">974479 </a> You receive a compile error in your ATL project after you install the Windows SDK 6.1 with Visual Studio 2008 Service Pack 1<br/><br/></div></span></div><h2>Additional affected products</h2><div class=\"kb-summary-section section\">In addition to the product versions that are specified in the \"Applies to\" section, this security update is meant to be used with the following products: <br/><br/><ul class=\"sbody-free_list\"><li>Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package</li><li>Microsoft Visual C++ 2008 Redistributable Package</li><li>Microsoft Visual Studio 2005 Service Pack 1 64-bit Hosted Visual C++ Tools</li><li>Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package</li></ul></div></body></html>", "edition": 2, "cvss3": {}, "published": "2018-04-17T20:27:28", "type": "mskb", "title": "MS09-035: Vulnerabilities in Visual Studio Active Template Libraries could allow remote code execution", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2495", "CVE-2009-2493", "CVE-2009-0901"], "modified": "2018-04-17T20:27:28", "id": "KB969706", "href": "https://support.microsoft.com/en-us/help/969706/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:48:11", "description": "<html><body><p>Resolves vulnerabilities in ATL that could allow remote code execution if a user loaded a specially crafted component or control hosted on a malicious website.</p><h2></h2><div class=\"kb-notice-section section\"><span class=\"text-base\">Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: <a href=\"http://windows.microsoft.com/en-us/windows/help/end-support-windows-xp-sp2-windows-vista-without-service-packs\" id=\"kb-link-1\" target=\"_self\">Support is ending for some versions of Windows</a></span>.</div><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS09-037. To view the complete security bulletin, visit one of the following Microsoft Web sites:<br/><br/><ul class=\"sbody-free_list\"><li>Home users:<br/><br/><div class=\"indent\"><a href=\"http://www.microsoft.com/security/updates/bulletins/200908.aspx\" id=\"kb-link-2\" target=\"_self\">http://www.microsoft.com/security/updates/bulletins/200908.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update Web site now:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate\" id=\"kb-link-3\" target=\"_self\">http://update.microsoft.com/microsoftupdate</a></div></li><li>IT professionals:<br/><br/><div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/bulletin/ms09-037.mspx\" id=\"kb-link-4\" target=\"_self\">http://www.microsoft.com/technet/security/bulletin/MS09-037.mspx</a></div></li></ul><span><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3> <br/>Help installing updates: <br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-5\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-6\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-7\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-8\" target=\"_self\">International Support</a><br/><br/></span></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Known issues and additional information about this security update</h3><span>For more information about this security update and for information about any known issues with specific releases of this software, click the following article number to view the article in the Microsoft Knowledge Base:<br/><br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973354\" id=\"kb-link-9\">973354 </a> MS09-037: Description of the security update for Outlook Express: August 11, 2009<br/><br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973507\" id=\"kb-link-10\">973507 </a> MS09-037: Description of the security update for the Active Template Library: August 11, 2009<br/><br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973540\" id=\"kb-link-11\">973540 </a> MS09-037: Description of the security update for Windows Media Player: August 11, 2009<br/><br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973815\" id=\"kb-link-12\">973815 </a> MS09-037: Description of the security update for Microsoft MSWebDVD ActiveX Control in Windows XP and Windows Server 2003: August 11, 2009<br/><br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973869\" id=\"kb-link-13\">973869 </a> MS09-037: Description of the security update for the DHTML editing component ActiveX control: August 11, 2009<br/><br/></div></span><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/973768\" id=\"kb-link-14\">973768 </a> <br/>MS09-037: Description of the security update for Microsoft HtmlInput Object ActiveX Control in Windows XP Media Center Edition, Windows Vista, and Windows Server 2008: August 11, 2009<br/></div></span></div></body></html>", "edition": 2, "cvss3": {}, "published": "2019-11-06T02:17:02", "type": "mskb", "title": "MS09-037: Vulnerabilities in Microsoft Active Template Library (ATL) could allow remote code execution", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2494", "CVE-2009-2493", "CVE-2008-0015", "CVE-2008-0020", "CVE-2009-0901"], "modified": "2019-11-06T02:17:02", "id": "KB973908", "href": "https://support.microsoft.com/en-us/help/973908/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-13T14:27:14", "description": "<html><body><p>Resolves a vulnerability that is currently being exploited in Microsoft Video ActiveX Control that could allow remote code execution if a user views a specially crafted Web page by using Internet Explorer, instantiating the ActiveX control.</p><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS09-055. To view the complete security bulletin, visit one of the following Microsoft Web sites:<br/><br/><ul class=\"sbody-free_list\"><li>Home users:<br/><br/><div class=\"indent\"><a href=\"http://www.microsoft.com/security/updates/bulletins/200910.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/security/updates/bulletins/200910.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update Web site now:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate/\" id=\"kb-link-2\" target=\"_self\">http://update.microsoft.com/microsoftupdate</a></div></li><li>IT professionals:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/bulletin/ms09-055.mspx\" id=\"kb-link-3\" target=\"_self\">http://www.microsoft.com/technet/security/bulletin/MS09-055.mspx</a></div></li></ul><span><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3> <br/>Help installing updates: <br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-4\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-5\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-6\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-7\" target=\"_self\">International Support</a><br/><br/></span></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Security update download packages</h3><span>The following files are available for download from the Microsoft Download Center:<br/></span><h3 class=\"sbody-h3\">Update for ActiveX Killbits for Windows 7</h3><h4 class=\"sbody-h4\">For Windows 7 for 32-bit versions </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=b64bcc14-38a7-45b9-8f85-acc573777506\" id=\"kb-link-8\" target=\"_self\">Download the Windows6.1-KB973525-x86.msu package now.</a></span><h4 class=\"sbody-h4\">For Windows 7 for 64-bit versions </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=809e29f3-ec68-4a2b-b04e-11759dd16001\" id=\"kb-link-9\" target=\"_self\">Download the Windows6.1-KB973525-x64.msu package now.</a></span><h4 class=\"sbody-h4\">For Windows 7 IDX for 32-bit versions </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=a731d92c-bb56-47ce-9003-14d76237ecef\" id=\"kb-link-10\" target=\"_self\">Download the Windows6.1-KB973525-v5-x86-IDX.msu package now.</a></span><h4 class=\"sbody-h4\">For Windows 7 IDX for 64-bit versions </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=bd1cf986-092d-4664-8931-7335a5642aa5\" id=\"kb-link-11\" target=\"_self\">Download the Windows6.1-KB973525-v5-x64-IDX.msu package now.</a></span><h3 class=\"sbody-h3\">Update for ActiveX Killbits for Windows 7 Release Candidate</h3><h4 class=\"sbody-h4\">For Windows 7 Release Candidate for 32-bit versions </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=39319682-6f6c-4331-b9f7-d959b6ceba73\" id=\"kb-link-12\" target=\"_self\">Download the Windows6.1-KB973525-x86-RC.msu package now.</a></span><h4 class=\"sbody-h4\">For Windows 7 Release Candidate for 64-bit versions </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=37f109a1-73ec-476d-9276-3ab45cf37def\" id=\"kb-link-13\" target=\"_self\">Download the Windows6.1-KB973525-x64-RC.msu package now.</a></span><h3 class=\"sbody-h3\">Update for ActiveX Killbits for Windows Server 2008 R2</h3><h4 class=\"sbody-h4\">Windows Server 2008 R2 for Itanium-based Systems </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=85e76e55-3766-4ffe-9a18-8655de935b7c\" id=\"kb-link-14\" target=\"_self\">Download the Windows6.1-KB973525-ia64.msu package now.</a></span><h4 class=\"sbody-h4\">Windows Server 2008 R2 IDX for Itanium-based Systems </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=0a88d667-c519-46ab-9d75-87100b82fd33\" id=\"kb-link-15\" target=\"_self\">Download the Windows6.1-KB973525-v5-ia64-IDX.msu package now.</a></span><h4 class=\"sbody-h4\">Windows Server 2008 R2 x64 Edition </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=bcd2b944-6852-48f2-820b-cce7d195e391\" id=\"kb-link-16\" target=\"_self\">Download the Windows6.1-KB973525-x64.msu package now.</a></span><h4 class=\"sbody-h4\">Windows Server 2008 R2 IDX x64 Edition </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=f2115173-f5de-43fa-b6f0-991c3d31a0c4\" id=\"kb-link-17\" target=\"_self\">Download the Windows6.1-KB973525-v5-x64-IDX.msu package now.</a></span><h3 class=\"sbody-h3\">Update for ActiveX Killbits for Windows Server 2008 R2 Release Candidate</h3><h4 class=\"sbody-h4\">For Windows 2008 R2 Release Candidate for Itanium-based Systems </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=184f93c3-dbbd-4560-a743-0fb536406f72\" id=\"kb-link-18\" target=\"_self\">Download the Windows6.1-KB973525-ia64-RC.msu package now.</a></span><h4 class=\"sbody-h4\">Windows Server 2008 R2 Release Candidate x64 Edition </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=c4c826b9-330a-4f4e-8594-656c0813e77d\" id=\"kb-link-19\" target=\"_self\">Download the Windows6.1-KB973525-x64-RC.msu package now.</a></span><h3 class=\"sbody-h3\">Update for ActiveX Killbits for Windows Vista</h3><h4 class=\"sbody-h4\">For Windows Vista, 32-bit versions </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=7313c03b-8844-4086-a0cc-43dfdb3ca48c\" id=\"kb-link-20\" target=\"_self\">Download the Windows6.0-KB973525-x86.msu package now.</a></span><h4 class=\"sbody-h4\">For Windows Vista, 64-bit versions </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=7216bcb1-ff16-402b-ad1b-1500d46d0157\" id=\"kb-link-21\" target=\"_self\">Download the Windows6.0-KB973525-x64.msu package now.</a></span><h3 class=\"sbody-h3\">Update for ActiveX Killbits for Windows Server 2008</h3><h4 class=\"sbody-h4\">For Windows Server 2008 for 32-bit versions </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=51eb56fa-8204-45f3-86d7-6d03a2c8d78d\" id=\"kb-link-22\" target=\"_self\">Download the Windows6.0-KB973525-x86.msu package now.</a></span><h4 class=\"sbody-h4\">For Windows Server 2008 for 64-bit versions </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=131b047a-ae93-4a99-83e5-71d5a79e96ea\" id=\"kb-link-23\" target=\"_self\">Download the Windows6.0-KB973525-x64.msu package now.</a></span><h4 class=\"sbody-h4\">For Windows Server 2008 for Itanium-based systems </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=3d16c5bf-ee5c-4220-9755-5cb92eac2aae\" id=\"kb-link-24\" target=\"_self\">Download the Windows6.0-KB973525-ia64.msu package now.</a></span><h3 class=\"sbody-h3\">Update for ActiveX Killbits for Windows Server 2003</h3><h4 class=\"sbody-h4\">For Windows Server 2003 Service Pack 2 </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=f3249c99-82e4-45dc-a254-28e647e822c8\" id=\"kb-link-25\" target=\"_self\">Download the WindowsServer2003-KB973525-x86-ENU.exe package now.</a></span><h4 class=\"sbody-h4\">Windows Server 2003 Service Pack 2, x64-based versions </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=1ad3f7b3-58d5-4507-ae20-a265e47cee9c\" id=\"kb-link-26\" target=\"_self\">Download the WindowsServer2003.WindowsXP-KB973525-x64-ENU.exe package now.</a></span><h4 class=\"sbody-h4\">For Windows Server 2003 with SP2 for Itanium-based systems</h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=575e75d9-e348-4fbb-9eaa-43240e4d715e\" id=\"kb-link-27\" target=\"_self\">Download the WindowsServer2003-KB973525-ia64-ENU.exe package now.