MS09-037: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)

This script is Copyright (C) 2009-2013 Tenable Network Security, Inc.


Synopsis :

Arbitrary code can be executed on the remote host through Microsoft
Active Template Library.

Description :

The remote Windows host contains a version of the Microsoft Active
Template Library (ATL), included as part of Visual Studio or Visual C++,
that is affected by multiple vulnerabilities :

- A remote code execution issue affects the Microsoft
Video ActiveX Control due to a flaw in the function
'CComVariant::ReadFromStream' in the ATL headers,
which fails to properly restrict untrusted data read
from a stream. (CVE-2008-0015)

- A remote code execution issue exists in the Microsoft
Active Template Library due to an error in the 'Load'
method of the 'IPersistStreamInit' interface, which
could allow calls to 'memcpy' with untrusted data.
(CVE-2008-0020)

- An issue in the ATL headers could allow an attacker to
force VariantClear to be called on a VARIANT that has
not been correctly initialized and, by supplying a
corrupt stream, to execute arbitrary code.
(CVE-2009-0901)

- Unsafe usage of 'OleLoadFromStream' could allow
instantiation of arbitrary objects, bypassing related
security policy such as kill bits within Internet
Explorer. (CVE-2009-2493)

- A bug in the ATL headers allows a variant to be read
from a stream in a way that leaves the resulting
variant with an invalid variant type, which an attacker
could leverage to execute arbitrary code remotely.
(CVE-2009-2494)
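The ATL issues above share one shape: a type tag and a length read from a persisted object stream drive memcpy and VariantClear without validation. The program below is an added example written for this page, not ATL or Microsoft code; its stream layout, VT_* values, BLOB_MAX and struct names are constructed for illustration. It places the vulnerable reader (untrusted length into memcpy, unknown type tags accepted, variant left uninitialised on failure) beside a hardened reader that initialises the variant first, allowlists the type tag, and bounds the length before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a persisted VARIANT: 16-bit type tag, then a
 * type-specific payload. Tag values are this example's own, not ATL's. */
enum { VT_EMPTY = 0, VT_I4 = 3, VT_BLOB = 0x41 };
#define BLOB_MAX 16

struct variant {
    uint16_t vt;
    union {
        int32_t lval;
        struct { uint32_t len; uint8_t data[BLOB_MAX]; } blob;
    } u;
};

struct stream { const uint8_t *p; size_t len; size_t pos; };

/* Like IStream::Read: fails on short read, knows nothing about the
 * size of the destination buffer. */
static int stream_read(struct stream *s, void *dst, size_t n) {
    if (n > s->len - s->pos) return 0;
    memcpy(dst, s->p + s->pos, n);
    s->pos += n;
    return 1;
}
static int read_u16(struct stream *s, uint16_t *out) {
    uint8_t b[2];
    if (!stream_read(s, b, 2)) return 0;
    *out = (uint16_t)(b[0] | (b[1] << 8));       /* little-endian on the wire */
    return 1;
}
static int read_u32(struct stream *s, uint32_t *out) {
    uint8_t b[4];
    if (!stream_read(s, b, 4)) return 0;
    *out = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    return 1;
}

/* Vulnerable pattern. The length comes straight from the stream and
 * feeds memcpy; a blob claiming more than BLOB_MAX bytes overflows
 * 'data'. Unknown type tags are accepted, and on a failed read the
 * caller's variant may be left with whatever the stack held.
 * Never run this on the hostile stream below. */
int read_variant_unsafe(struct stream *s, struct variant *v) {
    if (!read_u16(s, &v->vt)) return 0;
    switch (v->vt) {
    case VT_I4:  return stream_read(s, &v->u.lval, sizeof v->u.lval);
    case VT_BLOB:
        if (!read_u32(s, &v->u.blob.len)) return 0;
        return stream_read(s, v->u.blob.data, v->u.blob.len); /* untrusted len */
    default:     return 1;                                    /* any vt accepted */
    }
}

/* Hardened pattern: zero the variant first so a failure path that
 * clears it sees VT_EMPTY, refuse type tags outside an allowlist,
 * bound the length before any copy, and commit vt only on success. */
int read_variant_safe(struct stream *s, struct variant *v) {
    uint16_t vt;
    uint32_t len;
    memset(v, 0, sizeof *v);                 /* vt == VT_EMPTY */
    if (!read_u16(s, &vt)) return 0;
    switch (vt) {
    case VT_I4:
        if (!stream_read(s, &v->u.lval, sizeof v->u.lval)) return 0;
        break;
    case VT_BLOB:
        if (!read_u32(s, &len)) return 0;
        if (len > BLOB_MAX) return 0;        /* bound before memcpy */
        if (!stream_read(s, v->u.blob.data, len)) return 0;
        v->u.blob.len = len;
        break;
    default:
        return 0;                            /* object/unknown types refused */
    }
    v->vt = vt;
    return 1;
}

/* Constructed sample streams. */
const uint8_t GOOD_STREAM[] = { 0x41,0x00, 0x04,0x00,0x00,0x00, 0xde,0xad,0xbe,0xef };
const uint8_t EVIL_STREAM[6 + 64] = { 0x41,0x00, 0x40,0x00,0x00,0x00 }; /* claims 64-byte blob */
const uint8_t BAD_VT_STREAM[] = { 0x0d,0x00 };                          /* tag not allowlisted */

int parse_safe(const uint8_t *buf, size_t n, struct variant *v) {
    struct stream s = { buf, n, 0 };
    return read_variant_safe(&s, v);
}
int parse_unsafe(const uint8_t *buf, size_t n, struct variant *v) {
    struct stream s = { buf, n, 0 };
    return read_variant_unsafe(&s, v);
}

int main(void) {
    struct variant v;
    printf("safe/good: %d vt=0x%x len=%u\n", parse_safe(GOOD_STREAM, sizeof GOOD_STREAM, &v), v.vt, v.u.blob.len);
    printf("safe/evil: %d vt=0x%x\n", parse_safe(EVIL_STREAM, sizeof EVIL_STREAM, &v), v.vt);
    printf("safe/badvt: %d\n", parse_safe(BAD_VT_STREAM, sizeof BAD_VT_STREAM, &v));
    return 0;
}
```

The unsafe reader returns success on the hostile stream only after memcpy has written 64 bytes into a 16-byte field, which is why it is never invoked on that input here; the hardened reader rejects it before any copy and leaves the variant at VT_EMPTY, so a later clear has nothing to free.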

See also :

http://technet.microsoft.com/en-us/security/bulletin/MS09-037

Solution :

Microsoft has released a set of patches for Windows 2000, XP, 2003,
Vista and 2008.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.7
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows : Microsoft Bulletins

Nessus Plugin ID: 40556

Bugtraq ID: 35558, 35585, 35828, 35832, 35982

CVE ID: CVE-2008-0015, CVE-2008-0020, CVE-2009-0901, CVE-2009-2493, CVE-2009-2494