ID: 3867
Date: 29/07/2009
Title: 3867 - Microsoft Windows, Internet Explorer, and Active Template Library (ATL) Vulnerabilities
Platform level affected:Net Application - Client
Hardware components affected:Intel PC
Specific operating systems components affected: 32-bit Windows
Other software: Web Browser
Remediation Summary:Update your copy of the software with the download available from the supplier.
Vendors affected:Microsoft
Applications affected:Windows and Windows Server, Internet Explorer, Visual Studio and C++ Redistributable Package and ActiveX controls from multiple vendors
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Imminent
Potential Damage: Remote execution/modification
Possible Duration: Open Ended
Availability of fix: Available
Type of fix: Automated Patch
Source: Microsoft and US-CERT
Reliability of source: Trusted
Source URL: http://www.microsoft.com/technet/security/bulletin/ms09-jul-ans.mspx
Abstract: Microsoft has released out-of-band updates to address critical vulnerabilities in Microsoft Internet Explorer running on most supported versions of Windows. The updates also help mitigate attacks against ActiveX controls developed with vulnerable versions of the Microsoft Active Template Library (ATL).
National Cyber Alert System
Technical Cyber Security Alert TA09-209A
Microsoft Windows, Internet Explorer, and Active Template Library (ATL) Vulnerabilities
Original release date: July 28, 2009
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows and Windows Server
* Microsoft Internet Explorer
* Microsoft Visual Studio and C++ Redistributable Package
* ActiveX controls from multiple vendors
Overview
Microsoft has released out-of-band updates to address critical
vulnerabilities in Microsoft Internet Explorer running on most
supported versions of Windows. The updates also help mitigate
attacks against ActiveX controls developed with vulnerable versions
of the Microsoft Active Template Library (ATL).
I. Description
Microsoft has released updates for critical vulnerabilities in
Internet Explorer. The updates also include mitigations for attacks
against vulnerable ActiveX controls that were created using
vulnerable versions of the Active Template Library (ATL).
Vulnerabilities present in the ATL can cause vulnerabilities in the
resulting ActiveX controls and COM components. For example, the ATL
typographical error described in this Security Development
Lifecycle blog post caused the Microsoft Video ActiveX control
stack buffer overflow (VU#180513, CVE-2008-0015).
Any ActiveX control or COM component that was created with a
vulnerable version of the ATL may be vulnerable. For example, Adobe
and Cisco are affected.
II. Impact
By convincing a user to view a specially crafted HTML document
(e.g., a Web page, HTML email message, or HTML attachment), an
attacker may be able to execute arbitrary code.
III. Solution
System Administrators
To address the vulnerabilities in Internet Explorer and mitigate
attacks against vulnerable ATL-based ActiveX controls, apply the
updates described in Microsoft Security Bulletin MS09-034. Further
details about the ATL mitigations are available in a Microsoft
Security Research & Defense blog post.
Administrators should consider using an automated update
distribution system such as Windows Server Update Services (WSUS).
Developers
To stop creating vulnerable controls, update the ATL as described
in Microsoft Security Bulletin MS09-035. To address vulnerabilities
in existing controls, recompile the controls using the updated ATL.
Further discussion about the ATL vulnerabilities can be found in
the Security Development Lifecycle blog.
IV. References
* Vulnerability Note VU#456745 -
<http://www.kb.cert.org/vuls/id/456745>
* Vulnerability Note VU#180513 -
<http://www.kb.cert.org/vuls/id/180513>
* Vulnerabilities in Microsoft Active Template Library (ATL) Could
Allow Remote Code Execution -
<http://www.microsoft.com/technet/security/advisory/973882.mspx>
* Microsoft Security Bulletin MS09-34 -
<http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx>
* Microsoft Security Bulletin MS09-35 -
<http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx>
* Protect Your Computer: Active Template Library, Security Updates -
<http://www.microsoft.com/security/atl.aspx>
* Microsoft Security Advisory 973882, Microsoft Security Bulletins
MS09-034 and MS09-035 Released -
<http://blogs.technet.com/msrc/archive/2009/07/28/microsoft-security-advisory-973882-microsoft-security-bulletins-ms09-034-and-ms09-035-released.aspx>
* Black Hat USA Spotlight: ATL Killbit Bypass -
<http://blogs.technet.com/bluehat/archive/2009/07/27/black-hat-usa-atl-killbit-bypass.aspx>
* ATL -
<http://msdn.microsoft.com/en-us/library/3ax346b7(VS.71).aspx>
* ATL, MS09-035 and the SDL -
<http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx>
* Internet Explorer Mitigations for ATL Data Stream Vulnerabilities -
<http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx>
* Microsoft Windows Server Update Services -
<http://technet.microsoft.com/en-us/wsus/default.aspx>
* Impact of Microsoft ATL vulnerability on Adobe Products -
<http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html>
* Cisco Security Advisory: Active Template Library (ATL)
Vulnerability -
<http://www.cisco.com/warp/public/707/cisco-sa-20090728-activex.shtml>
* CVE-2008-0015 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0015>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-209A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-209A Feedback VU#456745" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
July 28, 2009: Initial release
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
Wed, 29 Jul 2009 09:10:00 GMT
Domain affected: Technical