</a></span><h3 class=\"sbody-h3\">Update for ActiveX Killbits for Windows XP</h3><h4 class=\"sbody-h4\">For Windows XP Service Pack 2 and Service Pack 3 </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=171d43d3-669c-4923-b266-e47591833c05\" id=\"kb-link-28\" target=\"_self\">Download the WindowsXP-KB973525-x86-ENU.exe package now.</a></span><h4 class=\"sbody-h4\">For Windows XP Professional and Windows XP Professional Service Pack 2, x64-based versions </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=171d43d3-669c-4923-b266-e47591833c05\" id=\"kb-link-29\" target=\"_self\">Download the WindowsServer2003.WindowsXP-KB973525-x64-ENU.exe package now.</a></span><h3 class=\"sbody-h3\">Update for ActiveX Killbits for Windows 2000 SP4</h3><h4 class=\"sbody-h4\">For Internet Explorer 5.01 SP4 on Windows 2000 with Service Pack 4 </h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://www.microsoft.com/download/details.aspx?familyid=edfea805-9544-4dc0-a52c-d7594205657b\" id=\"kb-link-30\" target=\"_self\">Download the Windows2000-KB973525-x86-ENU.EXE package now.</a></span><br/><br/><span>Release Date: October 13, 2009<br/><br/>For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/119591\" id=\"kb-link-31\">119591 </a> How to obtain Microsoft support files from online services<br/></div>Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.<br/></span><h3 class=\"sbody-h3\">Security Update Deployment</h3><h4 class=\"sbody-h4\">Windows 2000 (all versions)</h4><h5 class=\"sbody-h5 text-subtitle\">Reference table</h5>The following table contains the security update information for this software. You can find more information in the \"Deployment information\" section.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Inclusion in future service packs</th><th class=\"sbody-th\">The update for this issue may be included in a future update rollup</th></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Deployment</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without requiring user intervention</td><td class=\"sbody-td\">Windows 2000 with Service Pack 4:<br/>Windows2000-KB973525-x86-ENU/quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without restarting</td><td class=\"sbody-td\">Windows 2000 with Service Pack 4: <br/>Windows2000-KB973525-x86-ENU/norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Update log file</td><td class=\"sbody-td\">Windows 2000 with Service Pack 4:<br/>KB973525.log</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">More information</td><td class=\"sbody-td\">See the \"Detection and Deployment Tools and Guidance\" section. </td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Restart requirement</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Restart required?</td><td class=\"sbody-td\">In some cases, this update does not require a restart. If a restart is required, you receive a message that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Hotpatching</td><td class=\"sbody-td\">Not applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Removal information</td><td class=\"sbody-td\">Windows 2000 with Service Pack 4:<br/>Use the <strong class=\"uiterm\">Add or Remove Programs</strong> item in Control Panel, or use the Spuninst.exe utility that is located in the %Windir%\\$NTUninstallKB973525$\\Spuninst folder.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Registry subkey verification</td><td class=\"sbody-td\">Windows 2000 with Service Pack 4: <br/><strong class=\"sbody-strong\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows 2000\\SP5\\KB973525\\Filelist</strong></td></tr></table></div><h4 class=\"sbody-h4\">Deployment information</h4><h5 class=\"sbody-h5 text-subtitle\">Installing the update</h5><span>For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/824684\" id=\"kb-link-32\">824684 </a> Description of the standard terminology that is used to describe Microsoft software updates</div></span>This security update supports the following setup switches.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Supported security update installation switches </th></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">Switch</th><th class=\"sbody-th\">Description</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/help</td><td class=\"sbody-td\">Displays the command-line options</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Setup modes</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/passive</td><td class=\"sbody-td\">Unattended Setup mode. No user interaction is required, but the installation status is displayed. If a restart is required at the end of Setup, a dialog box is presented to the user by using a timer warning. This warning says that the computer will restart in 30 seconds. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/quiet</td><td class=\"sbody-td\">Quiet mode. This is the same as unattended mode, but no status or error messages are displayed. </td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Restart options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/norestart</td><td class=\"sbody-td\">Does not restart the computer when the installation has completed</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forcerestart</td><td class=\"sbody-td\">Restarts the computer after installation and forces other applications to close when the computer shuts down. Open files are not saved when the applications close. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/warnrestart[:<strong class=\"sbody-strong\">x</strong>]</td><td class=\"sbody-td\">Presents a dialog box to the user together with a timer warning that the computer will restart in <strong class=\"sbody-strong\">x</strong> seconds. (The default setting is 30 seconds.) Intended for use with the/quiet switch or the/passive switch. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/promptrestart</td><td class=\"sbody-td\">Displays a dialog box that prompts the local user to allow for a restart</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Special options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/overwriteoem</td><td class=\"sbody-td\">Overwrites OEM files without prompting</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/nobackup</td><td class=\"sbody-td\">Does not back up files that are needed for uninstallation</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forceappsclose</td><td class=\"sbody-td\">Forces other programs to close when the computer shuts down</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/log:<strong class=\"sbody-strong\">path</strong></td><td class=\"sbody-td\">Allows for the redirection of installation log files</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/extract[:<strong class=\"sbody-strong\">path</strong>]</td><td class=\"sbody-td\">Extracts files, and the Setup program is not started</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/ER</td><td class=\"sbody-td\">Enables extended error reporting</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/verbose</td><td class=\"sbody-td\">Enables verbose logging. During installation, creates a %Windir%\\CabBuild.log. This log details the files that are copied. By using this switch, the installation may run slower. </td></tr></table></div><span class=\"text-base\">Note</span> You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses.<br/><span>For more information about the installation switches that are supported, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/262841\" id=\"kb-link-33\">262841 </a>Command-line switches for Windows software update packages<br/></div></span><h5 class=\"sbody-h5 text-subtitle\">Removing the update</h5>This security update supports the following setup switches.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\"> Supported Spuninst.exe switches</th></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">Switch</th><th class=\"sbody-th\">Description</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/help</td><td class=\"sbody-td\">Displays the command-line options</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Setup modes</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/passive</td><td class=\"sbody-td\">Unattended Setup mode. No user interaction is required, but the installation status is displayed. If a restart is required at the end of Setup, a dialog box is presented to the user by using a timer warning. This warning says that the computer will restart in 30 seconds. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/quiet</td><td class=\"sbody-td\">Quiet mode. This is the same as unattended mode, but no status or error messages are displayed. </td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Restart options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/norestart</td><td class=\"sbody-td\">Does not restart the computer when the installation has completed</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forcerestart</td><td class=\"sbody-td\">Restarts the computer after installation and forces other applications to close when the computer shuts down. Open files are not saved when the applications close. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/warnrestart[:<strong class=\"sbody-strong\">x</strong>]</td><td class=\"sbody-td\">Presents a dialog box to the user together with a timer warning that the computer will restart in <strong class=\"sbody-strong\">x</strong> seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/promptrestart</td><td class=\"sbody-td\">Displays a dialog box that prompts the local user to allow for a restart</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Special options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forceappsclose</td><td class=\"sbody-td\">Forces other programs to close when the computer shuts down</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/log:<strong class=\"sbody-strong\">path</strong></td><td class=\"sbody-td\">Allows for the redirection of installation log files</td></tr></table></div><h5 class=\"sbody-h5 text-subtitle\">Verifying that the update was applied</h5><ul class=\"sbody-free_list\"><li><span class=\"text-base\">Microsoft Baseline Security Analyzer</span><br/><br/>To verify that a security update was applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the \"Detection and Deployment Tools and Guidance\" section for more information. </li><li><span class=\"text-base\">Registry subkey verification</span><br/><br/>You may also be able to verify the files that this security update has installed by reviewing the registry subkeys that are listed in the reference table in this section. These registry subkeys may not contain a complete list of files that are installed. Also, these registry subkeys may not be created correctly when an administrator or an OEM integrates or slipstreams this security update into the Windows installation source files. </li></ul><h3 class=\"sbody-h3\">Windows XP (all versions)</h3><h4 class=\"sbody-h4\">Reference table</h4>The following table contains the security update information for this software. You can find more information in the \"Deployment information\" section.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Inclusion in future service packs</th><th class=\"sbody-th\">The update for this issue will be included in a future service pack or update rollup</th></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Deployment</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without requiring user intervention</td><td class=\"sbody-td\">Windows XP Service Pack 2 and Windows XP Service Pack 3:<br/>Windowsxp-KB973525-x86-enu/quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">Windows XP Professional and Windows XP Professional Service Pack 2, x64-based versions:<br/>WindowsServer2003.WindowsXP-KB973525-x64-enu/quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without restarting</td><td class=\"sbody-td\">Windows XP Service Pack 2 and Windows XP Service Pack 3:<br/>Windowsxp-KB973525-x86-enu/norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">Windows XP Professional and Windows XP Professional Service Pack 2, x64-based versions:<br/>WindowsServer2003.WindowsXP-KB973525-x64-enu/norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Update log file</td><td class=\"sbody-td\">All supported versions of Windows XP and Windows XP Professional:<br/>KB973525.log</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">More information</td><td class=\"sbody-td\">See the \"Detection and Deployment Tools and Guidance\" section</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Restart requirement</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Restart required?