Vulnerability Note VU#456745
ActiveX controls built with Microsoft ATL fail to properly handle initialization data
ActiveX controls that are built using a Microsoft ATL template may fail to properly handle initialization data, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.
Apply an update
This vulnerability has been addressed in the update for Internet Explorer provided in Microsoft Security Bulletin MS09-034. This update helps prevent ActiveX controls that were built with the vulnerable ATL versions from being initialized with unsafe data patterns in Internet Explorer. This also includes techniques that can be used to bypass the kill bit in Internet Explorer.
Update and recompile ActiveX controls
Developers who have created ActiveX controls using Microsoft ATL should install the update for Microsoft Security Bulletin MS09-035 and recompile the ActiveX controls. This will cause the controls to use an updated ATL version that addresses these vulnerabilities.
Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.
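As an added check that is not part of this note or of Microsoft's guidance, the following PowerShell audit reads the Internet Zone ActiveX URL actions and the kill-bit state of one CLSID so an administrator can verify the workarounds above on a workstation; the CLSID is a placeholder, and the registry locations and value meanings are the ones Microsoft documents for zone settings and the ActiveX kill bit.

```powershell
# Added example (not from the CERT note): audit Internet Zone ActiveX settings and
# the kill bit for one control. Registry paths follow Microsoft's documentation.
# The CLSID below is a placeholder; replace it with the control you need to check.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

# Internet Zone is zone 3. URL action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
$stateNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

foreach ($id in ($actions.Keys | Sort-Object)) {
    $value = (Get-ItemProperty -Path $zoneKey -Name $id -ErrorAction SilentlyContinue).$id
    if ($null -eq $value) {
        $state = 'not set (IE default)'
    } else {
        $state = $stateNames[[int]$value]
        if (-not $state) { $state = "unknown ($value)" }
    }
    # Only "Disable" (3) matches the workaround in the note; anything else needs review.
    $verdict = if ($value -eq 3) { 'OK' } else { 'REVIEW' }
    '{0,-6} {1,-60} {2,-22} {3}' -f $id, $actions[$id], $state, $verdict
}

# Kill bit: DWORD "Compatibility Flags" with bit 0x400 set under the control's CLSID.
$killKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$flags = (Get-ItemProperty -Path $killKey -Name 'Compatibility Flags' `
          -ErrorAction SilentlyContinue).'Compatibility Flags'
if ($null -ne $flags -and (($flags -band 0x400) -ne 0)) {
    'Kill bit SET for {0} (Compatibility Flags = 0x{1:X})' -f $Clsid, $flags
} else {
    "Kill bit NOT set for $Clsid"
}
```

Zone settings may also be enforced per machine under HKLM when policy forces machine-only security zones, so check that hive as well on domain-managed systems.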
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Adobe | Affected | - | 30 Jul 2009 |
| Aurigma Inc. | Affected | 28 Jul 2009 | 29 Jul 2009 |
| Cisco Systems, Inc. | Affected | 28 Jul 2009 | 29 Jul 2009 |
| F5 Networks, Inc. | Affected | 28 Jul 2009 | 29 Jul 2009 |
| Microsoft Corporation | Affected | - | 28 Jul 2009 |
| OSISoft | Affected | - | 04 Aug 2009 |
| SoftArtisans, Inc | Affected | 28 Jul 2009 | 24 Feb 2010 |
| SonicWall | Affected | 28 Jul 2009 | 28 Oct 2009 |
| Sun Microsystems, Inc. | Affected | - | 05 Aug 2009 |
| Apple Inc. | Not Affected | 28 Jul 2009 | 31 Jul 2009 |
| IBM Corporation | Not Affected | 28 Jul 2009 | 29 Jul 2009 |
| LogicNP | Not Affected | 28 Jul 2009 | 30 Jul 2009 |
| VanDyke Software | Not Affected | 28 Jul 2009 | 04 Aug 2009 |
| Alcatel-Lucent | Unknown | 28 Jul 2009 | 28 Jul 2009 |
| America Online, Inc. | Unknown | 28 Jul 2009 | 28 Jul 2009 |
Thanks to Microsoft for reporting this vulnerability; Microsoft in turn credits David Dewey of IBM ISS X-Force and Ryan Smith of Verisign iDefense Labs.
This document was written by Will Dormann.