Vulnerability Note VU#456745

ActiveX controls built with Microsoft ATL fail to properly handle initialization data

Original Release date: 28 Jul 2009 | Last revised: 24 Feb 2010


ActiveX controls that are built using a Microsoft ATL template may fail to properly handle initialization data, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.


Microsoft Active Template Library (ATL) is a set of C++ classes that are designed to simplify the creation of COM objects and ActiveX controls. An ActiveX control can be designated as "safe for scripting," which means that it can be used by an untrusted caller such as JavaScript in a web page, and/or it may be designated as "safe for initialization," which means that it can accept untrusted initialization data. ActiveX controls that are developed using the Microsoft ATL technology may fail to properly handle initialization data. The specific vulnerabilities include the use of uninitialized objects, unsafe usage of OleLoadFromStream, and the failure to check for a terminating NULL character. This may result in memory corruption that can be leveraged to execute code, or it may bypass Internet Explorer kill bit restrictions on unsafe controls.


By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.


Apply an update

This vulnerability has been addressed in the update for Internet Explorer provided in Microsoft Security Bulletin MS09-034. This update helps prevent ActiveX controls that were built with the vulnerable ATL versions from being initialized with unsafe data patterns in Internet Explorer. This also includes techniques that can be used to bypass the kill bit in Internet Explorer.

Update and recompile ActiveX controls

Developers who have created ActiveX controls using Microsoft ATL should install the update for Microsoft Security Bulletin MS09-035 and recompile the ActiveX controls. This will cause the controls to use an updated ATL version that addresses these vulnerabilities.

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
AdobeAffected-30 Jul 2009
Aurigma Inc. Affected28 Jul 200929 Jul 2009
Cisco Systems, Inc.Affected28 Jul 200929 Jul 2009
F5 Networks, Inc.Affected28 Jul 200929 Jul 2009
Microsoft CorporationAffected-28 Jul 2009
OSISoftAffected-04 Aug 2009
SoftArtisans, IncAffected28 Jul 200924 Feb 2010
SonicWallAffected28 Jul 200928 Oct 2009
Sun Microsystems, Inc.Affected-05 Aug 2009
Apple Inc.Not Affected28 Jul 200931 Jul 2009
IBM CorporationNot Affected28 Jul 200929 Jul 2009
LogicNPNot Affected28 Jul 200930 Jul 2009
VanDyke SoftwareNot Affected28 Jul 200904 Aug 2009
Alcatel-LucentUnknown28 Jul 200928 Jul 2009
America Online, Inc.Unknown28 Jul 200928 Jul 2009
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Thanks to Microsoft for reporting this vulnerability, who in turn credit David Dewey of IBM ISS X-Force and Ryan Smith of Verisign iDefense labs.

This document was written by Will Dormann.

Other Information


If you have feedback, comments, or additional information about this vulnerability, please send us email.