</td><td class=\"sbody-td\">In some cases, this update does not require a restart. If a restart is required, you receive a message that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Hotpatching</td><td class=\"sbody-td\">Not applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Removal information</td><td class=\"sbody-td\">All supported versions of Windows XP and Windows XP Professional:<br/>Use the <strong class=\"uiterm\">Add or Remove Programs</strong> item in Control Panel, or use the Spuninst.exe utility that is located in the %Windir%\\$NTUninstallKB973525$\\Spuninst folder.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Registry subkey verification</td><td class=\"sbody-td\">Windows XP Service Pack 2 and Windows XP Service Pack 3:<br/><strong class=\"sbody-strong\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB973525\\Filelist</strong></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">Windows XP Professional and Windows XP Professional Service Pack 2, x64-based versions:<br/><strong class=\"sbody-strong\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows XP Version 2003\\SP3\\KB973525\\Filelist</strong></td></tr></table></div><span class=\"text-base\">Note</span> The security update for supported versions of Windows XP Professional x64 Edition is the same as the security update for supported versions of Windows Server 2003 x64 Edition.<br/><br/><h4 class=\"sbody-h4\">Deployment information</h4><h5 class=\"sbody-h5 text-subtitle\">Installing the update</h5><span>For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/824684\" id=\"kb-link-34\">824684 </a> Description of the standard terminology that is used to describe Microsoft software updates</div></span>This security update supports the following setup switches.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Switch</th><th class=\"sbody-th\">Description</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/help</td><td class=\"sbody-td\">Displays the command-line options</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Setup modes</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/passive</td><td class=\"sbody-td\">Unattended Setup mode. No user interaction is required, but the installation status is displayed. If a restart is required at the end of Setup, a dialog box is presented to the user by using a timer warning. This warning says that the computer will restart in 30 seconds. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/quiet</td><td class=\"sbody-td\">Quiet mode. This is the same as unattended mode, but no status or error messages are displayed. </td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Restart options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/norestart</td><td class=\"sbody-td\">Does not restart the computer when the installation has completed</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forcerestart</td><td class=\"sbody-td\">Restarts the computer after installation and forces other applications to close when the computer shuts down. Open files are not saved when the applications close. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/warnrestart[:<strong class=\"sbody-strong\">x</strong>]</td><td class=\"sbody-td\">Presents a dialog box to the user together with a timer warning that the computer will restart in <strong class=\"sbody-strong\">x</strong> seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/promptrestart</td><td class=\"sbody-td\">Displays a dialog box that prompts the local user to allow for a restart</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Special options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/overwriteoem</td><td class=\"sbody-td\">Overwrites OEM files without prompting</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/nobackup</td><td class=\"sbody-td\">Does not back up files that are needed for uninstallation</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forceappsclose</td><td class=\"sbody-td\">Forces other programs to close when the computer shuts down</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/log:<strong class=\"sbody-strong\">path</strong></td><td class=\"sbody-td\">Allows for the redirection of installation log files</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/integrate:<strong class=\"sbody-strong\">path</strong></td><td class=\"sbody-td\">Integrates the update into the Windows source files. These files are located by using the path that is specified in the switch. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/extract[:<strong class=\"sbody-strong\">path</strong>]</td><td class=\"sbody-td\">Extracts files, and the Setup program is not started</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/ER</td><td class=\"sbody-td\">Enables extended error reporting</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/verbose</td><td class=\"sbody-td\">Enables verbose logging. During installation, creates a %Windir%\\CabBuild.log. This log details the files that are copied. By using this switch, the installation may run slower. </td></tr></table></div><span class=\"text-base\">Note</span> You can combine these switches into one command. For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses.<br/><span>For more information about the supported installation switches, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/262841\" id=\"kb-link-35\">262841 </a>Command-line switches for Windows software update packages<br/></div></span><h5 class=\"sbody-h5 text-subtitle\">Removing the update</h5>This security update supports the following setup switches.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Switch</th><th class=\"sbody-th\">Description</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/help</td><td class=\"sbody-td\">Displays the command-line options</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Setup modes</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/passive</td><td class=\"sbody-td\">Unattended Setup mode. No user interaction is required, but the installation status is displayed. If a restart is required at the end of Setup, a dialog box is presented to the user by using a timer warning. This warning says that the computer will restart in 30 seconds. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/quiet</td><td class=\"sbody-td\">Quiet mode. This is the same as unattended mode, but no status or error messages are displayed. </td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Restart options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/norestart</td><td class=\"sbody-td\">Does not restart the computer when the installation has completed</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forcerestart</td><td class=\"sbody-td\">Restarts the computer after installation and forces other applications to close when the computer shuts down. Open files are not saved when the applications close. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/warnrestart[:<strong class=\"sbody-strong\">x</strong>]</td><td class=\"sbody-td\">Presents a dialog box to the user together with a timer warning that the computer will restart in <strong class=\"sbody-strong\">x</strong> seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/promptrestart</td><td class=\"sbody-td\">Displays a dialog box that prompts the local user to allow for a restart</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Special options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forceappsclose</td><td class=\"sbody-td\">Forces other programs to close when the computer shuts down</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/log:<strong class=\"sbody-strong\">path</strong></td><td class=\"sbody-td\">Allows for the redirection of installation log files</td></tr></table></div><h5 class=\"sbody-h5 text-subtitle\">Verifying that the update was applied</h5><ul class=\"sbody-free_list\"><li><span class=\"text-base\">Microsoft Baseline Security Analyzer</span><br/><br/>To verify that a security update was applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the \"Detection and Deployment Tools and Guidance\" section for more information. </li><li><span class=\"text-base\">Registry subkey verification</span><br/><br/>You may also be able to verify the files that this security update has installed by reviewing the registry subkeys listed in the reference table in this section. These registry subkeys may not contain a complete list of installed files. Also, these registry subkeys may not be created correctly when an administrator or an OEM integrates or slipstreams this security update into the Windows installation source files. </li></ul><h3 class=\"sbody-h3\">Windows Server 2003 (all versions)</h3><h4 class=\"sbody-h4\">Reference table</h4>The following table contains the security update information for this software. You can find more information in the \"Deployment information\" section.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Inclusion in future service packs</th><th class=\"sbody-th\">The update for this issue will be included in a future service pack or update rollup</th></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Deployment</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing with requiring user intervention</td><td class=\"sbody-td\">Windows Server 2003 Service Pack 2:<br/>Windowsserver2003-KB973525-x86-enu /quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">Windows Server 2003 and Windows Server 2003 Service Pack 2, x64-based versions:<br/>WindowsServer2003.WindowsXP-KB973525-x64-enu /quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">Windows Server 2003 with SP2 for Itanium-based systems:<br/>Windowsserver2003-KB973525-ia64-enu /quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without restarting</td><td class=\"sbody-td\">Windows Server 2003 Service Pack 2:<br/>Windowsserver2003-KB973525-x86-enu /norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">Windows Server 2003 and Windows Server 2003 Service Pack 2, x64-based versions:<br/>WindowsServer2003.WindowsXP-KB973525-x64-enu /norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">Windows Server 2003 with SP2 for Itanium-based systems:<br/>Windowsserver2003-KB973525-ia64-enu /norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Update log file</td><td class=\"sbody-td\">All supported Windows Server 2003 x86-based versions, x64-based versions, and Itanium-based versions of Windows Server 2003:<br/>KB973525.log</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">More information</td><td class=\"sbody-td\">See the \"Detection and Deployment Tools and Guidance\" section</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Restart requirement</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Restart required?</td><td class=\"sbody-td\">In some cases, this update does not require a restart. If a restart is required, you receive a message that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Hotpatching</td><td class=\"sbody-td\">This security update does not support Hotpatching. For more information about Hotpatching, see Microsoft Knowledge Base Article 897341. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Removal information</td><td class=\"sbody-td\">All supported x86-based versions, x64-based versions, and Itanium-based versions of Windows Server 2003:<br/>Use the <strong class=\"uiterm\">Add or Remove Programs</strong> item in Control Panel, or use the Spuninst.exe utility that is located in the Spuninst.exe utility that is located in the %Windir%\\$NTUninstallKB973525$\\Spuninst folder.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Registry subkey verification</td><td class=\"sbody-td\">All supported versions of Windows Server 2003:<br/><strong class=\"sbody-strong\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows Server 2003\\SP3\\KB973525\\Filelist</strong></td></tr></table></div><h4 class=\"sbody-h4\">Deployment information</h4><h5 class=\"sbody-h5 text-subtitle\">Installing the Update</h5><span>For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/824684\" id=\"kb-link-36\">824684 </a> Description of the standard terminology that is used to describe Microsoft software updates</div></span>This security update supports the following setup switches.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Switch</th><th class=\"sbody-th\">Description</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/help</td><td class=\"sbody-td\">Displays the command-line options</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Setup modes</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/passive</td><td class=\"sbody-td\">Unattended Setup mode. No user interaction is required, but the installation status is displayed. If a restart is required at the end of Setup, a dialog box is presented to the user by using a timer warning. This warning says that the computer will restart in 30 seconds. