Vulnerability Note VU#456745
ActiveX controls built with Microsoft ATL fail to properly handle initialization data
Overview
ActiveX controls that are built using a Microsoft ATL template may fail to properly handle initialization data, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
I. Description
Microsoft Active Template Library (ATL) is a set of C++ classes that are designed to simplify the creation of COM objects and ActiveX controls. An ActiveX control can be designated as "safe for scripting," which means that it can be used by an untrusted caller such as JavaScript in a web page, and/or it may be designated as "safe for initialization," which means that it can accept untrusted initialization data. ActiveX controls that are developed using the Microsoft ATL technology may fail to properly handle initialization data. The specific vulnerabilities include the use of uninitialized objects, unsafe usage of OleLoadFromStream, and the failure to check for a terminating NULL character. This may result in memory corruption that can be leveraged to execute code, or it may bypass Internet Explorer kill bit restrictions on unsafe controls.
II. Impact
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.
III. Solution
Apply an update
This vulnerability has been addressed in the update for Internet Explorer provided in Microsoft Security Bulletin MS09-034. This update helps prevent ActiveX controls that were built with the vulnerable ATL versions from being initialized with unsafe data patterns in Internet Explorer. This also includes techniques that can be used to bypass the kill bit in Internet Explorer.
Update and recompile ActiveX controls
Developers who have created ActiveX controls using Microsoft ATL should install the update for Microsoft Security Bulletin MS09-035 and recompile the ActiveX controls. This will cause the controls to use an updated ATL version that addresses these vulnerabilities.
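The Description lists a failure to check for a terminating NULL character among the flaws in handling initialization data. As an added example (not code from ATL, Microsoft, or this note), the C function below shows the checks a control's own persistence code can make before using a string loaded from untrusted data; the record layout, function name, status codes, and sample records are all assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum load_status { LOAD_OK, LOAD_TRUNCATED, LOAD_TOO_LONG,
                   LOAD_NOT_TERMINATED, LOAD_EMBEDDED_NUL };

/* Parse one string property from untrusted initialization data.
 * Assumed record layout (constructed for this example, not ATL's format):
 * 4-byte little-endian byte count, then that many bytes, the last one NUL. */
enum load_status load_string_property(const uint8_t *data, size_t data_len,
                                      char *out, size_t out_cap)
{
    if (data_len < 4)
        return LOAD_TRUNCATED;
    uint32_t n = (uint32_t)data[0] | ((uint32_t)data[1] << 8) |
                 ((uint32_t)data[2] << 16) | ((uint32_t)data[3] << 24);
    /* A zero count cannot hold a terminator; a larger one overstates the data. */
    if (n == 0 || n > data_len - 4)
        return LOAD_TRUNCATED;
    if (n > out_cap)
        return LOAD_TOO_LONG;
    const uint8_t *payload = data + 4;
    /* Terminator check: without it, later strlen-style use overruns the buffer. */
    if (payload[n - 1] != 0)
        return LOAD_NOT_TERMINATED;
    /* Reject an earlier NUL so declared and effective lengths agree. */
    if (memchr(payload, 0, n - 1) != NULL)
        return LOAD_EMBEDDED_NUL;
    memcpy(out, payload, n);
    return LOAD_OK;
}

/* Constructed sample records and a scratch destination buffer. */
static const uint8_t good[]     = {4, 0, 0, 0, 'a', 'b', 'c', 0};
static const uint8_t no_nul[]   = {4, 0, 0, 0, 'a', 'b', 'c', 'd'};
static const uint8_t lying[]    = {64, 0, 0, 0, 'a', 'b', 0};
static const uint8_t embedded[] = {4, 0, 0, 0, 'a', 0, 'c', 0};
static char demo_out[16];

int main(void) {
    printf("good=%d no_nul=%d lying=%d embedded=%d\n",
           load_string_property(good, sizeof good, demo_out, sizeof demo_out),
           load_string_property(no_nul, sizeof no_nul, demo_out, sizeof demo_out),
           load_string_property(lying, sizeof lying, demo_out, sizeof demo_out),
           load_string_property(embedded, sizeof embedded, demo_out, sizeof demo_out));
    return 0;
}
```

Recompiling against the updated ATL addresses the library's own code paths; checks like these apply to any hand-written loading code in a control marked safe for initialization.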
Disable ActiveX
Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| Adobe | Vulnerable | | 2009-07-30 |
| Alcatel-Lucent | Unknown | 2009-07-28 | 2009-07-28 |
| America Online, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Apple Inc. | Not Vulnerable | 2009-07-28 | 2009-07-31 |
| Attachmate | Unknown | 2009-07-28 | 2009-07-28 |
| Aurigma Inc. | Vulnerable | 2009-07-28 | 2009-07-29 |
| Axis | Unknown | 2009-07-28 | 2009-07-28 |
| BT | Unknown | 2009-07-28 | 2009-07-28 |
| Business Objects | Unknown | 2009-07-28 | 2009-07-28 |
| Callisto Corporation | Unknown | 2009-07-28 | 2009-07-28 |
| Cisco Systems, Inc. | Vulnerable | 2009-07-28 | 2009-07-29 |
| Computer Associates eTrust Security Management | Unknown | 2009-07-28 | 2009-07-28 |
| Computer Emergency Response Team Brazil | Unknown | 2009-07-28 | 2009-07-28 |
| Corel Corporation | Unknown | 2009-07-28 | 2009-07-28 |
| E-Book Systems Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| eBay | Unknown | 2009-07-28 | 2009-07-28 |
| Electronic Arts | Unknown | 2009-07-28 | 2009-07-28 |
| ESET, LLC. | Unknown | 2009-07-28 | 2009-07-28 |
| F5 Networks, Inc. | Vulnerable | 2009-07-28 | 2009-07-29 |
| GameTap-Turner Broadcasting subsidiary | Unknown | 2009-07-28 | 2009-07-28 |
| GOVCERT-NL | Unknown | 2009-07-28 | 2009-07-28 |
| Gracenote | Unknown | 2009-07-28 | 2009-07-28 |
| Hewlett-Packard Company | Unknown | 2009-07-28 | 2009-07-28 |
| Husdawg | Unknown | 2009-07-28 | 2009-07-28 |
| IBM Corporation | Not Vulnerable | 2009-07-28 | 2009-07-29 |
| Iconics, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| IncrediMail Ltd. | Unknown | 2009-07-28 | 2009-07-28 |
| Infotriever, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| InterActual Technologies, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Intuit, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Juniper Networks, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Kodak Easy Share Gallery | Unknown | 2009-07-28 | 2009-07-28 |
| Lenovo | Unknown | 2009-07-28 | 2009-07-28 |
| LizardTech, Inc | Unknown | 2009-07-28 | 2009-07-28 |
| LogicNP | Not Vulnerable | 2009-07-28 | 2009-07-30 |
| Lotus Software | Unknown | 2009-07-28 | 2009-07-28 |
| Media Technology Group | Unknown | 2009-07-28 | 2009-07-28 |
| Microsoft Corporation | Vulnerable | | 2009-07-28 |
| Motive | Unknown | 2009-07-28 | 2009-07-28 |
| Move Networks, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Namzak Labs Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Nokia | Unknown | 2009-07-28 | 2009-07-28 |
| Novell, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Oracle Corporation | Unknown | 2009-07-28 | 2009-07-28 |
| OSISoft | Vulnerable | | 2009-08-04 |
| Panda Software Ltd. | Unknown | 2009-07-28 | 2009-07-28 |
| PNI Digital Media | Unknown | 2009-07-28 | 2009-07-28 |
| Radiant Systems | Unknown | 2009-07-28 | 2009-07-28 |
| RealNetworks, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Research in Motion (RIM) | Unknown | 2009-07-28 | 2009-07-28 |
| SafeNet | Unknown | 2009-07-28 | 2009-07-28 |
| SAP | Unknown | 2009-07-28 | 2009-07-28 |
| ScriptLogic | Unknown | 2009-07-28 | 2009-07-28 |
| Siemens | Unknown | 2009-07-28 | 2009-07-28 |
| Simba Technologies | Unknown | 2009-07-28 | 2009-07-28 |
| SoftArtisans, Inc | Unknown | 2009-07-28 | 2009-07-28 |
| SonicWall | Vulnerable | 2009-07-28 | 2009-10-28 |
| Sun Microsystems, Inc. | Vulnerable | | 2009-08-05 |
| SupportSoft, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| SwiftView | Unknown | 2009-07-28 | 2009-07-28 |
| Symantec | Unknown | 2009-07-28 | 2009-07-28 |
| Trend Micro | Unknown | 2009-07-28 | 2009-07-28 |
| Unigraphics Solutions | Unknown | 2009-07-28 | 2009-07-28 |
| VanDyke Software | Not Vulnerable | 2009-07-28 | 2009-08-04 |
| View22 | Unknown | 2009-07-28 | 2009-07-28 |
| WeOnlyDo! Software | Unknown | 2009-07-28 | 2009-07-28 |
| WinZip Computing, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Worldspan | Unknown | 2009-07-28 | 2009-07-28 |
| Xerox | Unknown | 2009-07-28 | 2009-07-28 |
| Yahoo, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
References
http://www.kb.cert.org/vuls/id/180513
http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
http://www.microsoft.com/security/atl.aspx
http://blogs.technet.com/msrc/archive/2009/07/28/microsoft-security-advisory-973882-microsoft-security-bulletins-ms09-034-and-ms09-035-released.aspx
http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx
http://blogs.technet.com/ecostrat/archive/2009/07/27/threat-complexity-requires-new-levels-of-collaboration.aspx
http://www.microsoft.com/technet/security/advisory/973882.mspx
http://msdn.microsoft.com/en-us/library/ms680103(VS.85).aspx
http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx
http://msdn.microsoft.com/en-us/library/t9adwcde(VS.80).aspx
http://support.microsoft.com/kb/168371
http://support.microsoft.com/kb/240797
http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html
http://www.adobe.com/support/security/advisories/apsa09-04.html
http://www.adobe.com/support/security/bulletins/apsb09-10.html
http://www.adobe.com/support/security/bulletins/apsb09-11.html
http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html
http://blogs.technet.com/srd/archive/2009/07/28/msvidctl-ms09-032-and-the-atl-vulnerability.aspx
http://blogs.technet.com/srd/archive/2009/07/28/atl-vulnerability-developer-deep-dive.aspx
http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx
http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx
http://blogs.technet.com/bluehat/archive/2009/07/27/black-hat-usa-atl-killbit-bypass.aspx
Credit
Thanks to Microsoft for reporting this vulnerability, who in turn credit David Dewey of IBM ISS X-Force and Ryan Smith of Verisign iDefense labs.
This document was written by Will Dormann.
Other Information
If you have feedback, comments, or additional information about this vulnerability, please send us email.