(Microsoft Issues Fix for IE) Microsoft Visual Studio Active Template Library Bugs Let Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1023295
SecurityTracker URL: http://securitytracker.com/id/1023295
CVE Reference: CVE-2009-2493
Date: Dec 8 2009
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 5.01 SP4, 6, 6 SP1, 7, 8
Description:
Several vulnerabilities were reported in Microsoft Visual Studio. A remote user can cause arbitrary code to be executed on the target user's system. Microsoft Internet Explorer is affected.
A remote user can create a specially crafted file that, when loaded by the target user, will trigger a flaw in the Microsoft Active Template Library (ATL) and execute arbitrary code on the target system. The code will run with the privileges of the target user.
A specially crafted ATL header can cause the VariantClear() function to be called on an incorrectly initialized VARIANT [CVE-2009-0901].
A specially crafted ATL header can invoke OleLoadFromStream() to instantiate arbitrary objects that can bypass related security policy [CVE-2009-2493].
A specially crafted string without a terminating NULL character may allow a remote user to obtain potentially sensitive information [CVE-2009-2495].
David Dewey of IBM ISS X-Force reported one of the vulnerabilities. Ryan Smith of VeriSign iDefense Labs reported the other two vulnerabilities.
Impact:
A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system or access potentially sensitive information on the target user's system.
Solution:
Microsoft has issued a fix for Internet Explorer, which is affected by CVE-2009-2493.
Microsoft Windows 2000 Service Pack 4, Internet Explorer 5.01 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?familyid=0cf37247-505a-4dc2-aad7-c8cb1a63b57a
Microsoft Windows 2000 Service Pack 4, Internet Explorer 6 Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=7fb6261c-6895-4f79-be2c-bb110874a19c
Windows XP Service Pack 2 and Windows XP Service Pack 3, Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?familyid=facab13f-ea31-4c71-be4c-24e44ded174f
Windows XP Professional x64 Edition Service Pack 2, Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?familyid=a253c19a-c808-4115-8bd0-cf312d396abd
Windows Server 2003 Service Pack 2, Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?familyid=6659fc40-71ee-44a9-9656-8d3ee02b5bc0
Windows Server 2003 x64 Edition Service Pack 2, Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?familyid=287e7921-8aab-42a6-b647-551d0a9adc15
Windows Server 2003 with SP2 for Itanium-based Systems, Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?familyid=9ce1a721-0c6a-4775-9407-9633d817d716
Windows XP Service Pack 2 and Windows XP Service Pack 3, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=def2c038-3b03-4162-a563-a6ebec756f37
Windows XP Professional x64 Edition Service Pack 2, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=98a56425-4f88-4f0f-963b-dada8dc0d8f8
Windows Server 2003 Service Pack 2, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=7bdba030-e2c6-44ac-bb5f-24ae8ec372a2
Windows Server 2003 x64 Edition Service Pack 2, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=4de4bbcd-b1b8-4482-8ef7-0d9b4a730e0c
Windows Server 2003 with SP2 for Itanium-based Systems, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=72d44de7-dfc5-4667-a59f-2ee73d0e3708
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=40d26d40-4203-4013-b3f9-912a5b209fbd
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=3140527a-aa33-462b-b3a6-bfcd78b5aa0c
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=d0570536-756e-4fda-883d-f2a3c4ac5bbd
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=0e72d0f1-2ce7-4650-b72c-bb303351aafc
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2, Internet Explorer 7:
http://www.microsoft.com/downloads/details.aspx?familyid=2c7765a2-3117-4dd8-94b4-0060ca16871b
Windows XP Service Pack 2 and Windows XP Service Pack 3, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=6c003629-77bf-4735-bd4a-c37c4386f869
Windows XP Professional x64 Edition Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=0c9af3b5-d015-4025-bbb4-1a5113e9113f
Windows Server 2003 Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=0dd50357-64f2-4286-86ba-c512e65eed2a
Windows Server 2003 x64 Edition Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=e62aba15-5eeb-46a2-a142-bfca94016c55
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=47d5ada1-1d60-4233-bdd3-64918b5e1245
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=1e466b48-422f-4c80-8fdf-ba61111942b1
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=43660133-43e1-41f3-8a82-98c4a739914f
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=22972970-740f-4c50-93ec-f6d49dd1b360
Windows 7 for 32-bit Systems, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=5af3be0b-2dd2-4039-90e1-2278e9c5aee5
Windows 7 for x64-based Systems, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=9d9a04c8-a019-4943-8e93-c6bfd77c8960
Windows Server 2008 R2 for x64-based Systems*, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=bcb38127-787f-49b0-b3fb-62f6a8628d89
Windows Server 2008 R2 for Itanium-based Systems, Internet Explorer 8:
http://www.microsoft.com/downloads/details.aspx?familyid=2c1b96f2-b3c3-4711-a9ad-b2133ea7bf81
A restart is required.
The Microsoft advisory is available at:
http://www.microsoft.com/technet/security/bulletin/ms09-072.mspx
Cause:
Access control error
Underlying OS:
Windows (Any)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Tue, 08 Dec 2009 19:47:14 +0000
Subject: http://www.microsoft.com/technet/security/bulletin/ms09-072.mspx
Microsoft Security Bulletin MS09-072 - Critical: Cumulative Security Update for Internet Explorer (976325)
CVE-2009-2493