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/quiet</td><td class=\"sbody-td\">Quiet mode. This is the same as unattended mode, but no status or error messages are displayed. </td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Restart options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/norestart</td><td class=\"sbody-td\">Does not restart the computer when the installation has completed</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forcerestart</td><td class=\"sbody-td\">Restarts the computer after installation and forces other applications to close when the computer shuts down. Open files are not saved when the applications close. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/warnrestart[:<strong class=\"sbody-strong\">x</strong>]</td><td class=\"sbody-td\">Presents a dialog box to the user together with a timer warning that the computer will restart in <strong class=\"sbody-strong\">x</strong> seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/promptrestart</td><td class=\"sbody-td\">Displays a dialog box that prompts the local user to allow for a restart</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Special options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/overwriteoem</td><td class=\"sbody-td\">Overwrites OEM files without prompting</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/nobackup</td><td class=\"sbody-td\">Does not back up files that are needed for uninstallation</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forceappsclose</td><td class=\"sbody-td\">Forces other programs to close when the computer shuts down</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/log:<strong class=\"sbody-strong\">path</strong></td><td class=\"sbody-td\">Allows for the redirection of installation log files</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/integrate:<strong class=\"sbody-strong\">path</strong></td><td class=\"sbody-td\">Integrates the update into the Windows source files. These files are located by using the path that is specified in the switch. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/extract[:<strong class=\"sbody-strong\">path</strong>]</td><td class=\"sbody-td\">Extracts files, and the Setup program is not started</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/ER</td><td class=\"sbody-td\">Enables extended error reporting</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/verbose</td><td class=\"sbody-td\">Enables verbose logging. During installation, creates a %Windir%\\CabBuild.log. This log details the files that are copied. By using this switch, the installation may run slower. </td></tr></table></div><span class=\"text-base\">Note</span> You can combine these switches into one command. For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses.<br/><span>For more information about the supported installation switches, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/262841\" id=\"kb-link-37\">262841 </a>Command-line switches for Windows software update packages<br/></div></span><h5 class=\"sbody-h5 text-subtitle\">Removing the update</h5>This security update supports the following setup switches.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Switch</th><th class=\"sbody-th\">Description</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/help</td><td class=\"sbody-td\">Displays the command-line options</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Setup modes</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/passive</td><td class=\"sbody-td\">Unattended Setup mode. No user interaction is required, but the installation status is displayed. If a restart is required at the end of Setup, a dialog box is presented to the user by using a timer warning. This warning says that the computer will restart in 30 seconds. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/quiet</td><td class=\"sbody-td\">Quiet mode. This is the same as unattended mode, but no status or error messages are displayed. </td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Restart options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/norestart</td><td class=\"sbody-td\">Does not restart the computer when the installation has completed</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forcerestart</td><td class=\"sbody-td\">Restarts the computer after installation and forces other applications to close when the computer shuts down. Open files are not saved when the applications close. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/warnrestart[:<strong class=\"sbody-strong\">x</strong>]</td><td class=\"sbody-td\">Presents a dialog box to the user together with a timer warning that the computer will restart in <strong class=\"sbody-strong\">x</strong> seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/promptrestart</td><td class=\"sbody-td\">Displays a dialog box that prompts the local user to allow for a restart</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Special options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forceappsclose</td><td class=\"sbody-td\">Forces other programs to close when the computer shuts down</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/log:<strong class=\"sbody-strong\">path</strong></td><td class=\"sbody-td\">Allows for the redirection of installation log files</td></tr></table></div><h5 class=\"sbody-h5 text-subtitle\">Verifying that the update was applied</h5><ul class=\"sbody-free_list\"><li><span class=\"text-base\">Microsoft Baseline Security Analyzer</span><br/><br/>To verify that a security update was applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the \"Detection and Deployment Tools and Guidance\" section for more information. </li><li><span class=\"text-base\">Registry subkey verification</span><br/><br/>You may also be able to verify the files that this security update has installed by reviewing the registry subkeys that are listed in the reference table in this section. These registry subkeys may not contain a complete list of installed files. Also, these registry subkeys may not be created correctly when an administrator or an OEM integrates or slipstreams this security update into the Windows installation source files. </li></ul><h3 class=\"sbody-h3\">Windows Vista (all versions)</h3><h4 class=\"sbody-h4\">Reference table</h4>The following table contains the security update information for this software. You can find more information in the \"Deployment information\" section.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Inclusion in future service packs</th><th class=\"sbody-th\">The update for this issue will be included in a future service pack or update rollup</th></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Deployment</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without requiring user intervention</td><td class=\"sbody-td\">All supported 32-bit versions of Windows Vista:<br/>Windows6.0-KB973525-x86/quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">All supported 64-bit versions of Windows Vista:<br/>Windows6.0-KB973525-x64/quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without restarting</td><td class=\"sbody-td\">All supported 32-bit versions of Windows Vista:<br/>Windows6.0-KB973525-x86/quiet/norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">All supported 64-bit versions of Windows Vista:<br/>Windows6.0-KB973525-x64/quiet/norestart</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Restart requirement</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Restart required?</td><td class=\"sbody-td\">In some cases, this update does not require a restart. If a restart is required, you receive a message that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Hotpatching</td><td class=\"sbody-td\">Not applicable. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Removal information</td><td class=\"sbody-td\">WUSA.exe does not support the uninstallation of updates. To uninstall an update that is installed by WUSA, open Control Panel, and then click <strong class=\"uiterm\">Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.<br/></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Registry subkey verification</td><td class=\"sbody-td\">A registry subkey does not exist to validate the presence of this update. </td></tr></table></div><h4 class=\"sbody-h4\">Deployment information</h4><h5 class=\"sbody-h5 text-subtitle\">Installing the Update</h5>When you install this security update, the installer checks whether one or more of the files that are being updated on the system have previously been updated by a Microsoft hotfix.<br/><span>For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/824684\" id=\"kb-link-38\">824684 </a> Description of the standard terminology that is used to describe Microsoft software updates</div></span>This security update supports the following setup switches.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Supported security update installation switches</th></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">Switch</th><th class=\"sbody-th\">Description</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/?, /h, /help</td><td class=\"sbody-td\">Displays help on supported switches. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/quiet</td><td class=\"sbody-td\">Suppresses the display of status or error messages. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/norestart</td><td class=\"sbody-td\">When this switch is combined with the /quiet switch, the system is not restarted after installation even if a restart is required to complete the installation. </td></tr></table></div><span>For more information about the installer, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/934307\" id=\"kb-link-39\">934307 </a>Description of the Windows Update Stand-alone Installer (Wusa.exe) and of .msu files in Windows Vista and in Windows Server 2008<br/></div></span><h5 class=\"sbody-h5 text-subtitle\">Verifying that the update was applied</h5><ul class=\"sbody-free_list\"><li><span class=\"text-base\">Microsoft Baseline Security Analyzer</span><br/><br/>To verify that a security update was applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the \"Detection and Deployment Tools and Guidance\" section for more information.</li></ul><h3 class=\"sbody-h3\">Windows Server 2008 (all versions)</h3><h4 class=\"sbody-h4\">Reference table</h4>The following table contains the security update information for this software. You can find more information in the \"Deployment information\" section.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Inclusion in future service packs</th><th class=\"sbody-th\">The update for this issue will be included in a future service pack or update rollup</th></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Deployment</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without requiring user intervention</td><td class=\"sbody-td\">All supported 32-bit versions of Windows Server 2008:<br/>Windows6.0-KB973525-x86/quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">All supported 64-bit versions of Windows Server 2008:<br/>Windows6.0-KB973525-x64/quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">All supported Itanium-based versions of Windows Server 2008:<br/>Windows6.0-KB973525-ia64/quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without restarting</td><td class=\"sbody-td\">All supported 32-bit versions of Windows Server 2008:<br/>Windows6.0-KB973525-x86/quiet/norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">All supported 64-bit versions of Windows Server 2008:<br/>Windows6.0-KB973525-x64/quiet/norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">All supported Itanium-based versions of Windows Server 2008:<br/>Windows6.0-KB973525-ia64/quiet/norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">More information</td><td class=\"sbody-td\">See the \"Detection and Deployment Tools and Guidance\" section</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\"></th><th class=\"sbody-th\">Restart requirement</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Restart required?</td><td class=\"sbody-td\">In some cases, this update does not require a restart. If a restart is required, you receive a message that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Hotpatching</td><td class=\"sbody-td\">Not applicable. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Removal information</td><td class=\"sbody-td\">WUSA.exe does not support the uninstallation of updates. To uninstall an update that is installed by WUSA, open Control Panel, and then click <strong class=\"uiterm\">Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.<br/></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Registry subkey verification</td><td class=\"sbody-td\">A registry subkey does not exist to validate the presence of this update. </td></tr></table></div><h4 class=\"sbody-h4\">Deployment information</h4><h5 class=\"sbody-h5 text-subtitle\">Installing the Update</h5>When you install this security update, the installer checks whether one or more of the files that are being updated on the system have previously been updated by a Microsoft hotfix.<br/><span>For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/824684\" id=\"kb-link-40\">824684 </a> Description of the standard terminology that is used to describe Microsoft software updates</div></span>This security update supports the following setup switches:<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Switch</th><th class=\"sbody-th\">Description</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/?, /h, /help</td><td class=\"sbody-td\">Displays help on supported switches. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/quiet</td><td class=\"sbody-td\">Suppresses the display of status or error messages. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/norestart</td><td class=\"sbody-td\">When you combine this switch with the /quiet switch, the system is not restarted after installation even if a restart is required to complete installation. </td></tr></table></div><span>For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/934307\" id=\"kb-link-41\">934307 </a>Description of the Windows Update Stand-alone Installer (Wusa.exe) and of .msu files in Windows Vista and in Windows Server 2008<br/></div></span><h5 class=\"sbody-h5 text-subtitle\">Verifying that the update was applied</h5><span class=\"text-base\">Microsoft Baseline Security Analyzer</span><br/><br/>To verify that a security update was applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the \"Detection and Deployment Tools and Guidance\" section for more information.<br/><br/><h3 class=\"sbody-h3\">Detection and Deployment Tools and Guidance</h3>This section describes how to manage the software and security updates that you have to deploy to the servers, to the desktop computers, and to the mobile computers in your organization. For more information, visit the following Microsoft TechNet Update Management Center Web page:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/updatemanagement/default.aspx\" id=\"kb-link-42\" target=\"_self\">http://technet.microsoft.com/en-us/updatemanagement/default.aspx</a></div>For more information about security in Microsoft products, visit the following Microsoft TechNet Security Web page:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/security/default.aspx\" id=\"kb-link-43\" target=\"_self\">http://technet.microsoft.com/en-us/security/default.aspx</a></div>Security updates are available from Microsoft Update, Windows Update, and Office Update. Security updates are also available at the Microsoft Download Center. You can find them most easily by doing a keyword search for \"security update.\"<br/><br/>Finally, security updates can be downloaded from the Microsoft Update Catalog. For more information, visit the following Microsoft Web page:<br/><div class=\"indent\"><a href=\"http://catalog.update.microsoft.com/v7/site/home.aspx\" id=\"kb-link-44\" target=\"_self\">http://catalog.update.microsoft.com/v7/site/Home.aspx</a></div>The Microsoft Update Catalog provides a catalog of content that is searchable and that is available through Windows Update and through Microsoft Update. This content includes security updates, drivers, and service packs. By using a security bulletin number such as \"MS08-010\" for your search, you can add all the applicable updates to your basket. You can also add different languages for an update to your basket, and you can download the content to any folder that you want. For more information about the Microsoft Update Catalog, visit the following Microsoft Update Catalog FAQ Web page:<br/><div class=\"indent\"><a href=\"http://catalog.update.microsoft.com/v7/site/faq.aspx\" id=\"kb-link-45\" target=\"_self\">http://catalog.update.microsoft.com/v7/site/faq.aspx</a></div><h4 class=\"sbody-h4\">Detection and Deployment Guidance</h4>Microsoft has provided detection and deployment guidance for this month's security updates. This guidance will also help IT professionals understand how they can use various tools to help deploy the security update. These tools include Windows Update, Microsoft Update, Office Update, the Microsoft Baseline Security Analyzer (MBSA), the Office Detection Tool, Microsoft Systems Management Server (SMS), and the Extended Security Update Inventory Tool.<br/><span>For more information, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/910723\" id=\"kb-link-46\">910723 </a>Summary list of monthly detection and deployment guidance articles<br/></div></span><h4 class=\"sbody-h4\">Microsoft Baseline Security Analyzer</h4>Microsoft Baseline Security Analyzer (MBSA) lets administrators scan local and remote systems for missing security updates. The Microsoft Baseline Security Analyzer can also identify common security misconfigurations. For more information, visit the following Microsoft Baseline Security Analyzer Web page:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/security/cc184924.aspx\" id=\"kb-link-47\" target=\"_self\">http://technet.microsoft.com/en-us/security/cc184924.aspx</a></div>The following table provides the MBSA detection summary for this security update:<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Software</th><th class=\"sbody-th\">MBSA 2.1</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows 2000 with Service Pack 4 </td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows XP Service Pack 2 and Windows XP Service Pack 3</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows XP Professional and Windows XP Professional Service Pack 2, x64-based versions</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2003 Service Pack 2</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2003 and Windows Server 2003 Service Pack 2, x64-based versions</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2003 with SP2 for Itanium-based systems</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Vista and Windows Vista Service Pack 1</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Vista and Windows Vista Service Pack 1, 64-bit versions </td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2008 for 32-bit systems</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2008 for 64-bit systems</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2008 for Itanium-based systems</td><td class=\"sbody-td\">Yes</td></tr></table></div>For more information about MBSA 2.1, visit the following Microsoft MBSA 2.1 Frequently Asked Questions Web page:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/security/cc184922.aspx\" id=\"kb-link-48\" target=\"_self\"> http://technet.microsoft.com/en-us/security/cc184922.aspx</a></div><h4 class=\"sbody-h4\">Windows Server Update Services</h4>By using Windows Server Update Services (WSUS), administrators can deploy the latest critical updates and security updates for Windows 2000 operating systems and later versions, for Microsoft Office XP and later versions, for Microsoft Exchange Server 2003, and for Microsoft SQL Server 2000 and later versions. For more information about how to deploy this security update by using Windows Server Update Services, visit the following Microsoft Windows Server Update Services Product Overview Web page:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/wsus/bb466208.aspx\" id=\"kb-link-49\" target=\"_self\"> http://technet.microsoft.com/en-us/wsus/bb466208.aspx</a></div><h4 class=\"sbody-h4\">Systems Management Server</h4>The following table provides the SMS detection and deployment summary for this security update.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Software</th><th class=\"sbody-th\">SMS 2.0</th><th class=\"sbody-th\">SMS 2003 with SUSFP</th><th class=\"sbody-th\">SMS 2003 with ITMU</th><th class=\"sbody-th\">ConfigMgr 2007</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows 2000 with Service Pack 4 </td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows XP Service Pack 2 and Windows XP Service Pack 3</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows XP Professional and Windows XP Professional Service Pack 2, x64-based versions</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2003 Service Pack 2</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2003 and Windows Server 2003 Service Pack 2, x64-based versions</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2003 with SP2 for Itanium-based systems</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Vista and Windows Vista Service Pack 1</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">See the \"Note for Windows Vista and for Windows Server 2008\" section later in this article</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Vista and Windows Vista Service Pack 1, 64-bit versions</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">See the \"Note for Windows Vista and for Windows Server 2008\" section later in this article</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2008 for 32-bit systems</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">See the \"Note for Windows Vista and for Windows Server 2008\" section later in this article</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2008 for 64-bit systems</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">See the \"Note for Windows Vista and for Windows Server 2008\" section later in this article</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2008 for Itanium-based systems</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">See the \"Note for Windows Vista and for Windows Server 2008\" section later in this article</td><td class=\"sbody-td\">Yes</td></tr></table></div>For SMS 2.0 and for SMS 2003, the SMS SUS Feature Pack (SUSFP) that includes the Security Update Inventory Tool (SUIT) can be used by SMS to detect security updates. For more information, visit the following Microsoft Web page for Downloads for Systems Management Server 2.0:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/sms/bb676799.aspx\" id=\"kb-link-50\" target=\"_self\"> http://technet.microsoft.com/en-us/sms/bb676799.aspx</a></div>For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 ITMU, visit the following Microsoft Web page for SMS 2003 Inventory Tool for Microsoft Updates:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/sms/bb676783.aspx\" id=\"kb-link-51\" target=\"_self\"> http://technet.microsoft.com/en-us/sms/bb676783.aspx</a></div>SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications. For more information, visit the following Microsoft Web pages:<br/><br/><ul class=\"sbody-free_list\"><li>Systems Management Server 2003 Software Update Scanning Tools<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/sms/bb676786.aspx\" id=\"kb-link-52\" target=\"_self\"> http://technet.microsoft.com/en-us/sms/bb676786.aspx</a></div></li><li>Downloads for Systems Management Server 2003<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/sms/bb676766.aspx\" id=\"kb-link-53\" target=\"_self\"> http://technet.microsoft.com/en-us/sms/bb676766.aspx</a></div></li></ul>System Center Configuration Manager (ConfigMgr) 2007 uses WSUS 3.0 for detection of updates. For more information about ConfigMgr 2007 Software Update Management, visit the following Microsoft Web page:\u00a0<div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/library/bb735860.aspx\" id=\"kb-link-54\" target=\"_self\"> http://technet.microsoft.com/en-us/library/bb735860.aspx</a></div><span class=\"text-base\">Note for Windows Vista and for Windows Server 2008</span><br/><br/>Microsoft Systems Management Server 2003 with Service Pack 3 includes support for Windows Vista and for Windows Server 2008. For more information about SMS, visit the following Microsoft SMS Web page:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/smserver/default.mspx\" id=\"kb-link-55\" target=\"_self\"> http://www.microsoft.com/smserver/default.mspx</a></div><span>For more information about detection and deployment guidance articles, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/910723\" id=\"kb-link-56\">910723 </a>Summary list of monthly detection and deployment guidance articles<br/></div></span></div></body></html>", "edition": 2, "cvss3": {}, "published": "2020-04-13T02:02:28", "type": "mskb", "title": "MS09-055: Cumulative Security Update of ActiveX Kill Bits", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2493"], "modified": "2020-04-13T02:09:34", "id": "KB973525", "href": "https://support.microsoft.com/en-us/help/973525/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_security": [{"lastseen": "2022-05-24T03:30:58", "description": "Symptoms\n\n * Vulnerabilities in Visual Studio Active Template Library allow remote attackers to execute arbitrary code. For more details refer to: \n \n\n * [MS09-035 [http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx]](<http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx>)\n \n\n * [CVE-2009-0901 [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0901]](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0901>)\n \n\n * [CVE-2009-2495 [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2495]](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2495>)\n \n\n * [CVE-2009-2493 [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2493]](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2493>)\n\nSolution\n\nAll Check Point products and versions are not affected by this vulnerability. \n", "cvss3": {}, "published": "2009-08-09T07:00:00", "type": "checkpoint_security", "title": "Check Point response to Vulnerabilities in Visual Studio Active Template Library (MS09-035)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0901", "CVE-2009-2493", "CVE-2009-2495"], "modified": "2009-08-09T07:00:00", "id": "CPS:SK42545", "href": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk42545", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2021-06-08T18:56:11", "description": "Information about this advisory is available at the following locations:\n\n<http://www.kb.cert.org/vuls/id/456745> \n<http://www.microsoft.com/technet/security/advisory/973882.mspx> \n<http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx> \n<http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx> \n<http://msdn.microsoft.com/en-us/visualc/ee309358.aspx>\n\nF5 Product Development tracked this issue as ID 296507 (formerly CR125945) for FirePass, and it was fixed in FirePass 6.1.0. For information about upgrading, refer to the [FirePass](<https://support.f5.com/content/kb/en-us/products/firepass.html>) release notes.\n\nObtaining and installing patches\n\nThis issue was fixed in cumulative hotfix HF-603-5 issued for FirePass 6.0.3. You may download this hotfix or later versions of the cumulative hotfix from the F5 [Downloads](<https://downloads.f5.com/esd/index.jsp>) site.\n\nAdditionally, this issue was fixed in a hotfix issued for FirePass 5.5.2 and 6.0.2. Customers affected by this issue should contact [F5 Technical Support](<http://www.f5.com/training-support/customer-support/contact/>) to request the hotfix. When contacting F5 Technical Support, be sure to include the CR number and the article number\u00c2 in your correspondence.\n", "cvss3": {}, "published": "2009-08-17T00:00:00", "type": "f5", "title": "SOL10441 - Microsoft Active Template Library (ATL) vulnerabilities VU#456745", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2495", "CVE-2009-2493", "CVE-2008-0015", "CVE-2009-0901"], "modified": "2016-07-25T00:00:00", "id": "SOL10441", "href": "http://support.f5.com/kb/en-us/solutions/public/10000/400/sol10441.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2021-06-08T13:26:39", "description": "\n", "edition": 2, "cvss3": {}, "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "APSB09-10: Security updates available for Adobe Flash Player (CVE-2009-2493)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2493"], "modified": "1976-01-01T00:00:00", "id": "MSF:ILITIES/ADOBE-FLASH-APSB09-10-CVE-2009-2493/", "href": "", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-08T13:43:26", "description": "\n", "edition": 2, "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "APSB09-10: Security updates available for Adobe Flash Player (CVE-2009-2495)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2495"], "modified": "1976-01-01T00:00:00", "id": "MSF:ILITIES/ADOBE-FLASH-APSB09-10-CVE-2009-2495/", "href": "", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2021-06-08T13:25:43", "description": "\n", "edition": 2, "cvss3": {}, "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "APSB09-10: Security updates available for Adobe Flash Player (CVE-2009-0901)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0901"], "modified": "1976-01-01T00:00:00", "id": "MSF:ILITIES/ADOBE-FLASH-APSB09-10-CVE-2009-0901/", "href": "", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T12:43:28", "description": "ActiveX controls are reusable software components based on Microsoft Component Object Model (COM). A remote code execution vulnerability has been reported in Microsoft Internet Explorer. The vulnerability is due to an error in several Microsoft Outlook View ActiveX controls. To trigger this issue, an attacker can create a malicious web page that initiates the vulnerable COM Objects. Successful exploitation of this vulnerability allows execution of arbitrary code on the vulnerable system.", "cvss3": {}, "published": "2009-10-01T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Outlook View ActiveX Controls Remote Code Execution (MS09-055; CVE-2009-2493)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2493"], "modified": "2009-10-13T00:00:00", "id": "CPAI-2009-198", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T12:44:38", "description": "Microsoft Active Template Library (ATL) is a set of template-based C++ classes developed to help simplify the programming of Component Object Model (COM) objects. The COM support in Microsoft Visual C++ allows developers to create a variety of COM objects, OLE Automation servers, and ActiveX controls. ATL is an object-based library that contains many types of classes. There is a remote code execution vulnerability in Microsoft Active Template Library (ATL). The vulnerability is due to an error in the way certain ATL headers are handled. In certain cases it is possible to force VariantClear to be called on a VARIANT that has not been correctly initialized. Remote attackers can exploit this issue by enticing target users to visit a malicious web page, potentially causing arbitrary code to be injected and executed in the security context of the current logged on user. In case of an attack where code injection and execution is successful, the behavior of the target machine is dependent on the intended purpose of the malicious code. Any code injected would run in the security context of the logged-on user", "cvss3": {}, "published": "2010-06-02T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft ATL Uninitialized Object Code Execution (MS09-037; CVE-2009-0901)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0901"], "modified": "2010-06-02T00:00:00", "id": "CPAI-2009-410", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T12:39:44", "description": "The Active Template Library (ATL) is a set of template-based C++ classes that simplify the programming of Component Object Model (COM) objects. Multiple remote code execution vulnerabilities have been reported in the Microsoft ATL. The vulnerabilities are due to an error in the Load method of the IPersistStreamInit interface and to a bug in the ATL header that could allow reading a variant from a stream and leaving the variant type read with an invalid variant. A remote attacker could exploit these issues by convincing a user to visit a malicious Web page. Successful exploitation of this issue could allow remote code execution on the affected system.", "cvss3": {}, "published": "2009-09-08T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft ATL Multiple ActiveX Remote Code Executions (MS09-037; CVE-2008-0020; CVE-2009-2493; CVE-2009-2494)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-0020", "CVE-2009-2493", "CVE-2009-2494"], "modified": "2016-03-06T00:00:00", "id": "CPAI-2009-179", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-05T00:11:42", "description": "Multiple remote code execution vulnerabilities have been reported in Microsoft Office Web Components ActiveX Controls. Microsoft Office Web Components are a collection of Component Object Model (COM) controls for publishing spreadsheets, charts, and databases to the Web, and for viewing the published components on the Web. A remote attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted Web page. Successful exploitation could result in execution of arbitrary code on the affected system.", "cvss3": {}, "published": "2009-07-13T00:00:00", "type": "checkpoint_advisories", "title": "Update Protection against Microsoft Office Web Components Multiple ActiveX Controls Remote Code Execution Vulnerability (MS09-043)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0562", "CVE-2009-1136", "CVE-2009-1534", "CVE-2009-2493", "CVE-2009-2496"], "modified": "2009-10-13T00:00:00", "id": "CPAI-2009-121", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T12:45:18", "description": "Microsoft Office Web Components are a collection of Component Object Model (COM) controls for publishing spreadsheets, charts, and databases to the Web, and for viewing the published components on the Web. A remote code execution vulnerability has been reported in Microsoft Office Web Components. A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted Web page. Successful exploitation could result in execution of arbitrary code on the affected system.", "cvss3": {}, "published": "2008-03-11T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Office Web Components Multiple Buffer Overflows (MS08-017; CVE-2006-4695; CVE-2007-1201; CVE-2009-0562; CVE-2009-1136; CVE-2009-1534; CVE-2009-2493; CVE-2009-2496)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-4695", "CVE-2007-1201", "CVE-2009-0562", "CVE-2009-1136", "CVE-2009-1534", "CVE-2009-2493", "CVE-2009-2496"], "modified": "2016-08-07T00:00:00", "id": "CPAI-2008-035", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T18:41:57", "description": "Bugraq ID: 35828\r\nCVE ID\uff1aCVE-2009-2493\r\n\r\nMicrosoft Visual Studio\u662f\u4e00\u6b3e\u5fae\u8f6f\u516c\u53f8\u7684\u5f00\u53d1\u5de5\u5177\u5957\u4ef6\u7cfb\u5217\u4ea7\u54c1\u3002\r\nMicrosoft\u6d3b\u52a8\u6a21\u7248\u5e93(ATL)\u5904\u7406\u6570\u636e\u6d41\u5bf9\u8c61\u5b9e\u4f8b\u5316\u65f6ATL\u5934\u5b58\u5728\u9519\u8bef\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u7ed5\u8fc7IE\u7b49Kill-bits\u5b89\u5168\u7b56\u7565\uff0c\u5e76\u5bfc\u81f4\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002\r\n\u6b64\u6f0f\u6d1e\u53ea\u5f71\u54cd\u5b89\u88c5\u4e86\u4f7f\u7528Visual Studio ATL\u7684\u7ec4\u4ef6\u548c\u63a7\u4ef6\u7684\u7cfb\u7edf\u3002\u5982\u679c\u7ec4\u4ef6\u6216\u63a7\u4ef6\u4f7f\u7528ATL\uff0c\u4e0d\u5b89\u5168\u4f7f\u7528OleLoadFromStream\u5141\u8bb8\u4efb\u610f\u5bf9\u8c61\u5b9e\u4f8b\u5316\uff0c\u53ef\u7ed5\u8fc7\u76f8\u5173\u7684\u5b89\u5168\u7b56\u7565\uff0c\u5982 Internet Explorer\u7684Kill bits\u4f4d\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u6784\u5efa\u6076\u610fWEB\u9875\uff0c\u8bf1\u4f7f\u7528\u6237\u6253\u5f00\u6765\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\n\nMicrosoft Visual Studio 2008 SP1\r\nMicrosoft Visual Studio 2008 0\r\nMicrosoft Visual Studio 2005 Team Edition for Testers 0\r\nMicrosoft Visual Studio 2005 Team Edition for Developers 0\r\nMicrosoft Visual Studio 2005 Team Edition for Architects 0\r\nMicrosoft Visual Studio 2005 Team Edition 0\r\nMicrosoft Visual Studio 2005 Standard Edition 0\r\nMicrosoft Visual Studio 2005 Professional Edition 0\r\nMicrosoft Visual Studio 2005 64-bit Hosted Visual C++ Tools SP1\r\nMicrosoft Visual Studio 2005 SP1\r\nMicrosoft Visual Studio .NET 2003\r\n+ Microsoft Visual Basic .NET Standard 2003\r\n+ Microsoft Visual C# .NET Standard 2003\r\n+ Microsoft Visual C++ .NET Standard 2003\r\n+ Microsoft Visual J# .NET Standard 2003\r\nMicrosoft Visual Studio .NET 2003 SP1\r\nMicrosoft Visual C++ 2008 Redistributable Package SP1\r\nMicrosoft Visual C++ 2008 Redistributable Package 0\r\nMicrosoft Visual C++ 2008 SP1\r\nMicrosoft Visual C++ 2008 0\r\nMicrosoft Visual C++ 2005 Redistributable Package SP1\r\nMicrosoft Visual C++ 2005 Redistributable Package SP1\r\nMicrosoft Visual C++ 2005 Redistributable Package 0\r\nMicrosoft Visual C++ 2005 SP1\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5b89\u5168\u8865\u4e01\uff1a\r\nMicrosoft Visual C++ 2005 SP1\r\nMicrosoft Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=766a6af7-ec73 -40ff-b072-9112bab119c2\r\nMicrosoft Visual Studio .NET 2003 SP1\r\nMicrosoft Visual Studio .NET 2003 Service Pack 1 ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?FamilyID=63ce454e-f69c -44e3-89fb-eb23c2e2154e\r\nMicrosoft Visual Studio 2005 SP1\r\nMicrosoft Visual Studio 2005 Service Pack 1 ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?FamilyID=7c8729dc-06a2 -4538-a90d-ff9464dc0197\r\nMicrosoft Visual C++ 2008 SP1\r\nMicrosoft Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=2051a0c1-c9b5 -4b0a-a8f5-770a549fd78c\r\nMicrosoft Visual Studio 2008 Service Pack 1 ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=294de390-3c94 -49fb-a014-9a38580e64cb\r\nMicrosoft Visual Studio 2005 64-bit Hosted Visual C++ Tools SP1\r\nMicrosoft Visual Studio 64-bit Hosted Visual C++ Tools 2005 Service Pack 1 ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?FamilyID=43f96f2a-69c6 -4c5e-b72c-0edfa35f4fc2\r\nMicrosoft Visual C++ 2008 0\r\nMicrosoft Microsoft Visual C++ 2008 Redistributable Package ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=8b29655e-9da4 -4b6b-9ac5-687ca0770f93\r\nMicrosoft Visual Studio 2008 ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=8f9da646-94dd -469d-baea-a4306270462c", "cvss3": {}, "published": "2009-07-29T00:00:00", "type": "seebug", "title": "Microsoft Visual Studio ATL COM\u5bf9\u8c61\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-2493"], "modified": "2009-07-29T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-11914", "id": "SSV:11914", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T18:42:05", "description": "Bugraq ID: 35830\r\nCVE ID\uff1aCVE-2009-2495\r\n\r\nMicrosoft Visual Studio\u662f\u4e00\u6b3e\u5fae\u8f6f\u516c\u53f8\u7684\u5f00\u53d1\u5de5\u5177\u5957\u4ef6\u7cfb\u5217\u4ea7\u54c1\u3002\r\nMicrosoft\u6d3b\u52a8\u6a21\u7248\u5e93(ATL)\u5b58\u5728\u4e00\u4e2a\u9519\u8bef\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u83b7\u5f97\u654f\u611f\u4fe1\u606f\u3002\r\nMicrosoft\u6d3b\u52a8\u6a21\u7248\u5e93(ATL)\u8bfb\u53d6\u5b57\u7b26\u4e32\u65f6\u6ca1\u6709\u4f7f\u7528\u7ec8\u6b62NULL\u5b57\u7b26\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u64cd\u4f5c\u8fd9\u4e2a\u5b57\u7b26\u4e32\u8bfb\u53d6\u989d\u5916\u7684\u6570\u636e\u800c\u83b7\u53d6\u5185\u5b58\u4e2d\u7684\u654f\u611f\u4fe1\u606f\u3002\u6b64\u6f0f\u6d1e\u53ea\u5f71\u54cd\u5b89\u88c5\u4e86\u4f7f\u7528Visual Studio ATL\u7684\u7ec4\u4ef6\u548c\u63a7\u4ef6\u7684\u7cfb\u7edf\u3002\u653b\u51fb\u8005\u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u5141\u8bb8\u8fd0\u884c\u6076\u610f\u7ec4\u4ef6\u6216\u63a7\u4ef6\u6765\u83b7\u5f97\u654f\u611f\u4fe1\u606f\uff0c\u628a\u7528\u6237\u6570\u636e\u8f6c\u5411\u5230\u7b2c\u4e09\u65b9\u6216\u8bbf\u95ee\u53d7\u5f71\u54cd\u7cfb\u7edf\u4e0a\u7684\u4efb\u610f\u6570\u636e\u3002\n\nMicrosoft Visual Studio 2008 SP1\r\nMicrosoft Visual Studio 2008 0\r\nMicrosoft Visual Studio 2005 Team Edition for Testers 0\r\nMicrosoft Visual Studio 2005 Team Edition for Developers 0\r\nMicrosoft Visual Studio 2005 Team Edition for Architects 0\r\nMicrosoft Visual Studio 2005 Team Edition 0\r\nMicrosoft Visual Studio 2005 Standard Edition 0\r\nMicrosoft Visual Studio 2005 Professional Edition 0\r\nMicrosoft Visual Studio 2005 Premier Partner Edition - ENU 8.0.50727 .42\r\nMicrosoft Visual Studio 2005 64-bit Hosted Visual C++ Tools SP1\r\nMicrosoft Visual Studio 2005 SP1\r\nMicrosoft Visual Studio 2005\r\nMicrosoft Visual Studio .NET 2003 SP1\r\nMicrosoft Visual C++ 2008 SP1\r\nMicrosoft Visual C++ 2008 0\r\nMicrosoft Visual C++ 2005 SP1\n\u5382\u5546\u89e3\u51b3\u65b9\u6848\r\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5b89\u5168\u8865\u4e01\uff1a\r\nMicrosoft Visual C++ 2005 SP1\r\nMicrosoft Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=766a6af7-ec73 -40ff-b072-9112bab119c2\r\nMicrosoft Visual Studio .NET 2003 SP1\r\nMicrosoft Visual Studio .NET 2003 Service Pack 1 ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?FamilyID=63ce454e-f69c -44e3-89fb-eb23c2e2154e\r\nMicrosoft Visual Studio 2005 SP1\r\nMicrosoft Visual Studio 2005 Service Pack 1 ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?FamilyID=7c8729dc-06a2 -4538-a90d-ff9464dc0197\r\nMicrosoft Visual C++ 2008 SP1\r\nMicrosoft Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=2051a0c1-c9b5 -4b0a-a8f5-770a549fd78c\r\nMicrosoft Visual Studio 2008 Service Pack 1 ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=294de390-3c94 -49fb-a014-9a38580e64cb\r\nMicrosoft Visual Studio 2005 64-bit Hosted Visual C++ Tools SP1\r\nMicrosoft Visual Studio 64-bit Hosted Visual C++ Tools 2005 Service Pack 1 ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?FamilyID=43f96f2a-69c6 -4c5e-b72c-0edfa35f4fc2\r\nMicrosoft Visual C++ 2008 0\r\nMicrosoft Microsoft Visual C++ 2008 Redistributable Package ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=8b29655e-9da4 -4b6b-9ac5-687ca0770f93\r\nMicrosoft Visual Studio 2008 ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=8f9da646-94dd -469d-baea-a4306270462c", "published": "2009-07-29T00:00:00", "type": "seebug", "title": "Microsoft Visual Studio ATL NULL\u5b57\u7b26\u4e32\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2495"], "modified": "2009-07-29T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-11915", "id": "SSV:11915", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T18:41:46", "description": "Bugraq ID: 35832\r\nCVE ID\uff1aCVE-2009-0901\r\nCNCVE ID\uff1aCNCVE-20090901\r\n\r\nMicrosoft Visual Studio\u662f\u4e00\u6b3e\u5fae\u8f6f\u516c\u53f8\u7684\u5f00\u53d1\u5de5\u5177\u5957\u4ef6\u7cfb\u5217\u4ea7\u54c1\u3002\r\nMicrosoft\u6d3b\u52a8\u6a21\u7248\u5e93(ATL)\u5904\u7406ATL\u5934\u5b57\u6bb5\u5b58\u5728\u95ee\u9898\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u4ee5\u5e94\u7528\u7a0b\u5e8f\u6743\u9650\u6267\u884c\u4efb\u610f\u6307\u4ee4\u3002\r\nATL\u5934\u5b57\u6bb5\u5b58\u5728\u7684\u4e00\u4e2a\u9519\u8bef\u5141\u8bb8\u653b\u51fb\u8005\u5bf9\u672a\u6b63\u786e\u521d\u59cb\u5316\u7684VARIANT\u8fdb\u884cVariantClear\u8c03\u7528\uff0c\u57fa\u4e8e\u6b64\u653b\u51fb\u8005\u53ef\u4ee5\u63d0\u4f9b\u7834\u574f\u7684\u6d41\u89e6\u53d1\u9519\u8bef\u5904\u7406\u8fc7\u7a0b\u4e2d\u6765\u8c03\u7528VariantClear\u800c\u63a7\u5236\u6574\u4e2a\u6d41\u7a0b\u3002\u6b64\u6f0f\u6d1e\u53ea\u5f71\u54cd\u5b89\u88c5\u4e86\u4f7f\u7528Visual Studio ATL\u7684\u7ec4\u4ef6\u548c\u63a7\u4ef6\u7684\u7cfb\u7edf\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u6784\u5efa\u6076\u610fWEB\u9875\uff0c\u8bf1\u4f7f\u7528\u6237\u6253\u5f00\u6765\u89e6\u53d1\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\n\nMicrosoft Visual Studio 2008 SP1\r\nMicrosoft Visual Studio 2008 0\r\nMicrosoft Visual Studio 2005 64-bit Hosted Visual C++ Tools SP1\r\nMicrosoft Visual Studio 2005 SP1\r\nMicrosoft Visual Studio .NET 2003 SP1\r\nMicrosoft Visual C++ 2008 Redistributable Package SP1\r\nMicrosoft Visual C++ 2008 Redistributable Package 0\r\nMicrosoft Visual C++ 2008 SP1\r\nMicrosoft Visual C++ 2008 0\r\nMicrosoft Visual C++ 2005 Redistributable Package SP1\r\nMicrosoft Visual C++ 2005 Redistributable Package 0\r\nMicrosoft Visual C++ 2005 SP1\n\u5382\u5546\u89e3\u51b3\u65b9\u6848\r\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5b89\u5168\u8865\u4e01\uff1a\r\nMicrosoft Visual C++ 2005 SP1\r\nMicrosoft Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=766a6af7-ec73 -40ff-b072-9112bab119c2\r\nMicrosoft Visual Studio .NET 2003 SP1\r\nMicrosoft Visual Studio .NET 2003 Service Pack 1 ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?FamilyID=63ce454e-f69c -44e3-89fb-eb23c2e2154e\r\nMicrosoft Visual Studio 2005 SP1\r\nMicrosoft Visual Studio 2005 Service Pack 1 ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?FamilyID=7c8729dc-06a2 -4538-a90d-ff9464dc0197\r\nMicrosoft Visual C++ 2008 SP1\r\nMicrosoft Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=2051a0c1-c9b5 -4b0a-a8f5-770a549fd78c\r\nMicrosoft Visual Studio 2008 Service Pack 1 ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=294de390-3c94 -49fb-a014-9a38580e64cb\r\nMicrosoft Visual C++ 2008 0\r\nMicrosoft Microsoft Visual C++ 2008 Redistributable Package ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=8b29655e-9da4 -4b6b-9ac5-687ca0770f93\r\nMicrosoft Visual Studio 2008 ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=8f9da646-94dd -469d-baea-a4306270462c\r\nMicrosoft Visual Studio 2005 64-bit Hosted Visual C++ Tools SP1\r\nMicrosoft Visual Studio 64-bit Hosted Visual C++ Tools 2005 Service Pack 1 ATL Security Update\r\nhttp://www.microsoft.com/downloads/details.aspx?FamilyID=43f96f2a-69c6 -4c5e-b72c-0edfa35f4fc2", "cvss3": {}, "published": "2009-07-29T00:00:00", "type": "seebug", "title": "Microsoft Visual Studio ATL 'VariantClear()'\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-0901"], "modified": "2009-07-29T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-11913", "id": "SSV:11913", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2022-03-23T21:30:45", "description": "The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka \"ATL COM Initialization Vulnerability.\"", "cvss3": {}, "published": "2009-07-29T17:30:00", "type": "cve", "title": "CVE-2009-2493", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2493"], "modified": "2018-10-12T21:51:00", "cpe": ["cpe:/o:microsoft:windows_server_2008:*", "cpe:/a:microsoft:visual_studio:2003", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_2003_server:*", "cpe:/a:microsoft:visual_c\\+\\+:2008", "cpe:/a:microsoft:visual_studio:2005", "cpe:/o:microsoft:windows_xp:*", "cpe:/a:microsoft:visual_c\\+\\+:2005", "cpe:/o:microsoft:windows_2000:*", "cpe:/o:microsoft:windows_vista:-", "cpe:/a:microsoft:visual_studio:2008"], "id": "CVE-2009-2493", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2493", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_studio:2008:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_studio:2008:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_studio:2005:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_c\\+\\+:2008:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_c\\+\\+:2008:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_c\\+\\+:2005:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_studio:2003:sp1:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T21:30:45", "description": "The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1 does not properly enforce string termination, which allows remote attackers to obtain sensitive information via a crafted HTML document with an ATL (1) component or (2) control that triggers a buffer over-read, related to ATL headers and buffer allocation, aka \"ATL Null String Vulnerability.\"", "cvss3": {}, "published": "2009-07-29T17:30:00", "type": "cve", "title": "CVE-2009-2495", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2495"], "modified": "2018-10-12T21:51:00", "cpe": ["cpe:/a:microsoft:visual_c\\+\\+:2008", "cpe:/a:microsoft:visual_studio:2005", "cpe:/a:microsoft:visual_c\\+\\+:2005", "cpe:/a:microsoft:visual_studio_.net:2003", "cpe:/a:microsoft:visual_studio:2008"], "id": "CVE-2009-2495", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2495", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "cpe23": ["cpe:2.3:a:microsoft:visual_c\\+\\+:2008:redistribution_pkg:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_studio:2008:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_studio:2008:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_studio:2005:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_studio_.net:2003:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_studio:2005:sp1:64_bit_hosted_visual_c\\+\\+_tools:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_c\\+\\+:2005:sp1_redistribution_pkg:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_c\\+\\+:2008:sp1_redistribution_pkg:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T21:24:11", "description": "The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not prevent VariantClear calls on an uninitialized VARIANT, which allows remote attackers to execute arbitrary code via a malformed stream to an ATL (1) component or (2) control, related to ATL headers and error handling, aka \"ATL Uninitialized Object Vulnerability.\"", "cvss3": {}, "published": "2009-07-29T17:30:00", "type": "cve", "title": "CVE-2009-0901", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0901"], "modified": "2018-10-12T21:50:00", "cpe": ["cpe:/a:microsoft:visual_c\\+\\+:2008", "cpe:/a:microsoft:visual_studio:2005", "cpe:/a:microsoft:visual_c\\+\\+:2005", "cpe:/a:microsoft:visual_studio_.net:2003", "cpe:/a:microsoft:visual_studio:2008"], "id": "CVE-2009-0901", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0901", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:visual_studio:2008:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_c\\+\\+:2008:sp1_redistribution_pkg:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_studio:2008:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_studio:2005:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_studio_.net:2003:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_studio:2005:sp1:64_bit_hosted_visual_c\\+\\+_tools:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_c\\+\\+:2005:sp1_redistribution_pkg:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_c\\+\\+:2008:redistribution_pkg:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2021-07-28T14:33:24", "description": "Added: 07/30/2009 \nCVE: [CVE-2009-0901](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0901>) \nBID: [35832](<http://www.securityfocus.com/bid/35832>) \nOSVDB: [56696](<http://www.osvdb.org/56696>) \n\n\n### Background\n\nMicrosoft [Visual Studio](<http://msdn.microsoft.com/vstudio/>) is a product to assist with software development in the Windows operating system. Visual Studio uses Microsoft Active Template Library (ATL), which is a set of template-based C++ classes, to help simplify the programming of Component Object Model (COM) objects. \n\n### Problem\n\nA flaw in the way the Microsoft Active Template Library (ATL) handles certain ATL headers could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized, leading to command execution when a user opens a specially crafted web page. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 09-035](<http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx> \n\n\n### Limitations\n\nExploit works on Microsoft Visual Studio 2005 and requires a user to load the exploit page in Internet Explorer 6 or 7. In order for the exploit to succeed, Internet Explorer must have the option \"Initialize and script ActiveX controls not marked as safe\" set to \"Enable\", because the affected ActiveX control is marked not safe. Also note that, due to the nature of the vulnerability, the exploit only works when the exploit server is specified as an IP address rather than a host/domain name. \n\n### Platforms\n\nWindows XP \n \n\n", "cvss3": {}, "published": "2009-07-30T00:00:00", "type": "saint", "title": "Visual Studio Active Template Library uninitialized object", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0901"], "modified": "2009-07-30T00:00:00", "id": "SAINT:E5E9F70E1B7AAA88D827C4D32190B250", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/visual_studio_atl_uninitialized_object", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-26T11:34:55", "description": "Added: 07/30/2009 \nCVE: [CVE-2009-0901](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0901>) \nBID: [35832](<http://www.securityfocus.com/bid/35832>) \nOSVDB: [56696](<http://www.osvdb.org/56696>) \n\n\n### Background\n\nMicrosoft [Visual Studio](<http://msdn.microsoft.com/vstudio/>) is a product to assist with software development in the Windows operating system. Visual Studio uses Microsoft Active Template Library (ATL), which is a set of template-based C++ classes, to help simplify the programming of Component Object Model (COM) objects. \n\n### Problem\n\nA flaw in the way the Microsoft Active Template Library (ATL) handles certain ATL headers could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized, leading to command execution when a user opens a specially crafted web page. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 09-035](<http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx> \n\n\n### Limitations\n\nExploit works on Microsoft Visual Studio 2005 and requires a user to load the exploit page in Internet Explorer 6 or 7. In order for the exploit to succeed, Internet Explorer must have the option \"Initialize and script ActiveX controls not marked as safe\" set to \"Enable\", because the affected ActiveX control is marked not safe. Also note that, due to the nature of the vulnerability, the exploit only works when the exploit server is specified as an IP address rather than a host/domain name. \n\n### Platforms\n\nWindows XP \n \n\n", "cvss3": {}, "published": "2009-07-30T00:00:00", "type": "saint", "title": "Visual Studio Active Template Library uninitialized object", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0901"], "modified": "2009-07-30T00:00:00", "id": "SAINT:8FBDF77614BE31A34B6C4E1E6703BBDA", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/visual_studio_atl_uninitialized_object", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T16:40:23", "description": "Added: 07/30/2009 \nCVE: [CVE-2009-0901](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0901>) \nBID: [35832](<http://www.securityfocus.com/bid/35832>) \nOSVDB: [56696](<http://www.osvdb.org/56696>) \n\n\n### Background\n\nMicrosoft [Visual Studio](<http://msdn.microsoft.com/vstudio/>) is a product to assist with software development in the Windows operating system. Visual Studio uses Microsoft Active Template Library (ATL), which is a set of template-based C++ classes, to help simplify the programming of Component Object Model (COM) objects. \n\n### Problem\n\nA flaw in the way the Microsoft Active Template Library (ATL) handles certain ATL headers could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized, leading to command execution when a user opens a specially crafted web page. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 09-035](<http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx> \n\n\n### Limitations\n\nExploit works on Microsoft Visual Studio 2005 and requires a user to load the exploit page in Internet Explorer 6 or 7. In order for the exploit to succeed, Internet Explorer must have the option \"Initialize and script ActiveX controls not marked as safe\" set to \"Enable\", because the affected ActiveX control is marked not safe. Also note that, due to the nature of the vulnerability, the exploit only works when the exploit server is specified as an IP address rather than a host/domain name. \n\n### Platforms\n\nWindows XP \n \n\n", "cvss3": {}, "published": "2009-07-30T00:00:00", "type": "saint", "title": "Visual Studio Active Template Library uninitialized object", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0901"], "modified": "2009-07-30T00:00:00", "id": "SAINT:76621B577D4A780FDF09854B31FC808F", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/visual_studio_atl_uninitialized_object", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:54", "description": "Added: 07/30/2009 \nCVE: [CVE-2009-0901](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0901>) \nBID: [35832](<http://www.securityfocus.com/bid/35832>) \nOSVDB: [56696](<http://www.osvdb.org/56696>) \n\n\n### Background\n\nMicrosoft [Visual Studio](<http://msdn.microsoft.com/vstudio/>) is a product to assist with software development in the Windows operating system. Visual Studio uses Microsoft Active Template Library (ATL), which is a set of template-based C++ classes, to help simplify the programming of Component Object Model (COM) objects. \n\n### Problem\n\nA flaw in the way the Microsoft Active Template Library (ATL) handles certain ATL headers could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized, leading to command execution when a user opens a specially crafted web page. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 09-035](<http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx> \n\n\n### Limitations\n\nExploit works on Microsoft Visual Studio 2005 and requires a user to load the exploit page in Internet Explorer 6 or 7. In order for the exploit to succeed, Internet Explorer must have the option \"Initialize and script ActiveX controls not marked as safe\" set to \"Enable\", because the affected ActiveX control is marked not safe. Also note that, due to the nature of the vulnerability, the exploit only works when the exploit server is specified as an IP address rather than a host/domain name. \n\n### Platforms\n\nWindows XP \n \n\n", "cvss3": {}, "published": "2009-07-30T00:00:00", "type": "saint", "title": "Visual Studio Active Template Library uninitialized object", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-0901"], "modified": "2009-07-30T00:00:00", "id": "SAINT:98D7C8B136A847C4C1DF04E6AD6474E2", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/visual_studio_atl_uninitialized_object", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T12:32:45", "description": "Note: This advisory was resent because the list of packages was wrong. The flash-player is a web-browser plugin that allows displaying animated web-content and remote access to client hardware (mic, web-cam, etc.). A specially crafted Shockwave-Flash (SWF) file could cause a buffer overflow in the flash-player plugin. This buffer overflow can probably be exploited to execute arbitrary code remotely.\n#### Solution\nNo work-around, please update.", "cvss3": {}, "published": "2009-08-05T14:55:37", "type": "suse", "title": "remote code execution in flash-player", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2009-1865", "CVE-2009-1866", "CVE-2009-2493", "CVE-2009-1869", "CVE-2009-2395", "CVE-2009-1864", "CVE-2009-1863", "CVE-2009-1867", "CVE-2009-1870", "CVE-2009-1868", "CVE-2009-1862", "CVE-2009-0901"], "modified": "2009-08-05T14:55:37", "id": "SUSE-SA:2009:041", "href": "http://lists.opensuse.org/opensuse-security-announce/2009-08/msg00001.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:38:48", "description": "The IBM Java 6 JRE/SDK was updated to Service Release 6, fixing various bugs and security issues.\n#### Solution\nThere is no known workaround, please install the update packages.", "cvss3": {}, "published": "2009-11-04T15:26:34", "type": "suse", "title": "remote code execution in java-1_6_0-ibm", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2009-2670", "CVE-2009-0217", "CVE-2009-2493", "CVE-2009-2625", "CVE-2009-2673", "CVE-2009-2674", "CVE-2009-2671", "CVE-2009-2672", "CVE-2009-2676", "CVE-2009-2675"], "modified": "2009-11-04T15:26:34", "id": "SUSE-SA:2009:053", "href": "http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:38:53", "description": "IBM Java 5 was updated to Service Refresh 11. It fixes lots of bugs and security issues.\n#### Solution\nThere is no known workaround, please install the update packages.", "cvss3": {}, "published": "2010-01-12T09:21:12", "type": "suse", "title": "remote code execution in java-1_5_0-ibm", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2009-2493", "CVE-2009-3876", "CVE-2009-3873", "CVE-2009-3872", "CVE-2009-3867", "CVE-2009-3875", "CVE-2009-3869", "CVE-2009-3874", "CVE-2009-3871", "CVE-2009-3877", "CVE-2009-3868"], "modified": "2010-01-12T09:21:12", "id": "SUSE-SA:2010:002", "href": "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00001.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T23:08:29", "description": "[](<https://threatpost.com/openoffice-zaps-six-security-bugs-021810/>)OpenOffice.org has shipped a new version of the desktop productivity suite to patch six vulnerabilities that could expose users to malicious hacker attacks.\n\nThe flaws fixed in OpenOffice.org 3.2 could be exploited via GIF, XPM files and Microsoft Word document processing, according to an advisory released by the open-source group.\n\nHere\u2019s the skinny of the vulnerabilities:\n\n * [CVE-2006-4339](<http://www.openoffice.org/security/cves/CVE-2006-4339.html>): Potential \nvulnerability from 3rd party libxml2 libraries\n * [CVE-2009-0217](<http://www.openoffice.org/security/cves/CVE-2009-0217.html>): Potential \nvulnerability from 3rd party libxmlsec libraries\n * [CVE-2009-2493](<http://www.openoffice.org/security/cves/CVE-2009-2493.html>): OpenOffice.org 3 \nfor Windows bundles a vulnerable version of MSVC Runtime\n * [CVE-2009-2949](<http://www.openoffice.org/security/cves/CVE-2009-2949.html>): Potential \nvulnerability related to XPM file processing\n * [CVE-2009-2950](<http://www.openoffice.org/security/cves/CVE-2009-2950.html>): Potential \nvulnerability related to GIF file processing\n * [CVE-2009-3301/2](<http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html>): Potential \nvulnerability related to MS-Word document processing\n\nOpenOffice.org users are strongly urged to [download and apply](<http://download.openoffice.org/>) the patches.\n", "cvss3": {}, "published": "2010-02-18T15:09:26", "type": "threatpost", "title": "OpenOffice Zaps Six Security Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2006-4339", "CVE-2009-0217", "CVE-2009-2493", "CVE-2009-2949", "CVE-2009-2950", "CVE-2009-3301"], "modified": "2018-08-15T13:26:48", "id": "THREATPOST:DA06EE238F79D261C0FCB61902F3CDBD", "href": "https://threatpost.com/openoffice-zaps-six-security-bugs-021810/73556/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2022-01-19T16:03:50", "description": "\n\nOpenOffice.org Security Team reports:\n\nFixed in OpenOffice.org 3.2\nCVE-2006-4339: Potential vulnerability from 3rd party\n\t libxml2 libraries\nCVE-2009-0217: Potential vulnerability from 3rd party\n\t libxmlsec libraries\nCVE-2009-2493: OpenOffice.org 3 for Windows bundles a vulnerable\n\t version of MSVC Runtime\nCVE-2009-2949: Potential vulnerability related to XPM file\n\t processing\nCVE-2009-2950: Potential vulnerability related to GIF file\n\t processing\nCVE-2009-3301/2: Potential vulnerability related to MS-Word\n\t document processing\n\n\n", "cvss3": {}, "published": "2006-08-24T00:00:00", "type": "freebsd", "title": "openoffice.org -- multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-4339", "CVE-2009-0217", "CVE-2009-2493", "CVE-2009-2949", "CVE-2009-2950", "CVE-2009-3301", "CVE-2009-3302"], "modified": "2010-02-27T00:00:00", "id": "C97D7A37-2233-11DF-96DD-001B2134EF46", "href": "https://vuxml.freebsd.org/freebsd/c97d7a37-2233-11df-96dd-001b2134ef46.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}